MFA Bypass: An Emerging Cyber Threat

Authors: John Farley, Stephen Ramey

Multifactor authentication (MFA), a longstanding bedrock of cyber defense strategy, has come under attack. While MFA remains a key and effective requirement for preventing many cyberattacks, we're seeing evidence that threat actors are beginning to develop tactics that may defeat it in certain circumstances.

MFA defined

MFA is a security process that requires authorized users to provide multiple forms of identification before gaining access to a system, application or network. It is designed to prevent social engineering attacks that manipulate victims into transferring large sums of money or other sensitive data to criminals. Typically, MFA combines at least two of the following factors:

  • Something you know: A password, an answer to a security question or a PIN
  • Something you have: A mobile device, security token or a smart/chip card
  • Something you are: Biometric data

MFA bypass: The latest emerging threat

Despite the robust cybersecurity that MFA may provide, it's not 100% effective at all times. According to Steve Ramey, CEO of leading cybersecurity firm IronGate, organizations need to be aware of emerging criminal tactics that aim to defeat MFA:

Malware: End-user devices are infected with malware that lets the adversary control them remotely. The malware can be delivered through phishing emails, malicious links or compromised websites. Once a device is compromised, adversaries usually have full control of it. Their objectives include:

  • Keylog passwords and steal session tokens.
  • Intercept one-time passcodes.
  • Stealthily transmit information.
  • Gain remote access connectivity.

Figure: Malware infects and then remotely controls devices.

Man-in-the-middle (MITM) attack: In a MITM attack, the adversary intercepts the victim's transmissions. Phishing emails are used to deliver the malicious URL, and adversary websites appear as legitimate sites with typical branding (most are cloned from real sites). Objectives include:

  • Obtain passwords and one-time passcodes.
  • Alter communications.
  • Obtain MFA codes, cache login credentials and revisit accounts.
  • Impersonate the victim.

Figure: MITM intercepts the victim's transmissions.

"Phishing resistant" MFA

Organizations can deploy several strategies to counter the MFA bypass threats. IronGate's Steve Ramey outlines these three strategies:

Use of strong authenticators: Phishing-resistant MFA involves using authentication factors that aren't easily intercepted or duplicated by attackers. These factors can include hardware security keys or biometric identifiers like fingerprints or facial recognition.

Direct communication: The authentication factor communicates directly with the authentication server or service. For example, a hardware security key might use a physical connection (like USB) or a wireless protocol (like NFC or Bluetooth) to authenticate directly with the service, without the user having to enter any information that phishers could capture.

No reusable passwords: Unlike traditional MFA methods that might still rely on a password as one factor, phishing-resistant methods avoid any credentials that could be reused or intercepted. Even if a phisher tricks a user into attempting a login on a fake site, the phisher can't capture the necessary information to replicate the login elsewhere.
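To make the "direct communication" and "no reusable passwords" properties concrete, here is an added illustration (not code from the article or from IronGate) of the relying-party checks a WebAuthn/FIDO2-style login performs: the browser, not the user, writes the page origin into the signed data, each challenge is single-use, and the signature covers both. RP_ID, EXPECTED_ORIGIN, the user names and the credential key are constructed values, and an HMAC stands in for the security key's asymmetric signature so the block runs on the standard library alone.

```python
import hashlib, hmac, json, secrets

# Hypothetical relying party; a real deployment uses its own domain.
RP_ID = "bank.example"
EXPECTED_ORIGIN = "https://bank.example"
PENDING = {}  # user -> single-use challenge issued for the current login attempt


def issue_challenge(user):
    PENDING[user] = secrets.token_urlsafe(32)
    return PENDING[user]


def verify_assertion(user, client_data_json, auth_data, signature, credential_key):
    """Relying-party checks that make a hardware-key login phishing-resistant."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("origin") != EXPECTED_ORIGIN:  # the browser, not the user, fills in the origin
        return False, "origin mismatch"
    if PENDING.pop(user, None) != cd.get("challenge"):  # challenge is consumed on first use
        return False, "unknown or reused challenge"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    signed = auth_data + hashlib.sha256(client_data_json).digest()
    # Stand-in: HMAC with a per-credential key replaces the authenticator's ECDSA signature
    # so the example needs only the standard library; the data that gets signed is the same.
    expected = hmac.new(credential_key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    return True, "ok"


def authenticator_sign(credential_key, origin, challenge, rp_id=RP_ID):
    """Constructed browser-plus-key side: origin is whatever page the user is really on."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([0x01]) + (0).to_bytes(4, "big")
    signed = auth_data + hashlib.sha256(client_data).digest()
    return client_data, auth_data, hmac.new(credential_key, signed, hashlib.sha256).digest()


def demo():
    key = b"constructed-credential-key"
    genuine_args = authenticator_sign(key, EXPECTED_ORIGIN, issue_challenge("alice"))
    genuine = verify_assertion("alice", *genuine_args, key)
    replay = verify_assertion("alice", *genuine_args, key)  # same assertion captured and resent
    # A look-alike site relays the login; the browser still reports the look-alike's origin.
    phished_args = authenticator_sign(key, "https://bank-login.example", issue_challenge("alice"))
    phished = verify_assertion("alice", *phished_args, key)
    return genuine, replay, phished
```

The genuine login passes, a replayed assertion fails on the consumed challenge, and a login proxied through a look-alike site fails on the origin check before any secret is usable elsewhere.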

Leveraging cyber insurance

Cyber insurance and other insurance policies may help organizations transfer risks associated with losses stemming from social engineering and many of the latest emerging cyber threats.

Many policies provide access to crisis services, including breach coaches, IT forensics investigators and several other breach response experts. Those with cyber insurance should be mindful of claim reporting obligations, requirements to use insurance panel breach response vendors, evidence preservation and issues that may impact attorney-client privilege.

Cyber insurance applicants should be prepared for underwriting scrutiny around several cybersecurity controls. For more information on how to prepare, see our Cybersecurity Controls Checklist.

Mitigating a social engineering financial loss

If your company has been successfully attacked and a fraudulent financial transfer has been completed, there are a few ways to mitigate risk and exposure.

  • Immediately notify the remitting and receiving banks and seek to freeze funds if possible. If the transfer is caught within 48 hours, the bank may be able to recover some or all of the funds. Also, engage experienced legal counsel as soon as possible to maximize the chance of freezing the funds.
  • Compile copies of the emails documenting the fraud with details of the fraudster's account receiving the funds.
  • Report the incident to local law enforcement agencies as soon as possible, particularly in the receiving jurisdiction. These authorities often have the power to freeze funds, helping the victim avoid costs for obtaining court orders on their own. These crimes can be reported to the joint FBI/National White Collar Crime Center — Internet Crime Complaint Center (IC3) website at ic3.gov.
  • Initiate civil action against the criminal. The recipient of the funds is unlikely to answer the civil action, enabling the victim to obtain a default judgment on its full claim. However, actually recovering the funds could be difficult.
  • Hire an independent forensic investigator to identify the extent of the network intrusion. These investigators can tell what information may have been accessed and give advice on actions to take to add security features as appropriate.
  • Determine through legal counsel whether you have any reporting obligations to regulators, business partners or other affected individuals.

Additional resources

Find resources and alerts at CISA's Stop Ransomware page, including the CISA Stop Ransomware Guide, for information on ransomware preparedness.

For the latest cyber threat information and alerts, visit cisa.gov.

To contact local FBI offices to report suspicious cyber activity, visit fbi.gov or the Internet Crime Complaint Center.

For a cyber emergency, such as a ransomware attack in progress, contact CISA online at www.cisa.gov/cisa-central or by calling CISA Central at (888) 282-0870.


Steve Ramey has spent the past two decades helping clients protect, investigate, and respond to events involving their digital interests. He has led hundreds of data breach investigations, assessed incident response and security programs, and successfully advised organizations through extortion negotiations.
