These are the very controls that we really don’t check up on and frankly, would have a hard time doing so.
Multifactor authentication (MFA) is what I’m talking about. We enable it on practically everything these days, but is it really working?
This is something that hasn’t been talked about much until now. Think about all the effort that it takes to verify that MFA is properly turned on for all your users...
Having MFA turned on makes us all feel a little safer. We have a secondary control to prevent someone getting to important information or breaking into our network environment. What we haven’t been talking as much about is how easy it is to bypass this control.
At first, there were articles on how social engineering was the key to making MFA defunct (or at least a little less useful). Maybe the jury’s still out on how easy it is to trick a user into approving a request through MFA that was actually malicious.
The tides turning on MFA?
Now hackers have automated ways to attack your MFA. Since over 75% of users today actively use MFA, attackers have been working hard to find ways around it. And they’ve found a rather successful path to breaking through.
Many of these automated mechanisms rely on transparent reverse proxy. The transparent reverse proxy will intercept and redirect data in transit between the internet and the application. When implemented for good, these proxies do things like analyze HTTPS traffic for malicious payloads...but when used maliciously, these become an easy path to man in the middle attacks.
There are a range of kits out there ready to go. These kits make it easy for even budding hackers. These are simple open-source kits with human readable code (also many more sophisticated kits with higher levels of code obfuscation) already out in the marketplace today, allowing someone to steal usernames, passwords, MFA tokens, and other sensitive information (think social security numbers and credit cards).
How do these kits work in the wild?
Phishing. The attacker successfully sends a phishing email with a link. Maybe to a fake website with a login page. I know this seems like old news and old methods, but it’s not broken (users still are clicking links and divulging information) so hackers are still doing it.
What this new kit brings to the table is a malware-planted man in the middle transparent reverse proxy. This intercepts the traffic—including credentials and session cookies (even to legitimate sites). The session cookies include MFA tokens. And these attacks are completely automated.
Some security experts are considering these attacks game changing… not for the defenders. With a simple point and click –getting a user to click a simple link—they can now bypass most 2FA mechanisms.
The only 2FA mechanisms not impacted by this type of attack is the FIDO Universal 2nd Factor (U2F) protocol-based tokens. For those unfamiliar with U2F, these are physical security keys that act as the second factor in place of an SMS message or email (for example).
So… What can you do in light of these MFA bypassing kits?
Switch to a more hardened 2FA solution or using a hardware-based MFA device.
Get your users involved in seeing what’s at stake—MSPs are seeing the difference in communicating security risk through cyber stack evaluations of their own networks and their client environments.
If you can get people to understand what’s at stake from simply clicking a link, you will have a much easier time getting their buy in to process and technology changes within their organizations.
Technology will always fail. There is always a way around controls. Now is the time to get your users to realize that they have a stake in the security game and start fighting back.
