Multifactor authentication is an important defence IT security pros should be using as part of a cybersecurity strategy, says MFA expert Roger Grimes — with a significant ‘but.’
That ‘but’ is that the solution has to be phishing-resistant.
“Most people are using easily phishable MFA solutions,” he observed in a presentation Wednesday at the BlackHat conference in Las Vegas. “Unfortunately, about 90 to 95 per cent of MFA can be phished around and bypassed.”
“I do like MFA,” said Grimes, data-driven defence evangelist for the security awareness training firm KnowBe4. “But,” he added, IT “should be using phishing-resistant MFA when and where they can to protect valuable data and systems.”
By coincidence, earlier in the day Cisco Systems admitted a breach that proved his point: The compromise of a Cisco employee’s personal Google account led to a threat actor getting into the company’s VPN in May. How? The employee fell for a phishing scam.
First, the attacker got the victim’s Cisco credentials that were stored in their browser. Then, to bypass the employee’s MFA protection, the hacker repeatedly sent fake push MFA messages to the employee, combined with voice calls purportedly from an organization the employee trusted, asking them to accept an MFA notification on their mobile device. Ultimately the employee gave in.
After that, the attacker enrolled a series of new devices for MFA on the employee’s account and successfully authenticated to the Cisco VPN. The attacker then escalated administrative privileges, allowing them to log into multiple systems. That alerted Cisco’s security incident response team.
While the attacker was able to move through the Cisco environment, the company says the only data they got was from a folder on the Box cloud storage platform of a compromised employee’s account. Cisco says that data wasn’t sensitive.
The Bleeping Computer news service says the stolen data, now published on the dark web, include non-disclosure agreements, data dumps, and engineering drawings.
It wasn’t clear from the Cisco report how the attacker initially compromised the employee’s Google account.
The report emphasizes what Grimes said in his presentation: User security awareness education is a key part of countering MFA bypass techniques, including telling employees what to do and how to respond if they get errant push requests on their smartphones.
On the IT side, Cisco said, organizations have to implement strong device verification to limit or block the adding of mobile devices, particularly unmanaged devices, to employees’ accounts. Leveraging risk detection to highlight events like a brand-new device being used from an unrealistic location, or attack patterns such as brute-force logins, can help detect unauthorized access, Cisco added.
“Anything can be hacked, including MFA,” said Grimes. “Some of them are harder than others.” But, he added, “I can hack any MFA solution in at least five different ways.”
MFA is “oversold,” he complained, “especially when I hear things like ‘MFA stops 99 per cent of attacks.’ It doesn’t. It never will. It’s still probably one of the best things you can do to protect your environment. (But) this is not a Holy Grail solution.”
Repeated push-based attacks sent to mobile phones — like the Cisco example — rely on wearing down a victim to eventually click approval on a supposed MFA confirmation, Grimes said. He gave an example of an executive repeatedly falling for the scam despite being warned.
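As an added example that is not part of the article or of Cisco’s report, the following Python sketch flags the push-fatigue sequence described above (a burst of push prompts, an approval, then a new device enrolment, as in the Cisco incident) over constructed authentication events; the event names, timestamps and thresholds are assumptions, not any vendor’s log schema.

```python
# Added example, not from the article: detect the push-fatigue pattern
# (a burst of MFA push prompts followed by an approval and a new device
# enrolment) over constructed authentication events.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real logs: (ISO timestamp, user, event, detail)
SAMPLE_EVENTS = [
    ("2022-05-24T09:00:05", "jdoe", "mfa_push_sent", "-"),
    ("2022-05-24T09:00:40", "jdoe", "mfa_push_sent", "-"),
    ("2022-05-24T09:01:10", "jdoe", "mfa_push_sent", "-"),
    ("2022-05-24T09:01:55", "jdoe", "mfa_push_sent", "-"),
    ("2022-05-24T09:02:30", "jdoe", "mfa_push_sent", "-"),
    ("2022-05-24T09:03:02", "jdoe", "mfa_push_approved", "-"),
    ("2022-05-24T09:05:00", "jdoe", "mfa_device_enrolled", "unmanaged-android"),
    ("2022-05-24T10:00:00", "asmith", "mfa_push_sent", "-"),
    ("2022-05-24T10:00:20", "asmith", "mfa_push_approved", "-"),
]

def detect_push_fatigue(events, threshold=3, window=timedelta(minutes=10),
                        enroll_window=timedelta(minutes=30)):
    """Return {user: alert} for every approval preceded by >= `threshold`
    push prompts inside `window` (the wearing-down pattern); each alert also
    lists any MFA device enrolled within `enroll_window` after that approval,
    the attacker's next step in the Cisco report."""
    per_user = defaultdict(list)
    for ts, user, event, detail in events:
        per_user[user].append((datetime.fromisoformat(ts), event, detail))
    alerts = {}
    for user, evs in per_user.items():
        evs.sort()
        pushes = [t for t, e, _ in evs if e == "mfa_push_sent"]
        for t, e, _ in evs:
            if e != "mfa_push_approved":
                continue
            recent = [p for p in pushes if t - window <= p <= t]
            if len(recent) < threshold:
                continue
            enrolled = [d for t2, e2, d in evs
                        if e2 == "mfa_device_enrolled" and t <= t2 <= t + enroll_window]
            alerts[user] = {"prompts": len(recent), "approved": t.isoformat(),
                            "new_devices": enrolled}
    return alerts

if __name__ == "__main__":
    for user, alert in detect_push_fatigue(SAMPLE_EVENTS).items():
        print(f"ALERT {user}: {alert}")
```

A single prompt followed by an approval (the `asmith` events) stays below the threshold and is not flagged, which is the normal-login case the detector must not drown out.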
But he said the most common successful MFA phishing attack technique is network session hijacking, also known as a man-in-the-middle attack. It usually starts with the attacker sending the target an email message purportedly from a well-known brand — their employer, their bank, a social media site — saying because of irregular account activity the target should click on a link and verify their login credentials. The link goes to a phony website that captures not only the victim’s user name and password but also any MFA session cookie sent back by the real website. The attacker uses that cookie to get into the victim’s account.
The most recent example is a July 12th Microsoft report on a huge phishing campaign. Microsoft says this is not an MFA vulnerability.
Grimes noted that, since 2017, the U.S. government has warned government departments not to use phone or SMS-based MFA for authentication.
Biometrics such as facial recognition and fingerprint scanning aren’t strong enough on consumer devices, he maintained. They should be supplemented with another authentication factor like a password or a PIN.
IT and security leaders should look for MFA solutions that have strong phishing protection, Grimes said, such as a solution approved by the FIDO Alliance. They will require pre-registration of sites and services. In some cases, using a security key like a YubiKey or a Google Titan may be appropriate, he said.