Zscaler CISO Deepen Desai recently gave a compelling presentation at the RSA Conference about the vulnerabilities of multi-factor authentication (MFA). Deepen leads ThreatLabz, Zscaler's embedded threat research team, which has been actively tracking a large phishing campaign that bypasses MFA. The campaign attracted the attention of ThreatLabz in June 2022, when researchers observed attackers increasingly relying on advanced phishing kits. It also used several newly registered domains to facilitate the attacks.
This campaign was notable for using adversary-in-the-middle (AiTM) tactics to circumvent MFA. The attack begins with targets receiving an email containing a malicious link. In this case the targets were all users of Microsoft email services, and most resided in the US, UK, New Zealand or Australia. Some of the phishing emails targeted executives in the financial, insurance, energy and manufacturing industries.
Users who click the phishing link land on a phishing site. A conventional phishing site only harvests credentials; in an AiTM attack the attacker instead runs a reverse proxy between the victim and the legitimate login page. Every request and response passes through that proxy, so the attacker captures the password, relays the MFA prompt to the victim, and, once the real service accepts the MFA response, captures the session cookie the service issues. The attacker can then replay that cookie from their own browser and is treated as the authenticated user, with no further MFA challenge, and can also monitor or alter any traffic passing through the proxy. The weakness being exploited is that a one-time code or push approval is not tied to the site the user is actually talking to. Phishing-resistant methods such as FIDO2/WebAuthn security keys bind the response to the legitimate origin, so a proxy on a lookalike domain cannot complete the login even with the victim's cooperation.
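The relay described above, as an added toy model that is not the campaign's kit or Zscaler's code. The relying party, victim and proxy are all simulated in one process; a per-user HMAC key stands in for an authenticator's private key, and the origins and user name are made-up values. It shows the same proxy succeeding against a one-time code and failing against an origin-bound factor.

```python
"""Toy model of an adversary-in-the-middle (AiTM) phishing proxy.

Constructed example. HMAC stands in for an authenticator signature; the
point is only to show why an origin-bound factor survives a relay that a
one-time code does not.
"""
import hashlib
import hmac
import secrets

LEGIT_ORIGIN = "https://login.example.com"   # assumed legitimate service
PHISH_ORIGIN = "https://login-example.com"   # assumed lookalike proxy domain


def make_otp(key):
    # Stand-in for a TOTP step: a short code derived from the shared secret.
    return hmac.new(key, b"totp-step", hashlib.sha256).hexdigest()[:6]


def sign_assertion(key, challenge, origin):
    # Stand-in for a WebAuthn assertion: the signature covers the origin.
    return hmac.new(key, f"{challenge}|{origin}".encode(), hashlib.sha256).hexdigest()


class RelyingParty:
    """The legitimate site: password, then a second factor, then a cookie."""

    def __init__(self):
        self.users = {}       # user -> (password, factor key)
        self.challenges = {}  # user -> outstanding challenge
        self.sessions = {}    # cookie -> user

    def register(self, user, password, key):
        self.users[user] = (password, key)

    def begin_login(self, user, password):
        if user not in self.users or self.users[user][0] != password:
            return None
        self.challenges[user] = secrets.token_hex(16)
        return self.challenges[user]

    def finish_with_otp(self, user, otp):
        # OTP-style factor: the code is valid wherever it was typed.
        if hmac.compare_digest(otp, make_otp(self.users[user][1])):
            return self._issue(user)
        return None

    def finish_with_origin_bound(self, user, origin, sig):
        # Origin-bound factor: the RP insists the signed origin is its own.
        challenge = self.challenges.pop(user, None)
        if challenge is None or origin != LEGIT_ORIGIN:
            return None
        if hmac.compare_digest(sig, sign_assertion(self.users[user][1], challenge, origin)):
            return self._issue(user)
        return None

    def _issue(self, user):
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        return cookie

    def whoami(self, cookie):
        return self.sessions.get(cookie)


class Victim:
    """A user whose browser is pointed wherever the phishing link sent it."""

    def __init__(self, user, password, key):
        self.user, self.password, self.key = user, password, key

    def otp(self):
        return make_otp(self.key)

    def sign(self, challenge, origin_seen):
        # The browser, not the user, fills in the origin it is connected to.
        return origin_seen, sign_assertion(self.key, challenge, origin_seen)


class AitmProxy:
    """Lives on PHISH_ORIGIN, relays the login to the real site, keeps the cookie."""

    def __init__(self, rp):
        self.rp, self.loot = rp, {}

    def relay_otp_login(self, victim):
        self.loot["password"] = victim.password
        self.rp.begin_login(victim.user, victim.password)
        self.loot["cookie"] = self.rp.finish_with_otp(victim.user, victim.otp())
        return self.loot["cookie"]

    def relay_origin_bound_login(self, victim):
        self.loot["password"] = victim.password
        challenge = self.rp.begin_login(victim.user, victim.password)
        origin, sig = victim.sign(challenge, PHISH_ORIGIN)  # browser signs the phish origin
        self.loot["cookie"] = self.rp.finish_with_origin_bound(victim.user, origin, sig)
        return self.loot["cookie"]


def run_demo():
    """Who each captured cookie authenticates as (None means the RP refused)."""
    rp = RelyingParty()
    key = secrets.token_bytes(32)
    rp.register("alice", "hunter2", key)
    alice = Victim("alice", "hunter2", key)

    challenge = rp.begin_login("alice", "hunter2")  # direct login to the real origin
    direct = rp.finish_with_origin_bound("alice", *alice.sign(challenge, LEGIT_ORIGIN))
    return {
        "direct_login_user": rp.whoami(direct),
        "otp_relay_user": rp.whoami(AitmProxy(rp).relay_otp_login(alice)),
        "bound_relay_user": rp.whoami(AitmProxy(rp).relay_origin_bound_login(alice)),
    }
```

With the one-time code the proxy ends up holding a live session for alice; with the origin-bound factor the relying party sees a signature over the lookalike origin and refuses, so the proxy gets the password but no session.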
Unfortunately, MFA can be bypassed by simpler attacks as well. Last year, the threat group Lapsus$ used MFA fatigue in its breach of the rideshare company Uber. As the name implies, this tactic involves spamming a target with MFA push notifications, sometimes in combination with social engineering, until they approve one. In Uber's case, it appears the threat actor obtained a contractor's VPN credentials and attempted to log in repeatedly. Each attempt generated an MFA push request on the contractor's phone. After multiple rejections, the threat actor contacted the contractor directly, posing as a member of IT support, and asked them to approve the request. The contractor complied, and the attacker was through MFA by simply asking; no technical skill was required. Push prompts that require number matching blunt the spam, since approving requires a number shown only on the attacker's login screen, though a convincing phone call can still talk a user through it.
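A detection rule for the pattern described above, added here as an example and not taken from Uber's or Zscaler's tooling. The log format (timestamp, user, event, source IP) and the event names are constructed for the example; a real identity provider's logs will differ, so the parser is the part to adapt. The rule flags a burst of denied or unanswered pushes and escalates when an approval lands while that burst is still inside the window.

```python
"""Detecting MFA push fatigue in authentication logs (added example).

Constructed log format: ISO timestamp, user, event, source IP.
Events: push_sent, push_timeout, push_denied, push_approved.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: alice is spammed three times and then approves;
# bob is a normal single-prompt login.
SAMPLE_LOG = """\
2023-03-01T09:00:05Z alice push_sent 203.0.113.7
2023-03-01T09:00:35Z alice push_timeout 203.0.113.7
2023-03-01T09:01:05Z alice push_sent 203.0.113.7
2023-03-01T09:01:35Z alice push_timeout 203.0.113.7
2023-03-01T09:02:05Z alice push_sent 203.0.113.7
2023-03-01T09:02:15Z alice push_denied 203.0.113.7
2023-03-01T09:03:00Z alice push_sent 203.0.113.7
2023-03-01T09:03:20Z alice push_approved 203.0.113.7
2023-03-01T09:05:00Z bob push_sent 198.51.100.4
2023-03-01T09:05:10Z bob push_approved 198.51.100.4
"""

WINDOW = timedelta(minutes=10)
THRESHOLD = 3  # denied or timed-out pushes inside WINDOW before alerting
FAILURE_EVENTS = {"push_denied", "push_timeout"}


def parse(log_text):
    """Yield (timestamp, user, event, ip) tuples from the constructed format."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, event, ip = line.split()
        yield datetime.fromisoformat(ts.replace("Z", "+00:00")), user, event, ip


def detect_fatigue(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return alerts in log order.

    'fatigue_burst' fires once when a user crosses the threshold of
    unanswered/denied pushes inside the window; 'approval_after_fatigue'
    fires when an approval follows while the burst is still in the window,
    which is the case that needs a human to call the user back.
    """
    recent = defaultdict(deque)  # user -> timestamps of recent failures
    alerts = []
    for ts, user, event, ip in parse(log_text):
        q = recent[user]
        while q and ts - q[0] > window:  # slide the window forward
            q.popleft()
        if event in FAILURE_EVENTS:
            q.append(ts)
            if len(q) == threshold:
                alerts.append({"type": "fatigue_burst", "user": user,
                               "ts": ts.isoformat(), "failures": len(q), "ip": ip})
        elif event == "push_approved" and len(q) >= threshold:
            alerts.append({"type": "approval_after_fatigue", "user": user,
                           "ts": ts.isoformat(), "failures": len(q), "ip": ip})
            q.clear()  # treat the session as compromised; count afresh
    return alerts


if __name__ == "__main__":
    for alert in detect_fatigue(SAMPLE_LOG):
        print(alert)
```

Run against the sample, this produces a burst alert for alice at the third failure and an approval-after-fatigue alert at her eventual approval, and nothing for bob. The second alert type is the one worth paging on: the session it names has been granted to whoever was driving the prompts, and the source IP on it is the attacker's login, not the user's.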
Another popular way to bypass MFA is subscriber identity module (SIM) swapping. Because many services deliver one-time codes by SMS or voice call to a phone number, threat actors found a way to "steal" a target's phone without touching the device: they convince the telecom provider to port the target's number to an attacker-controlled SIM card. With MFA codes now arriving on the attacker's handset, bypassing the check is trivial. SIM swapping only defeats factors tied to the phone number; authenticator apps and hardware security keys are unaffected by it.
Focus on identity, not technology
Security technologies change over time, and yesterday's solution is not always the best defence against today's threats. It is important to remember the intent behind MFA: verifying the identity of the user. Identity remains a vital aspect of cybersecurity, especially as organizations adopt zero trust principles. While the effectiveness of traditional MFA for user verification may be waning, other identity and access management (IAM) technologies are filling the void. IAM platforms combine a variety of signals to verify identity, and the stronger of these are far harder to defeat with the techniques described above. It is also important to consider other identities, such as those belonging to devices, networks and services.
Performing extensive, multi-layered identity verification may seem excessive, but it is just the next step in cybersecurity's natural progression. Originally, a single password was deemed sufficient to verify a user's identity. As more complex and interconnected systems emerged, industry turned first to 2FA, then to MFA. Each time the current verification process proved insufficient, a new, more demanding one emerged. Now that MFA is faltering, organizations should consider IAM providers, AI-based analysis, biometrics, location data and other signals to verify identity.
Cybersecurity measures must constantly adapt to a rapidly changing environment. Staying ahead of adversaries often means letting go of tools that no longer fulfill their intended function. The heyday of MFA may have passed, but the promise of IAM remains vibrant for those willing to change with the times.
Just one piece of the puzzle
Authentication is a game of risk management for the enterprise, and many organizations have used MFA as a sledgehammer solution to it. Today, authentication is harder and demands a more granular approach that balances security with user experience. Instead of a one-size-fits-all MFA policy, let the sensitivity of the resource dictate the strength of the authentication required. A low-value resource, such as a timesheet system, may be fine with simple MFA from any device on any network.
A medium-sensitivity app may require a compliant, corporate-managed device plus MFA.
A top-secret resource may require a compliant, managed device, MFA with a physical security key, and access from a known network or through a ZTNA service. Remember that passing an MFA challenge only means whoever answered it is probably the account holder; it is not a guarantee of identity. Anything that should only be accessible to known actors needs more than a simple MFA check.
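The three tiers above written as a policy check, added here as an example rather than any product's configuration. The tier names, the signal names on the session context, and the ranking of factors are assumptions for illustration; the ranking puts push and TOTP below a physical key because both can be relayed through an AiTM proxy, which is why the high tier cannot be satisfied by a push approval even from a managed device.

```python
"""Resource-tiered access policy as code (added example).

Tier names, context fields and the factor ranking are assumptions, not a
vendor schema. evaluate() reports what a session is missing so the caller
can step the user up instead of just denying.
"""
from dataclasses import dataclass

# Higher rank = harder to phish or relay. push/totp share a rank because both
# are relayable by an AiTM proxy; only fido2 is origin-bound.
MFA_STRENGTH = {"none": 0, "sms": 1, "push": 2, "totp": 2, "fido2": 3}
TRUSTED_NETWORKS = {"corp", "ztna"}

# low: any MFA, any device, any network
# medium: MFA on a compliant managed device
# high: physical key on a compliant managed device from a known network/ZTNA
POLICY = {
    "low":    {"min_mfa": "sms",   "managed_device": False, "trusted_network": False},
    "medium": {"min_mfa": "push",  "managed_device": True,  "trusted_network": False},
    "high":   {"min_mfa": "fido2", "managed_device": True,  "trusted_network": True},
}


@dataclass(frozen=True)
class Context:
    mfa: str              # strongest factor completed in this session
    managed_device: bool  # enrolled in device management
    compliant: bool       # passes posture checks (patched, encrypted, ...)
    network: str          # "corp", "ztna" or "public"


def evaluate(tier, ctx):
    """Return (allowed, unmet); unmet lists each requirement the session failed."""
    rule = POLICY[tier]
    unmet = []
    # Unknown factor names are treated as no MFA at all, never as a pass.
    if MFA_STRENGTH.get(ctx.mfa, 0) < MFA_STRENGTH[rule["min_mfa"]]:
        unmet.append(f"mfa at least {rule['min_mfa']}")
    if rule["managed_device"] and not (ctx.managed_device and ctx.compliant):
        unmet.append("compliant managed device")
    if rule["trusted_network"] and ctx.network not in TRUSTED_NETWORKS:
        unmet.append("known network or ZTNA")
    return not unmet, unmet


if __name__ == "__main__":
    session = Context(mfa="push", managed_device=True, compliant=True, network="corp")
    for tier in POLICY:
        print(tier, evaluate(tier, session))
```

The same session passes the low and medium tiers and fails the high tier on the factor alone; the unmet list tells the application to ask for a security key rather than re-prompting the push that was already approved.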