News


How Cyber-Criminals are Circumventing Multifactor Authentication

For years, cyber defenders have touted multifactor authentication (MFA) as a so-called ‘silver bullet’ against account takeover. As cyber-criminals continually ramped up their social engineering efforts, MFA quickly became the barrier of choice between a tricked user and a successful credential phishing attack.

However, as security professionals are all too aware, nothing stops opportunistic threat actors in their tracks for long. We are now seeing the beginnings of a shift in the threat landscape driven by the wide adoption of MFA. Cyber-criminals are pivoting to exploit MFA weaknesses – from simply inundating users with authentication request alerts to more sophisticated phishing kits that compromise authentication tokens. Threat actors now realize it’s more effective (and cheaper) to steal credentials and log in than trying to hack through technical controls. Once they have siphoned access details from just one employee, they move laterally, stealing even more credentials, compromising servers and endpoints, and downloading sensitive organizational data – it’s now far too easy for an attacker to turn one compromised identity into an organization-wide ransomware incident or data breach.

While MFA remains an important preventative control for account takeover, organizations must realize that simply implementing this additional layer of authentication is no longer enough. Security teams need to consider the detective controls they have in place to spot compromised users before too much damage is done.

Authentic Delivery

MFA can help reduce organizations’ attack surfaces by adding another layer of account security. It supplements the username and password model with another factor only the user possesses, such as their mobile phone. Yet, as the new vulnerabilities show, MFA does not provide enough security on its own. Two key aspects to consider are how the user obtains the secondary authentication method and how easy it is to be siphoned by the attacker.
Email is one option for delivering the authentication code to the user – but this option is arguably the least secure, leaving the user vulnerable should their email accounts get compromised too, which is more likely if the attacker already has their credentials.
One-time codes sent by SMS are another option. While this is better than no additional authentication, it’s relatively unreliable – and text messages can be easily intercepted and spoofed. Malicious actors also use ‘SIM hijacking,’ where they impersonate the user and take control of their phone number. With your phone number, hackers can intercept any two-factor authentication codes sent by text message.
Using authenticators installed on the user’s device is a better option. Authenticators display PINs that users can input into the authentication system, which serves as the secondary step. However, this can still be bypassed using social engineering. For example, attackers targeting specific individuals may call them after stealing credentials to convince the targeted user to provide the MFA token too.

Our researchers have also seen an evolution in phish kits that can collect OAuth and MFA tokens in real time, sending them back to threat actors to use before expiration.

Social Engineering Overload

As with the majority of cyber-attacks, social engineering is at the center of the successful siphoning of users’ MFA tokens. Cyber-criminals are exploiting not just technology but also human weaknesses. Below, we take a look at the tactics threat actors are using to bypass MFA:

MFA Alert Fatigue

You may wonder how a cyber-criminal can effectively obtain a user’s MFA token if it’s on a mobile device or within an app. Well, with many MFA providers allowing users to accept a phone app push notification or to receive a phone call and press a key as a second factor, cyber-criminals are taking advantage of this. We are now seeing malicious attackers targeting users with a wave of ‘MFA fatigue attacks,’ where they bombard victims with MFA push notifications – at an unprecedented rate – to trick them into authenticating their login attempts. This tactic is relatively simple – spam a user in quick succession so that they end up approving the login attempt to stop the alerts.
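The detective control this section calls for can be as simple as counting push prompts per user inside a sliding window. The following is an added example (not code from the original article or from any MFA vendor): it runs over a constructed, simplified authentication log and flags users who received a burst of pushes, escalating when an approval follows the burst.

```python
"""Detect MFA push-notification floods in a simplified authentication log.

Added example, not from the original article. The log format is constructed:
"<ISO timestamp> <user> <event>", with event one of PUSH_SENT, PUSH_DENIED
or PUSH_APPROVED. Lines are assumed to be in chronological order.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: alice gets six pushes in under three minutes and then
# approves one; bob has a single ordinary login.
SAMPLE_LOG = """\
2023-03-24T08:00:05 alice PUSH_SENT
2023-03-24T08:00:30 alice PUSH_DENIED
2023-03-24T08:00:40 alice PUSH_SENT
2023-03-24T08:01:02 alice PUSH_DENIED
2023-03-24T08:01:10 bob PUSH_SENT
2023-03-24T08:01:15 alice PUSH_SENT
2023-03-24T08:01:20 bob PUSH_APPROVED
2023-03-24T08:01:50 alice PUSH_SENT
2023-03-24T08:02:25 alice PUSH_SENT
2023-03-24T08:02:55 alice PUSH_SENT
2023-03-24T08:03:20 alice PUSH_APPROVED
"""

WINDOW = timedelta(minutes=5)   # sliding window per user
THRESHOLD = 5                   # pushes inside WINDOW that trigger an alert


def parse(log):
    """Yield (timestamp, user, event) tuples from the constructed format."""
    for line in log.splitlines():
        ts, user, event = line.split()
        yield datetime.fromisoformat(ts), user, event


def detect_push_floods(log, window=WINDOW, threshold=THRESHOLD):
    """Return {user: (push_count, approved_after_flood)} for flooded users.

    approved_after_flood is True when the user approved a push after the
    threshold was crossed, which is the case that warrants immediate
    session revocation and follow-up, not just a ticket.
    """
    recent = defaultdict(deque)  # user -> timestamps of pushes in window
    alerts = {}
    for ts, user, event in parse(log):
        if event == "PUSH_SENT":
            q = recent[user]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()           # drop pushes older than the window
            if len(q) >= threshold:
                alerts[user] = (len(q), alerts.get(user, (0, False))[1])
        elif event == "PUSH_APPROVED" and user in alerts:
            alerts[user] = (alerts[user][0], True)
    return alerts
```

A denied-then-approved sequence inside the same window is the pattern the article describes (the user gives in to stop the alerts), so the approved-after-flood flag is the one to page on.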

MFA Phishing Kits

It’s important to note that while many users are unaware of this threat, it’s nothing new. Proofpoint’s threat researchers verified vulnerabilities bypassing MFA two years ago, but threat actors are now demonstrating more sophisticated approaches. We now see designated tools used by cyber-criminals to execute MFA bypass attacks. For example, our security researchers have found phishing kits designed to circumvent MFA by stealing session cookies are increasingly popular on the cybercrime underground. While MFA phishing kits have been around for several years, what is concerning today is the rapid adoption and spread of these MFA phishing kits.

Blocking the Bypass

Even though cyber-criminals are increasing their attempts to bypass this technology, MFA will remain an important preventative control for account takeover. Most leading organizations have implemented MFA and have largely been able to discount credential phishing for several years. To continue reaping the rewards of MFA, organizations must assess their ability to detect account compromise, not just prevent it.

While MFA bypass feels like a relatively new security challenge, the attack chain we are seeing is tried and tested. Cyber-criminals are targeting people, with most of these attacks starting with an email, aiming to trick a user into handing over credentials and granting organizational access. Organizations must recognize the need for strong email security – as most attacks start here. A critical first step in ensuring the success of MFA controls is to first block the threats from reaching users in the first instance with modern email security that can detect malicious URLs.

Next, organizations need to implement technology to identify and respond to compromised users and remove what attackers need to complete their crime: privileged account access. A unique approach to identity threat detection and response (ITDR) will help organizations remediate privileged identity risks and understand the potential ramifications of compromise, such as access to critical data and intellectual property. Finally, organizations must protect data with next-generation data loss prevention (DLP) solutions that prevent data from getting into the wrong hands.

By implementing robust technical controls, organizations can remove guesswork from employees – a lot of technology would need to go wrong here for a user to make a mistake. However, as with all threats, a combination of people, process and technology is crucial, so security teams should ensure they are raising awareness among their workforce of the dangers of MFA bypass to help their users identify illegitimate alerts.

March 24, 2023 - Next-Gen.

A 2023 Guide to Secure Cloud Deployment for Improved Application Security

Authentication/authorization, data integrity and storage protection: these three pillars correspond to the current major challenges in application security and are essential to ensure the confidentiality, integrity and availability of data stored in the cloud.
Through the strategies and best practices outlined in this guide, organizations can safeguard their cloud deployments against potential security breaches and protect their applications from unauthorized access and data theft.

Authentication/Authorization

Cloud deployment of applications introduces unique challenges to security since the infrastructure is shared among multiple tenants and accessible over the internet.
Moreover, applications are the weakest security link, so it is crucial to establish strict controls over who can access the system and how they access it. This is where identity and access management (IAM) comes in, as it allows you to manage user identities, control access to resources and enforce security policies across the entire infrastructure.

The following are some best practices to follow:

✅ Identify the specific tasks and resources users need to access to perform their jobs effectively.

✅ Create IAM roles that grant access only to the specific tasks and resources needed for each role.

✅ Use groups to organize users with similar job functions and assign the appropriate roles to each group.

✅ Regularly review and update roles to ensure they meet users’ needs while maintaining the principle of least privilege.
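The four steps above amount to a review loop: compare what each role grants against what its job function needs, and tighten the difference. The following is an added example (not code from the original guide or from any cloud provider's tooling) that does that comparison; the role names, needed-action sets and grants are constructed, and actions follow the "service:Action" naming convention that AWS IAM uses.

```python
"""Least-privilege review of IAM role grants.

Added example, not from the original guide. NEEDED is the output of step 1
(what each job function must be able to do); GRANTED is what the roles
currently allow. Both are constructed sample data.
"""
from fnmatch import fnmatchcase

NEEDED = {
    "report-viewer": {"s3:GetObject", "s3:ListBucket"},
    "batch-operator": {"s3:GetObject", "s3:PutObject", "sqs:SendMessage"},
}

# The batch-operator role grants a service-wide wildcard and an action
# nobody in that job function needs: both are least-privilege findings.
GRANTED = {
    "report-viewer": ["s3:GetObject", "s3:ListBucket"],
    "batch-operator": ["s3:*", "sqs:SendMessage", "iam:PassRole"],
}


def covers(patterns, action):
    """True if any granted pattern (IAM-style '*' wildcard) matches action."""
    return any(fnmatchcase(action, p) for p in patterns)


def review_role(role):
    """Return (missing, wildcards, unjustified) for one role.

    missing:     needed actions the role does not grant (the job breaks)
    wildcards:   grants containing '*' (over-broad, must be enumerated)
    unjustified: explicit grants that no task in NEEDED requires
    """
    needed, granted = NEEDED[role], GRANTED[role]
    missing = sorted(a for a in needed if not covers(granted, a))
    wildcards = sorted(p for p in granted if "*" in p)
    unjustified = sorted(p for p in granted if "*" not in p and p not in needed)
    return missing, wildcards, unjustified


def review_all():
    """Map each role to its findings; roles with no findings map to None."""
    results = {}
    for role in NEEDED:
        findings = review_role(role)
        results[role] = findings if any(findings) else None
    return results


def tightened_grants(role):
    """The grant list the role should have: exactly the needed actions."""
    return sorted(NEEDED[role])
```

Running this on a schedule, against grants exported from the provider, is one concrete form of the "regularly review" step; a role whose findings are not None is the one to fix.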

In any case, IAM cannot be viewed as a standalone security measure, as it needs to be integrated with other enterprise security processes to be effective.
For one, IAM can be integrated with security information and event management (SIEM) systems to provide real-time monitoring and alerting of security events across the entire infrastructure. This helps identify and respond to potential security incidents before they can cause harm.

Data Integrity

According to a report released last year by Tripwire, 44% of organizations reported their biggest application security concern as protecting data. One of the ways breaches happen in application security is through data leakage, which can happen in a number of ways.
For example, an attacker could access the API endpoint and extract sensitive information. Alternatively, an attacker could intercept network traffic and capture sensitive data in transit.
Cloud deployments are often subject to constant change, with new services and APIs being frequently added or modified. This can make it difficult to maintain security controls and ensure all APIs are properly secured. In 2022, a report by Salt identified a 117% rise in malicious API traffic over the previous year.
In addition, regarding data integrity, according to IBM, WS-Security can protect against tampering or unauthorized modification of SOAP messages transmitted between web service providers and consumers. It achieves this through digital signatures, which are created using cryptographic algorithms that ensure the authenticity and integrity of the message.

Storage Protection

There are various ways of protecting data storage platforms.

To start with, by using homomorphic encryption, cloud applications can ensure that sensitive data is protected at all times, including when it is being processed or analyzed in the cloud.
As such, it helps to reduce the risk of data breaches and other security incidents that can occur when sensitive data is stored in the cloud. This is because homomorphic encryption allows computations to be performed on the encrypted data without revealing the underlying plaintext, which prevents tampering with the data.
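To make the property concrete, here is an added example (not code from the original guide) of an additively homomorphic scheme, Paillier, in which the cloud side can add and scale values it cannot read. The primes are tiny and fixed so the arithmetic is readable; that choice, the key, and the sample values are all constructed for illustration, not a usable cryptosystem.

```python
"""Toy Paillier encryption: computing on ciphertext without decrypting.

Added example, not from the original guide. Key material is constructed
from two small fixed primes for readability; a real deployment uses
primes of roughly 1024 bits or more.
"""
from math import gcd
from secrets import randbelow

P, Q = 10007, 10009                              # constructed toy primes
N = P * Q
N2 = N * N
LAM = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)     # lcm(p-1, q-1)
MU = pow(LAM, -1, N)                             # valid because g = n + 1


def encrypt(m, n=N):
    """c = (1+n)^m * r^n mod n^2 with a fresh random r coprime to n."""
    assert 0 <= m < n, "plaintext must be in [0, n)"
    r = randbelow(n - 1) + 1
    while gcd(r, n) != 1:
        r = randbelow(n - 1) + 1
    return (pow(1 + n, m, n * n) * pow(r, n, n * n)) % (n * n)


def decrypt(c):
    """m = L(c^lam mod n^2) * mu mod n, where L(u) = (u - 1) / n."""
    u = pow(c, LAM, N2)
    return ((u - 1) // N * MU) % N


def add_encrypted(c1, c2):
    """Multiplying ciphertexts adds the plaintexts (the cloud sees no values)."""
    return (c1 * c2) % N2


def scale_encrypted(c, k):
    """Raising a ciphertext to k multiplies the plaintext by k."""
    return pow(c, k, N2)


def encrypted_sum(values):
    """Sum a list of plaintexts entirely in the ciphertext domain."""
    total = encrypt(0)
    for v in values:
        total = add_encrypted(total, encrypt(v))
    return total
```

The party holding only the public values (N, N2) can run add_encrypted, scale_encrypted and encrypted_sum; only the holder of LAM and MU can run decrypt.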
In addition, when it comes to cloud deployments, secure enclaves protect the storage of critical data, such as encryption keys, digital certificates and other sensitive information that unauthorized users can access and manipulate. Notably, Apple’s latest devices use secure enclaves integrated into their system on chips (SoCs).
By isolating the storage and execution of such data and operations within a secure enclave, the risk of exposure to external threats is significantly reduced, making it much harder for attackers to access and compromise the data.

Conclusion

Secure cloud deployment is critical to protect applications and data stored in the cloud. By following the best practices outlined in this guide, businesses can mitigate security risks and safeguard against threats such as data breaches, unauthorized access and cyber-attacks.
