MFA Bypass Attacks & You!
TLDR
MFA is more than just the tech. Train your associates on when an MFA request is potentially malicious. Have a policy for reporting unrequested MFA prompts to Information Security and have a process for how IT will respond to that alert. Additionally, if you are using Azure MFA there is some new hotness that can significantly beef up your current MFA implementations, and move you closer to a glorious passwordless world.
Overview
Multifactor authentication is a critical security technology and one of the most effective countermeasures to account takeover. In addition to confirming the usual account credentials, MFA ensures our associates must also verify their identity via additional methods (biometric gestures, FIDO2 keys, the state of a managed device, rolling codes, soft tokens, SMS, phone call, etc.) before they can access an account.
MFA is an essential technology, but not all MFA methods and implementations are created equal. Adversaries are increasingly adopting new methods to subvert MFA.
MFA must be more than just a product we enable.
As an IT consultant I often work with enterprise organizations to help them design and implement their identity and zero trust security models. While most organizations fully recognize the importance of MFA, many forego the training, processes, and policies that should go hand in hand with a well-implemented solution. I’ve deployed MFA for companies that chose not to roll out training, only to be called back in months later after a security event. In most cases the audit logs showed that MFA worked exactly as designed; the affected employee simply approved a malicious request without stopping to consider its validity or source.
When we deploy MFA solutions, comprehensive training must be rolled out alongside the technology. When challenged for MFA, team members need to stop and ask themselves, “Did I just take an action that would normally trigger an MFA prompt?” and “Is the time of the request, or the website challenging me, appropriate given my workflow and schedule?” If the answer to either is no, or I’m not sure, there must be a policy to notify Information Security for additional review. If security determines that the request is malicious, or that the user is actively being targeted by an adversary, a pre-defined process should be followed to protect the account. Appropriate actions can include username or password rotation, beefing up or creating a temporary conditional access policy, additional education, and enhanced monitoring and auditing.
MFA Bypass Attack Vectors
Cozy Bear (also known as Nobelium, APT29, and the Dukes) is an elite hacker group that works for Russia’s Foreign Intelligence Service. Looking at Mandiant’s post-mortems on the Lapsus$ and SolarWinds incidents, we can see how threat actors were able to compromise systems protected by MFA by repeatedly sending MFA requests, often late at night or at otherwise inconvenient times.
“Mandiant has also observed the threat actor executing multiple authentication attempts in short succession against accounts secured with multi-factor authentication (MFA). In these cases, the threat actor had a valid username and password combination. Many MFA providers allow for users to accept a phone app push notification or to receive a phone call and press a key as a second factor. The threat actor took advantage of this and issued multiple MFA requests to the end user’s legitimate device until the user accepted the authentication, allowing the threat actor to eventually gain access to the account.”
This sort of MFA bombing is not new, but it’s becoming more common. The flip side of this attack is more subtle: instead of sending many prompts at once, attackers will sometimes try to sneak one or two in each day during normal working hours. This can be harder to detect, and an associate is more likely to assume it’s a legitimate prompt.
Talos has also documented other novel approaches, where attackers craft fake MFA web pages that capture One-Time-Use codes and automatically pass them along to the legitimate site to access protected information. These OTP codes can be either time-based rolling codes or text/email verification codes; the end result is the same.
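Both patterns above (the late-night burst of push prompts, and the one-or-two-a-day drip) can be surfaced from MFA push events. The following is an added example written for this post, not code from the original article or from any vendor; it runs over a constructed set of events shaped like (timestamp, user, push result) and flags both variants.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push events (not captured logs): (timestamp, user, result).
# Field names and values are assumptions made for this example.
EVENTS = [
    # Burst of prompts at 02:00 against alice, eventually approved: "MFA bombing"
    ("2022-03-01T02:14:05", "alice", "denied"),
    ("2022-03-01T02:14:40", "alice", "denied"),
    ("2022-03-01T02:15:12", "alice", "timeout"),
    ("2022-03-01T02:16:01", "alice", "denied"),
    ("2022-03-01T02:17:30", "alice", "approved"),
    # One unrequested prompt per day during working hours against bob: "slow drip"
    ("2022-03-01T10:02:00", "bob", "denied"),
    ("2022-03-02T11:15:00", "bob", "denied"),
    ("2022-03-03T09:48:00", "bob", "denied"),
    # Normal user: one approved prompt each morning
    ("2022-03-01T08:30:00", "carol", "approved"),
    ("2022-03-02T08:31:00", "carol", "approved"),
]

def _parsed(events):
    return sorted((datetime.fromisoformat(ts), u, r) for ts, u, r in events)

def detect_bombing(events, window=timedelta(minutes=10), threshold=4):
    """Users who received >= threshold push prompts inside any sliding window.
    Returns {user: (largest burst size, whether a prompt in a burst was approved)}."""
    by_user = defaultdict(list)
    for ts, user, result in _parsed(events):
        by_user[user].append((ts, result))
    hits = {}
    for user, rows in by_user.items():
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:  # slide window start forward
                start += 1
            burst = rows[start:end + 1]
            if len(burst) >= threshold:
                count, approved = hits.get(user, (0, False))
                hits[user] = (max(count, len(burst)),
                              approved or any(r == "approved" for _, r in burst))
    return hits

def detect_slow_drip(events, min_days=3):
    """Users with denied or timed-out prompts on at least min_days distinct days:
    the low-and-slow variant that never trips a burst threshold."""
    days = defaultdict(set)
    for ts, user, result in _parsed(events):
        if result != "approved":
            days[user].add(ts.date())
    return {user: len(d) for user, d in days.items() if len(d) >= min_days}
```

A user flagged by detect_bombing with approved=True is the case the Mandiant quote describes and warrants the account-protection process above; detect_slow_drip hits are the ones a burst threshold alone would miss.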
Varonis Threat Labs also recently published an article showing how they bypassed the MFA process at box.com by abusing session authentication tokens. A video showing the exploit can be found here.
New MS hotness!
This month Microsoft quietly rolled out into preview two new features that help combat these bypass attacks.
Number Matching
Number matching has been around for a bit if you’ve been using passwordless phone sign-in, but the format has been updated for the better.
The previous number matching system asked you to tap one of 3 numbers to match what was displayed on screen; now end users will need to type the two-digit number shown on the device/page they are trying to authenticate into. In my opinion, this new matching implementation is one of the strongest forms of MFA I’ve come across that’s not a FIDO2 token. By requiring users to match what they see on screen, it helps mitigate MFA bombing and drive-bys, as those logins originate from another device whose screen the end user can’t see. This results in a 1 in 99 chance that a user will blindly approve a request without thinking. Also, by using authenticator approvals as a primary method, we reduce our dependency on OTPs, which can be phished.
Number matching is available for any application that performs SSO against Azure AD. An optional NPS server with the Azure AD MFA extension installed can extend this functionality to other services as well: the NPS server acts as a RADIUS target for VPN appliances or other services that support a RADIUS tie-in for MFA.
Microsoft’s Number Matching Documentation
Additional Context Notifications
With this new feature enabled, when a user receives an MFA push notification in the Microsoft Authenticator app, they’ll now see the name of the application requesting the approval along with a map of the location based on the IP address the sign-in originated from. This allows users to make a more informed decision on whether or not to approve an MFA request by making anomalies easier to spot. If you enable this feature and use SD-WAN, VPN or other methods to route internet traffic, make sure end users know to expect a different physical location when their traffic egresses the network from a non-local area they wouldn’t otherwise know to trust.