In the end, some employees who were targeted approved the MFA requests and the attackers gained access to these accounts.
Most phishing attacks employ similar social engineering techniques to trick users into turning over their credentials.
Attackers hammering MFA-protected accounts with repeated authentication requests until a user approves one is also a concerning development in the identity threat landscape.
Most successful credential compromise attacks occur with accounts that don't have MFA enabled.
According to this quarter's Talos IR report, using compromised credentials on valid accounts was one of two top initial access vectors.
This aligns with findings from Verizon's 2023 Data Breach Investigations Report, where the use of compromised credentials was the top first-stage attack in 44.7% of breaches.
Early last year, research published by Oort, now part of Cisco, found that 40% of accounts in the average company had weak or no MFA in the second half of 2022.
Looking at updated telemetry from February 2024, that figure has dropped significantly to 15%. The change has a lot to do with a wider understanding of identity protection, but also with increased awareness driven by an uptick in attacks targeting accounts that rely on a username and password alone.
Phishing, while one of the most popular methods, isn't the only way that attackers gather compromised credentials.
Attackers also run brute-force and password-spraying attacks, deploy keyloggers, or dump credentials from systems they have already compromised.
While an attacker can gain a foothold in a network using an ordinary user account, its limited permissions make it hard to take the attack further, which is why privileged accounts are the more attractive target.
According to Cisco's telemetry, administrator accounts see three times as many failed logins as a regular user account.
Another resource threat actors target is credentials for accounts that are no longer in use.
These dormant accounts tend to be legacy accounts for older systems, accounts for former users that have not been cleared from the directory, or temporary accounts that are no longer needed.
Guest accounts are an account type that repeatedly gets overlooked.
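The dormant, former-user, temporary and guest accounts described above are the ones an attacker goes looking for, so a periodic audit that surfaces them is the practical counterpart to this passage. The following Python is an added example written for this page, not code from Cisco or Talos: it runs over a small constructed directory export (the field names `name`, `enabled`, `type`, `last_logon` and `expires` are assumptions made for the example; map your own AD, LDAP or IdP export onto them) and flags every enabled account that has never logged on, has been idle past a threshold, is past its expiry date, or is a guest account.

```python
from datetime import datetime, timezone


def _parse(ts):
    """Parse an ISO-8601 timestamp (with trailing Z) or return None."""
    return None if ts is None else datetime.fromisoformat(ts.replace("Z", "+00:00"))


# Reference time for the audit (fixed so the example is reproducible).
NOW = datetime(2024, 4, 9, tzinfo=timezone.utc)

# Constructed directory export: not real data. Each record resembles what an
# AD/LDAP or IdP export would carry; the field names are assumptions.
DIRECTORY = [
    {"name": "alice", "enabled": True, "type": "member",
     "last_logon": "2024-04-08T09:12:00Z", "expires": None},
    # Former employee who was never disabled in the directory.
    {"name": "bob", "enabled": True, "type": "member",
     "last_logon": "2023-11-02T14:05:00Z", "expires": None},
    # Legacy service account for a system nobody uses any more.
    {"name": "svc_legacy_erp", "enabled": True, "type": "service",
     "last_logon": "2022-06-30T00:00:00Z", "expires": None},
    # Temporary contractor account whose expiry date has passed but is still enabled.
    {"name": "contractor_tmp", "enabled": True, "type": "member",
     "last_logon": "2024-01-15T08:00:00Z", "expires": "2024-02-01T00:00:00Z"},
    # Built-in guest account, enabled and never used.
    {"name": "guest", "enabled": True, "type": "guest",
     "last_logon": None, "expires": None},
    # Already disabled: should not be reported.
    {"name": "carol", "enabled": False, "type": "member",
     "last_logon": "2023-01-01T00:00:00Z", "expires": None},
]


def audit_dormant_accounts(accounts, now, max_idle_days=90):
    """Return {account_name: [reasons]} for enabled accounts that look dormant.

    Reasons: never_logged_on, idle_<n>d (idle longer than max_idle_days),
    past_expiry (expires date already passed), guest_enabled.
    """
    findings = {}
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled, nothing to do
        reasons = []
        last = _parse(acct["last_logon"])
        if last is None:
            reasons.append("never_logged_on")
        else:
            idle_days = (now - last).days
            if idle_days > max_idle_days:
                reasons.append(f"idle_{idle_days}d")
        expires = _parse(acct["expires"])
        if expires is not None and expires < now:
            reasons.append("past_expiry")
        if acct["type"] == "guest":
            reasons.append("guest_enabled")
        if reasons:
            findings[acct["name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in audit_dormant_accounts(DIRECTORY, NOW).items():
        print(f"{name}: {', '.join(reasons)}")
```

Run against the constructed export above, the audit reports bob (idle 158 days), svc_legacy_erp (idle 649 days), contractor_tmp (past expiry) and guest (never logged on, guest enabled), while alice and the already-disabled carol are left alone. Note that the contractor account is caught only by its expiry date: at 84 idle days it slips under the 90-day threshold, which is why expiry and account type are checked independently of idle time.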
One of the best ways to defend against these attacks is MFA. Simply confirming that a user is who they claim to be, by checking on another device or through another communication channel, can go a long way toward preventing compromised credentials from being used.
The attacker can then enter the SMS code when prompted and gain access to the targeted account.
In addition to AitM attacks, SIM swapping attacks have all but rendered SMS-based authentication checks useless.
In 2022, phishing-resistant authentication methods, such as passwordless authentication, accounted for less than 2% of logins.
To illustrate, let's look at when the threat actor begins hammering the login with the compromised credentials.
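Two of the behaviours this article describes leave a clear trail in authentication logs: password spraying (one source failing logins against many different accounts in a short window) and MFA fatigue (one account receiving a burst of push prompts, some denied, until one is approved). The Python below is an added example for this page, not Cisco or Talos code or output from their telemetry: it parses a constructed sample log whose line format (`timestamp EVENT user=... src=... result=...`) is an assumption made for the example, then runs both detections with a sliding time window. Thresholds and the event names `LOGIN` and `MFA_PUSH` are likewise assumptions to be mapped onto your own IdP's fields.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log: not real telemetry. One source sprays
# five accounts, lands a valid password for rkhan, then pushes MFA prompts at
# rkhan until one is approved. alice is an ordinary user mistyping once.
SAMPLE_LOG = """\
2024-04-09T14:00:01Z LOGIN user=jsmith src=203.0.113.7 result=FAIL
2024-04-09T14:00:03Z LOGIN user=mjones src=203.0.113.7 result=FAIL
2024-04-09T14:00:05Z LOGIN user=admin src=203.0.113.7 result=FAIL
2024-04-09T14:00:07Z LOGIN user=pwong src=203.0.113.7 result=FAIL
2024-04-09T14:00:09Z LOGIN user=dlee src=203.0.113.7 result=FAIL
2024-04-09T14:00:11Z LOGIN user=rkhan src=203.0.113.7 result=SUCCESS
2024-04-09T14:02:00Z MFA_PUSH user=rkhan src=203.0.113.7 result=DENIED
2024-04-09T14:02:40Z MFA_PUSH user=rkhan src=203.0.113.7 result=DENIED
2024-04-09T14:03:20Z MFA_PUSH user=rkhan src=203.0.113.7 result=DENIED
2024-04-09T14:04:00Z MFA_PUSH user=rkhan src=203.0.113.7 result=APPROVED
2024-04-09T14:10:00Z LOGIN user=alice src=198.51.100.4 result=FAIL
2024-04-09T14:10:30Z LOGIN user=alice src=198.51.100.4 result=SUCCESS
2024-04-09T14:11:00Z MFA_PUSH user=alice src=198.51.100.4 result=APPROVED
"""

# Line format assumed for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse log lines into dicts sorted by timestamp; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        events.append({"ts": ts, "event": m["event"], "user": m["user"],
                       "src": m["src"], "result": m["result"]})
    events.sort(key=lambda e: e["ts"])
    return events


def _max_in_window(items, window, key):
    """Largest number of distinct key(item) values found inside any `window`-long
    span of `items` (which must be sorted by timestamp)."""
    best = 0
    for i, start in enumerate(items):
        seen = set()
        for e in items[i:]:
            if e["ts"] - start["ts"] > window:
                break
            seen.add(key(e))
        best = max(best, len(seen))
    return best


def detect_password_spray(events, min_users=5, window=timedelta(minutes=10)):
    """Return {src: distinct_accounts} for sources whose failed logins hit at least
    `min_users` distinct accounts inside `window`. Counting distinct users rather
    than raw failures is what separates spraying from one user's typos."""
    by_src = defaultdict(list)
    for e in events:
        if e["event"] == "LOGIN" and e["result"] == "FAIL":
            by_src[e["src"]].append(e)
    return {src: n for src, evs in by_src.items()
            if (n := _max_in_window(evs, window, key=lambda e: e["user"])) >= min_users}


def detect_mfa_fatigue(events, min_prompts=3, window=timedelta(minutes=10)):
    """Return {user: {"prompts": n, "approved_after_denials": bool}} for users who
    received at least `min_prompts` MFA pushes inside `window`. The flag records
    whether an approval followed an earlier denial, the signature of a worn-down user."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "MFA_PUSH":
            by_user[e["user"]].append(e)
    hits = {}
    for user, evs in by_user.items():
        n = _max_in_window(evs, window, key=id)  # id() keys count every prompt
        if n < min_prompts:
            continue
        results = [e["result"] for e in evs]
        first_denial = next((i for i, r in enumerate(results) if r == "DENIED"), None)
        approved_after = first_denial is not None and "APPROVED" in results[first_denial + 1:]
        hits[user] = {"prompts": n, "approved_after_denials": approved_after}
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("password spray:", detect_password_spray(evs))
    print("MFA fatigue:", detect_mfa_fatigue(evs))
```

On the constructed log the spray detector reports 203.0.113.7 with five distinct accounts and nothing for alice's single failure, and the fatigue detector reports rkhan with four prompts and an approval after denials. In production, tune `min_users` to sit above the number of accounts a single NAT egress legitimately fails against in ten minutes, and treat `approved_after_denials` as the high-severity case: by the article's account, that approval is the moment the attacker gets in.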
This Cyber News was published on feedpress.me. Publication date: Tue, 09 Apr 2024 14:43:05 +0000