The use of multi-factor authentication (MFA) is being re-evaluated in light of recent bypass attacks. An example of this is the breach of the DevOps platform CircleCI in December. It was discovered that a malware infection on a single engineer's laptop went undetected by antivirus software, and that the engineer had the privileges to generate production access tokens. The attackers were able to hijack a corporate SSO session that had already passed 2FA, which allowed them to gain access to customer data. The data was encrypted at rest, but the attackers were able to extract the encryption keys from a running process, potentially giving them access to the encrypted data. In response, CircleCI rotated all of its tokens and advised customers to do the same for every secret stored on the platform. The weak point in this attack was the SSO authentication token, which is created only after MFA has already been completed. Attackers can exploit this by compromising the local environment and grabbing the session cookie at the right moment. This is known as a pass-the-cookie attack; stolen session cookies of this kind are now being traded on the dark web. Organizations using MFA should review their deployment and identify any such weak points.
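Because a pass-the-cookie attack reuses a session that already passed MFA, the login itself looks legitimate; what a defender can watch for is the same session identifier turning up from a different client than the one that completed MFA. The following detection over constructed sample events is an added example, not code or log data from CircleCI or the ISC2 post; the event fields and the `mfa_success`/`api_call`/`token_created` event names are assumptions.

```python
from typing import Dict, List

# Constructed sample events (not real CircleCI logs). Session sid-A1 passes MFA
# on the engineer's laptop, then the same cookie is replayed from another client
# that goes on to mint an access token; sid-B2 is a normal session for contrast.
SAMPLE_EVENTS: List[Dict] = [
    {"ts": "2022-12-16T10:00:00Z", "event": "mfa_success", "user": "eng1",
     "session": "sid-A1", "ip": "203.0.113.10", "ua": "Chrome/108 macOS"},
    {"ts": "2022-12-16T10:05:00Z", "event": "api_call", "user": "eng1",
     "session": "sid-A1", "ip": "203.0.113.10", "ua": "Chrome/108 macOS"},
    {"ts": "2022-12-16T11:20:00Z", "event": "api_call", "user": "eng1",
     "session": "sid-A1", "ip": "198.51.100.7", "ua": "curl/7.85"},
    {"ts": "2022-12-16T11:21:00Z", "event": "token_created", "user": "eng1",
     "session": "sid-A1", "ip": "198.51.100.7", "ua": "curl/7.85"},
    {"ts": "2022-12-16T12:00:00Z", "event": "mfa_success", "user": "eng2",
     "session": "sid-B2", "ip": "192.0.2.44", "ua": "Firefox/108 Linux"},
    {"ts": "2022-12-16T12:30:00Z", "event": "api_call", "user": "eng2",
     "session": "sid-B2", "ip": "192.0.2.44", "ua": "Firefox/108 Linux"},
]


def client_fingerprint(event: Dict) -> str:
    """Client identity the session is bound to at MFA time (source IP + user agent)."""
    return f'{event["ip"]}|{event["ua"]}'


def find_hijacked_sessions(events: List[Dict]) -> List[Dict]:
    """Flag every use of a session ID from a client other than the one that completed MFA."""
    bound: Dict[str, str] = {}   # session id -> fingerprint recorded at mfa_success
    alerts: List[Dict] = []
    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO-8601 strings sort chronologically
        sid, fp = ev["session"], client_fingerprint(ev)
        if ev["event"] == "mfa_success":
            bound[sid] = fp          # (re)bind the session to the client that passed MFA
            continue
        if sid in bound and bound[sid] != fp:
            alerts.append({"session": sid, "user": ev["user"], "ts": ev["ts"],
                           "event": ev["event"], "bound_to": bound[sid], "seen_from": fp})
    return alerts


if __name__ == "__main__":
    for alert in find_hijacked_sessions(SAMPLE_EVENTS):
        print(f'possible pass-the-cookie: {alert}')
```

IP and user-agent changes also happen legitimately (VPN reconnects, mobile networks), so this heuristic is a triage signal rather than a verdict; the higher-fidelity control is server-side session binding that rejects such a mismatch outright, with privileged actions like token creation re-prompting for MFA.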
This Cyber News was published on blog.isc2.org. Publication date: Wed, 08 Feb 2023 21:54:03 +0000