In the first quarter of 2024, nearly half of all security incidents our team responded to involved multi-factor authentication issues, according to the latest Cisco Talos report.
A quarter of these incidents were caused by users accepting fraudulent MFA push notifications originating from attackers, while 21% of incidents were due to improper MFA implementation.
The report revealed the most common MFA bypass attempts observed were MFA push attacks.
In these scenarios, attackers who have obtained a user's password bombard the user's MFA-enabled device with push notifications, hoping the user will eventually accept one.
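As an added illustration of how a defender might spot this push-bombing pattern in identity-provider logs (example code written for this page, not from Cisco Talos or the article; the event format, field values and thresholds are assumptions):

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of MFA push events as an IdP might export them
# (timestamp, user, result). Not taken from the article or any real system.
SAMPLE_EVENTS = [
    ("2024-06-26T08:00:05", "alice", "timeout"),
    ("2024-06-26T08:00:40", "alice", "denied"),
    ("2024-06-26T08:01:12", "alice", "timeout"),
    ("2024-06-26T08:01:55", "alice", "denied"),
    ("2024-06-26T08:02:30", "alice", "timeout"),
    ("2024-06-26T08:03:02", "alice", "approved"),  # user finally gives in
    ("2024-06-26T09:15:00", "bob", "approved"),    # ordinary single login
    ("2024-06-26T10:00:00", "carol", "denied"),
    ("2024-06-26T10:20:00", "carol", "approved"),  # one denial 20 min earlier: benign
]


def detect_push_fatigue(events, window=timedelta(minutes=10), min_unanswered=3):
    """Return alerts for approvals that follow a burst of unapproved pushes.

    An approval preceded by at least `min_unanswered` denied or timed-out
    pushes for the same user inside `window` matches the push-bombing
    pattern: the attacker already holds the password and keeps prompting
    until the user accepts one.
    """
    recent = defaultdict(deque)  # user -> timestamps of recent unapproved pushes
    alerts = []
    # ISO-8601 timestamps sort lexically, so sorting the tuples orders by time.
    for ts, user, result in sorted(events):
        t = datetime.fromisoformat(ts)
        q = recent[user]
        while q and t - q[0] > window:  # drop pushes that fell out of the window
            q.popleft()
        if result == "approved":
            if len(q) >= min_unanswered:
                alerts.append({"user": user, "approved_at": ts, "prior_pushes": len(q)})
            q.clear()  # an approval (legitimate or not) ends the current burst
        else:
            q.append(t)
    return alerts
```

Thresholds should be tuned against the organisation's normal push volume before the alert is wired to a response action.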
Attackers have become more creative in their MFA bypass techniques, for example stealing authentication tokens from employees and replaying session tokens with completed MFA checks, allowing attackers to impersonate trusted users and move laterally across networks.
Attackers have also used social engineering tactics to convince IT departments to add new MFA-enabled devices controlled by the attackers.
The report noted instances where contractors were compromised, and their phone numbers changed to receive MFA codes on the attacker's device.
Other techniques include gaining administrative privileges on compromised endpoints to deactivate MFA software and conducting insider attacks where compromised employees approve MFA push notifications sent by attackers.
The Tycoon 2FA platform, for example, applies the attacker-in-the-middle technique, where an attacker-controlled server hosts a phishing web page, intercepts victims' inputs, and relays them to the legitimate service.
This tool now incorporates MFA prompts, capturing session cookies if users accept the request, allowing attackers to bypass MFA even if credentials have been changed.
Jasson Casey, CEO of Beyond Identity, pointed to the Verizon DBIR 2024 report, which found credential theft and phishing are the top two entry points for bad actors in web applications.
He added it's a misconception that push notifications and challenge questions are more secure because neither requires communication through a mobile network, which exposes an additional threat vector of SIM swapping attacks.
Casey said the best way to ensure that MFA is secure and effective is to configure phishing-resistant MFA by default for application access.
Patrick Tiquet, vice president of security and architecture at Keeper Security, said employee training and education on cybersecurity best practices are crucial for protecting an organization from evolving cyber threats.
Employees must also be trained to question unexpected notifications immediately and report any suspicious activity without delay.
Tiquet recommended simulated phishing attacks and push notification exercises to help employees recognize and respond to threats.
Transitioning to a zero-trust security model, where every request is verified regardless of its origin, and implementing the principle of least privilege are recognized as best practices that further strengthen an organization's defense against most cyberattacks.
This Cyber News was published on securityboulevard.com. Publication date: Wed, 26 Jun 2024 19:13:05 +0000