Threat Actors Turn to AiTM to Bypass MFA
Threat actors have started moving away from legacy authentication protocols (which cannot enforce multifactor authentication) as their way of bypassing MFA in Microsoft 365, according to an Expel report on cybersecurity trends.
Instead, they are adopting reverse-proxy phishing frameworks such as Evilginx2 to run adversary-in-the-middle (AiTM) attacks: the victim signs in, MFA included, through the attacker's proxy, which captures both the credentials and the resulting session cookie, giving the attacker initial access without having to defeat MFA a second time.
The report notes that while FIDO2 and certificate-based authentication can stop AiTM attacks, most organizations haven’t yet made the jump to FIDO-only MFA. Many still rely on time-based one-time passwords (TOTPs) and push notifications, both of which a proxy can simply relay to the real login page.
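The session-cookie theft described above leaves a trace: the interactive sign-in completes from one place and the cookie is then replayed from another. The following detection is an added example written for this page, not code from Expel or the report; the records are constructed in the shape of trimmed Microsoft 365 sign-in data, and the `asn` field and the one-hour window are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


# Constructed sign-in/activity records (fields trimmed). Sample input for this
# example only; not real telemetry.
@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    session_id: str
    ip: str
    asn: int        # assumed to be enriched upstream (GeoIP/ASN lookup)
    kind: str       # "interactive" = password+MFA completed; "token" = cookie/refresh token reused


def _t(s):
    return datetime.fromisoformat(s)


SAMPLE_EVENTS = [
    # Benign: one device, one network, token reuse from the same place.
    Event(_t("2023-03-01T08:00:00"), "alice@example.com", "sess-a1", "203.0.113.10", 64500, "interactive"),
    Event(_t("2023-03-01T08:05:00"), "alice@example.com", "sess-a1", "203.0.113.10", 64500, "token"),
    # AiTM pattern: the proxy completes the interactive sign-in on the victim's behalf,
    # then the captured cookie is replayed from the attacker's own infrastructure.
    Event(_t("2023-03-01T09:00:00"), "bob@example.com", "sess-b7", "198.51.100.23", 64510, "interactive"),
    Event(_t("2023-03-01T09:02:30"), "bob@example.com", "sess-b7", "192.0.2.77", 64520, "token"),
    Event(_t("2023-03-01T09:03:00"), "bob@example.com", "sess-b7", "192.0.2.77", 64520, "token"),
]


def find_session_replay(events, window=timedelta(hours=1)):
    """One finding per session whose token is used from a different ASN than the one
    that completed the interactive sign-in, within `window` of that sign-in.
    Comparing ASNs rather than raw IPs avoids noise from carrier-grade NAT."""
    by_session = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_session[e.session_id].append(e)

    findings = []
    for sid, evs in by_session.items():
        interactive = next((e for e in evs if e.kind == "interactive"), None)
        if interactive is None:
            continue  # no originating sign-in in scope; nothing to compare against
        replays = [
            e for e in evs
            if e.kind == "token"
            and e.asn != interactive.asn
            and timedelta(0) <= e.ts - interactive.ts <= window
        ]
        if replays:
            findings.append({
                "user": interactive.user,
                "session_id": sid,
                "signin_ip": interactive.ip,
                "replay_ips": sorted({e.ip for e in replays}),
                "seconds_to_first_replay": int((replays[0].ts - interactive.ts).total_seconds()),
            })
    return findings


if __name__ == "__main__":
    for f in find_session_replay(SAMPLE_EVENTS):
        print(f)
```

Note that with a reverse proxy the "interactive" sign-in itself arrives from the proxy's address, so a per-user baseline of usual ASNs and countries catches the attack earlier than the session-level comparison alone; the comparison above is what confirms that the cookie has left the device that minted it.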
“While these certainly raise the bar considerably, gaps remain and AiTM attacks will continue to exploit those gaps,” said Ben Brigida, director of security operations at Expel.
He called the findings concerning because they exemplify how resilient attackers are and how quickly they demonstrate that resilience.
“They are constantly evolving and innovating to bypass defenses and discover new ways to compromise networks,” he explained.
In addition, identity-based attacks, including business email compromise (BEC), remained a top threat to the company’s customers in 2022, consistent with its 2021 findings.
BEC is an umbrella term that includes things like W-2 scams, romance scams, real estate scams, lottery scams and even payroll fraud.
Brigida explained that successful BEC attacks can allow cybercriminals to perpetrate other types of attacks, like phishing.
If the victim can be tricked into handing over their credentials, the attacker can effectively enter “through the front door,” he said.
BEC attempts represented half of all the incidents Expel’s security operations center saw, and Brigida said he expected that number to grow.
“It’s a big issue because it’s the entry point for a lot of different kinds of attacks aimed at achieving different goals,” he said. “BEC attempts are happening to all different kinds of organizations and target all types of users—no matter their title or department.”
Once an attacker has valid credentials and is inside the environment, they will likely be able to reach essential controls and sensitive information, which is why it’s important for organizations to take preemptive measures.
“The takeaway here is that security controls and education to help employees identify phishing attempts need to span the entire organization,” Brigida said.
The report also showed a rise in cloud-based security incidents, with attackers targeting long-term access keys and service account credentials as a means of initial access.
Attackers are also abusing public-facing Amazon Elastic Compute Cloud (EC2) instances to perform server-side request forgery (SSRF) or DNS rebinding attacks in AWS, or to deploy tooling and malware.
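Both of the cloud patterns above show up in CloudTrail as credentials used from somewhere they should not be: a long-term `AKIA` key called from outside corporate egress, or an instance role's temporary credentials (obtained through SSRF against the instance metadata service, the usual target of such requests) used from an address other than the instance's own. The review below is an added example for this page, not code from Expel or the report. The records, the corporate egress range and the instance-to-IP map are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass


# Constructed CloudTrail-style records, trimmed to the fields the checks need.
# Sample input for this example only; not events from any real account.
@dataclass(frozen=True)
class Record:
    event_name: str
    source_ip: str
    access_key_id: str
    identity_type: str      # "IAMUser" or "AssumedRole"
    principal_arn: str


# Assumed environment knowledge: corporate egress ranges, and the public IP of each
# instance whose role credentials should only ever be used from the instance itself.
CORP_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]
INSTANCE_PUBLIC_IP = {"i-0abc123def456": "198.51.100.9"}

SAMPLE = [
    Record("ListBuckets", "203.0.113.8", "AKIAEXAMPLE000000001", "IAMUser",
           "arn:aws:iam::111122223333:user/deploy"),
    # Same long-term key, now used from an address outside the corporate range:
    Record("GetObject", "192.0.2.44", "AKIAEXAMPLE000000001", "IAMUser",
           "arn:aws:iam::111122223333:user/deploy"),
    Record("DescribeInstances", "198.51.100.9", "ASIAEXAMPLE000000002", "AssumedRole",
           "arn:aws:sts::111122223333:assumed-role/web-role/i-0abc123def456"),
    # Role credentials read from the metadata service via SSRF and used off-instance:
    Record("ListSecrets", "192.0.2.44", "ASIAEXAMPLE000000002", "AssumedRole",
           "arn:aws:sts::111122223333:assumed-role/web-role/i-0abc123def456"),
]


def _in_corp(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORP_EGRESS)


def key_kind(access_key_id):
    # AKIA... = long-term IAM user key; ASIA... = temporary STS credential
    return {"AKIA": "long-term", "ASIA": "temporary"}.get(access_key_id[:4], "unknown")


def review(records):
    """Return (reason, subject, source_ip, event_name) tuples for suspicious usage."""
    findings = []
    for r in records:
        if key_kind(r.access_key_id) == "long-term" and not _in_corp(r.source_ip):
            findings.append(("long-term key used outside corporate egress",
                             r.access_key_id, r.source_ip, r.event_name))
        if r.identity_type == "AssumedRole":
            # For instance-profile credentials the role session name is the instance ID.
            session_name = r.principal_arn.rsplit("/", 1)[-1]
            home_ip = INSTANCE_PUBLIC_IP.get(session_name)
            if home_ip and r.source_ip != home_ip:
                findings.append(("instance role credentials used off-instance",
                                 session_name, r.source_ip, r.event_name))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(finding)
```

The off-instance check only works once you know where each role's credentials legitimately come from; requiring IMDSv2 (session-token-based metadata access) on the instance closes the common SSRF path to those credentials in the first place, and replacing long-term keys with short-lived role credentials removes the first class of finding altogether.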
“We suspect this is happening for two primary reasons: More opportunity as organizations continue to move to the cloud and more familiarity from attackers with the cloud attack surface,” Brigida explained. “We expect the relative percentage of incidents originating in the cloud to continue to rise, and even accelerate, for years to come.”
He added that remote work seems to have contributed to a more rapid adoption cycle for a wider variety of SaaS apps.
This has led to a proliferation of identities and devices accessing company data in more places, and crucially not on the company’s monitored internal network.
“There are pockets of important information in places that aren’t always visible to defenders in any environments—cloud-native or traditional,” he noted.
He added that as organizations continue to adopt SaaS apps and shift their attack surface out of traditional infrastructure and into the cloud, their defensive posture has had to change too.
“There are always growing pains associated with change. It’s not exactly more complex, just different in a way that favors the attackers now,” Brigida said. “As defenders learn what data is available, what they need, and new logs get added, the arms race will continue to swing back and forth.”
This year, he expects BEC threat actors to continue adopting AiTM phishing frameworks to steal session cookies, gaining initial access and bypassing MFA in a single step.
“TOTP and push notification MFA do not stop this class of attack,” he noted. “As a result, BEC will become an even bigger problem in 2023. But perhaps this will be the compelling event that organizations need to shift to FIDO2.”
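The reason FIDO2 stops the AiTM attack described earlier, while TOTP and push do not, is origin binding: a TOTP code or push approval is the same regardless of which site the user is looking at, whereas a WebAuthn assertion is signed over data the browser fills in with the origin it is actually connected to. The relying-party checks below are an added example for this page, not Expel's or any vendor's code. The domain names and the phishing host are constructed; signature verification over `authData || SHA-256(clientDataJSON)` is assumed to follow these checks and is not shown.

```python
import base64
import hashlib
import json
import secrets
import struct

# Constructed values for this example; no real relying party is involved.
RP_ID = "login.example.com"
RP_ORIGIN = "https://login.example.com"
PHISHING_ORIGIN = "https://login.example.com.evil.test"   # hypothetical AiTM proxy host


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def browser_client_data(origin, challenge):
    """What the browser (not the page, and not any proxy) serialises before the
    authenticator signs. The origin comes from the page the browser is really on."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url(challenge),
                       "origin": origin}).encode()


def authenticator_data(rp_id, sign_count=1):
    # rpIdHash (32) || flags (1; UP=0x01, UV=0x04) || signCount (4, big-endian)
    return hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + struct.pack(">I", sign_count)


def verify_binding(client_data_json, auth_data, expected_challenge):
    """The steps of WebAuthn assertion verification that tie the response to this
    origin and RP ID. Returns (ok, reason)."""
    c = json.loads(client_data_json)
    if c.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not secrets.compare_digest(b64url_decode(c.get("challenge", "")), expected_challenge):
        return False, "challenge mismatch"
    if c.get("origin") != RP_ORIGIN:
        return False, "origin mismatch: %r" % c.get("origin")
    if len(auth_data) < 37:
        return False, "authenticator data too short"
    if not secrets.compare_digest(auth_data[:32], hashlib.sha256(RP_ID.encode()).digest()):
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence not asserted"
    return True, "bound to relying party"


def demo():
    challenge = secrets.token_bytes(32)       # issued by the RP for this login attempt
    auth = authenticator_data(RP_ID)
    direct = verify_binding(browser_client_data(RP_ORIGIN, challenge), auth, challenge)
    # AiTM case: the proxy forwards the RP's genuine challenge, but the victim's browser
    # is on the phishing origin, so that is the origin that gets signed.
    proxied = verify_binding(browser_client_data(PHISHING_ORIGIN, challenge), auth, challenge)
    return direct, proxied


if __name__ == "__main__":
    print(demo())
```

In practice the proxied attempt fails even earlier: the browser on the phishing origin cannot request an assertion for an RP ID that is not a registrable suffix of its own domain, so the authenticator never produces one. The origin check above is the relying party's independent backstop, and it has no equivalent for a six-digit TOTP code.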
Brigida also predicted there will be an uptick in MFA push notification fatigue attacks.
“Simply put, they work, and the fact that an increasing number of organizations turn to SSO to provide access to their enterprise applications means that they’re juicy targets for attackers,” he explained.
Access to an SSO platform gives them the “keys to the kingdom,” so they’re not shy about blitzing their targets with MFA push requests in the hope that one will eventually be approved.
“Luckily, security teams have a few options at their disposal for preventing this,” he said. “They can disable the push notification feature of the MFA solution and require users to enter a secure PIN.”
Brigida said another option is to use the number-matching setting common in popular platforms, which requires the user to type a number shown on the sign-in screen into the authenticator app to approve the request, so a prompt the user did not initiate cannot be approved blindly.
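Until number matching is enforced everywhere, a push-bombing campaign is visible in the IdP's MFA log as a burst of prompts to one user in a short window, often ending in an approval. The detector below is an added example for this page, not Expel's or any IdP vendor's code; the events are constructed in a vendor-neutral shape, and the 10-minute window and four-prompt threshold are assumptions to tune against your own baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed MFA events, vendor-neutral shape. Sample input for this example only.
SAMPLE_MFA_EVENTS = [
    {"ts": "2023-03-01T22:00:05", "user": "carol@example.com", "method": "push", "result": "denied",   "ip": "192.0.2.9"},
    {"ts": "2023-03-01T22:00:40", "user": "carol@example.com", "method": "push", "result": "timeout",  "ip": "192.0.2.9"},
    {"ts": "2023-03-01T22:01:15", "user": "carol@example.com", "method": "push", "result": "denied",   "ip": "192.0.2.9"},
    {"ts": "2023-03-01T22:01:50", "user": "carol@example.com", "method": "push", "result": "timeout",  "ip": "192.0.2.9"},
    {"ts": "2023-03-01T22:02:30", "user": "carol@example.com", "method": "push", "result": "approved", "ip": "192.0.2.9"},
    # Normal day for another user: two prompts hours apart.
    {"ts": "2023-03-01T09:00:00", "user": "dave@example.com",  "method": "push", "result": "approved", "ip": "203.0.113.5"},
    {"ts": "2023-03-01T13:30:00", "user": "dave@example.com",  "method": "push", "result": "denied",   "ip": "203.0.113.5"},
]


def detect_push_fatigue(events, window=timedelta(minutes=10), min_prompts=4):
    """Flag users who receive at least `min_prompts` push challenges inside any `window`.
    Only an attacker holding the password can trigger the prompt repeatedly, so the
    burst itself is the signal; `approved` records whether the user finally gave in."""
    by_user = defaultdict(list)
    for e in events:
        if e["method"] == "push":
            by_user[e["user"]].append((datetime.fromisoformat(e["ts"]), e["result"], e["ip"]))

    findings = []
    for user, prompts in by_user.items():
        prompts.sort()
        best = None
        for i in range(len(prompts)):
            j = i
            while j + 1 < len(prompts) and prompts[j + 1][0] - prompts[i][0] <= window:
                j += 1
            if j - i + 1 >= min_prompts and (best is None or j - i > best[1] - best[0]):
                best = (i, j)   # keep the widest burst for this user
        if best is not None:
            burst = prompts[best[0]:best[1] + 1]
            findings.append({
                "user": user,
                "prompts": len(burst),
                "approved": any(result == "approved" for _, result, _ in burst),
                "source_ips": sorted({ip for _, _, ip in burst}),
                "first": burst[0][0].isoformat(),
                "last": burst[-1][0].isoformat(),
            })
    return findings


if __name__ == "__main__":
    for f in detect_push_fatigue(SAMPLE_MFA_EVENTS):
        print(f)
```

A burst that ends in `approved` should be handled as a probable compromise (revoke sessions, reset the password, review what the account did next), while an unapproved burst still tells you the password is in the attacker's hands and needs rotating.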