
What You Need to Know About the Duo MFA Hack


Multi-Factor Authentication (MFA) is one of the most effective ways to protect your network, but only if you deploy it properly. That's a hard lesson one NGO learned after attackers turned the default settings of its MFA deployment against it and used them to gain entry to the network. 

On March 15, 2022, the FBI and CISA released a joint Cybersecurity Advisory (AA22-074A) detailing the incident. Russian state-sponsored actors exploited default settings in the victim's Cisco Duo MFA deployment to get into the network, then used a known, unpatched Windows vulnerability to escalate privileges, disable MFA for other accounts, and steal documents from the victim's cloud and email accounts. 

So how did that happen? And, how do you keep your business from experiencing the same fate? 

At ITS, we've helped hundreds of businesses bolster their cybersecurity efforts. In this article, we'll help you understand how the attack happened and what you could do differently to prevent a similar outcome from happening to you. To do that, we'll dive into the following: 

  • How Did the Hackers Bypass MFA? 
  • What Happens When Hackers Get Through Your MFA? 
  • Is MFA Still a Viable Security Measure? 
  • How to Improve MFA Security 

How Did the Hackers Bypass MFA? 

According to the alert issued by the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA), the cyber actors got in through a dormant account that was still governed by Duo's default MFA settings. 

The hackers obtained that account's password by brute-force guessing. The account had been un-enrolled from Duo after a long period of inactivity but was never disabled in Active Directory, so to Duo it looked like a brand-new user. Duo's default settings therefore let the attackers enroll a device they controlled, satisfy the MFA prompt themselves, and log in. Once inside, they set about establishing a foothold within the security perimeter. 

It's important to note that the MFA bypass only worked because two basic hygiene failures lined up: the account's password was weak enough to guess, and an account nobody had used in months had been left enabled. 
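The root cause here was a stale account that was still enabled. The following PowerShell is an added example (not from the FBI-CISA advisory and not ITS's own tooling) that lists enabled Active Directory users who have been inactive long enough that an MFA provider would have dropped their enrollment, so they can be disabled before anyone guesses their password and re-enrolls. It assumes a domain-joined host with the RSAT ActiveDirectory module; the 90-day window is an assumed value you should match to your own MFA inactivity policy.

```powershell
# Added example: find enabled AD accounts that have gone dormant, then disable them.
# Assumes the RSAT ActiveDirectory module and read access to the directory.
Import-Module ActiveDirectory

function Get-DormantEnabledUsers {
    param(
        # Assumed threshold; align it with the inactivity window after which
        # your MFA provider un-enrolls users, so no account sits in that gap.
        [int] $InactiveDays = 90
    )
    $since = New-TimeSpan -Days $InactiveDays

    # Search-ADAccount -AccountInactive is driven by lastLogonTimestamp, which
    # replicates with up to 14 days of lag, so read the result as "at least this dormant".
    Search-ADAccount -AccountInactive -TimeSpan $since -UsersOnly |
        Where-Object { $_.Enabled } |
        ForEach-Object {
            Get-ADUser -Identity $_.DistinguishedName -Properties LastLogonDate, PasswordLastSet, whenCreated |
                Select-Object SamAccountName, LastLogonDate, PasswordLastSet, whenCreated
        }
}

$dormant = Get-DormantEnabledUsers -InactiveDays 90
$dormant | Sort-Object LastLogonDate | Format-Table -AutoSize

# Review the list first; drop -WhatIf to actually disable the accounts.
$dormant | ForEach-Object { Disable-ADAccount -Identity $_.SamAccountName -WhatIf }
```

Run it on a schedule and feed the output to whoever owns joiner/mover/leaver processes. Accounts that must stay enabled for a legitimate reason (break-glass, some service accounts) should be documented exceptions with a long random password, not silent ones.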

What Happens When Hackers Get Through Your MFA? 

Once they get inside, hackers will work hard to set footholds within the network so they can move around in it. According to Edward Griffin, a Principal at Intivix, an ITS partner in San Francisco, threat actors will take a look at your environment and find the best way to exploit its vulnerabilities. 

"If they get past the identity gate, they will need to find some way to penetrate the actual assets of the given network," he said. Unless you have robust security systems actively monitoring all endpoints, that's not very hard to do. Once hackers can breach inside your network, they're already past the tricky part. 

Griffin explained that once malicious actors figure out your environment, they might not even need any special hacking expertise to figure out its weakness. They could just run through a list of known vulnerabilities for your operating system and apps or just purchase an attack from the dark web that can do the work for them. 

In the case of the unnamed NGO, the attackers found a system in the victim's domain that had not been patched for "PrintNightmare" (CVE-2021-34527), a Windows Print Spooler vulnerability that made headlines in mid-2021 and for which Microsoft had released fixes months before the intrusion. 

The vulnerability let the attackers run code with SYSTEM privileges. From there they disabled MFA for domain accounts by cutting the Duo agent off from Duo's cloud service (the "fail open" problem discussed below), harvested credentials for additional domain accounts, and bypassed MFA for those accounts the same way. Using the newly compromised accounts with MFA no longer enforced, they moved laterally to the victim's cloud storage and email accounts and took what they wanted. 

Is MFA Still a Viable Security Measure? 

The definitive answer to that question is yes. While MFA can be circumvented, it will force cybercriminals to jump extra hurdles that may turn them away and search for an easier target. 

If we use the incident described in the FBI-CISA alert as an example, the attack sequence started with the hackers guessing a weak password on a dormant account before MFA even came into play. A strict password policy, together with a routine of disabling accounts nobody has used in months, would have stopped it at step one. 

"[MFA is] not 100% effective. But, it is highly effective. It's, by far, still the most impactful thing anyone, any organization can do to increase their security posture," Griffin said. "It's not just a good idea. It's going to become mandatory to a certain extent," he added. 


How to Improve MFA Security 

Let's address the elephant in the room. The attack detailed in this article could have been prevented or mitigated if the victim had taken some precautionary steps. These extra steps might be inconvenient, but they pay dividends when it counts. According to Griffin, "if you want to be secure, you've got to do more than the bare minimum." That's the only way to combat cyber threats effectively. 

To prevent the same outcome from happening to your business, check out these tips on how to improve your MFA: 

Utilize Geo IP Filtering 

Geo IP filtering lets you deny access when traffic originates from a geographic location you have no business reason to accept. Treat it as a way to cut noise rather than as a control in itself: attackers routinely route through VPNs, cloud providers, or compromised hosts in the target's own country. 

According to the FBI-CISA alert, Russian state-sponsored cyber actors were responsible for the attack on the unnamed NGO. Duo Access, a higher-tier Duo edition, includes a user-location policy that can deny authentications originating from Russia or other regions where attacks frequently originate. You can also set a Geo IP filter on your firewall and on any other apps that offer the feature for good measure. 

"[Geo IP filtering] might help. Not in all cases, perhaps not even in the majority of cases. But it helps to try to narrow the field," Griffin said. "It can definitely be circumvented. However, it's kind of like locking your front door. An attacker can break it down, but are they going to take the time doing it? Or, are they going to move on to the next target?" he explained. 

Enforce Stringent Password and Account Lockout Policy 

According to the Verizon 2021 Data Breach Investigations Report, credentials are the primary thing attackers go after: the report found that 61% of breaches involved credential data. 

If the NGO had a strict password policy in place, it could have prevented the attack in the first place. "This incident required that bad actors had compromised credentials. They can do that by either cracking a password, intercepting a username and password combination, or just by brute force methods. [A password policy] is going to mitigate that somewhat," Griffin stated. 

He also explained that an account lockout policy would prevent hackers from using brute force attacks to gain access to your network. According to Griffin, if a bad actor has reached a certain number of failed login attempts, they should be locked out of the system, and an alert should be sent to the responsible authority. 
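A lockout policy only helps if someone is also looking at the failures that trigger it. The following PowerShell is an added example (not from the advisory and not ITS's tooling) that triages Windows failed-logon events (Event ID 4625) for brute-force bursts: it groups failures by source address and target account and flags any pair that exceeds a threshold inside a sliding window. The threshold and window values are assumptions to tune to your environment, and the sample events are constructed for illustration; the commented lines at the end show how to feed it real events from a domain controller.

```powershell
# Added example: flag brute-force bursts in failed-logon data.

function ConvertFrom-LogonFailureEvent {
    # Flatten a real 4625 EventLogRecord into the shape Get-LogonFailureBursts expects.
    param([Parameter(Mandatory, ValueFromPipeline)] $Event)
    process {
        $data = ([xml]$Event.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            TimeCreated    = $Event.TimeCreated
            TargetUserName = ($data | Where-Object Name -eq 'TargetUserName').'#text'
            IpAddress      = ($data | Where-Object Name -eq 'IpAddress').'#text'
        }
    }
}

function Get-LogonFailureBursts {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $Threshold     = 10,   # assumed: failures from one source against one account ...
        [int] $WindowMinutes = 15    # ... within this sliding window
    )
    $window = New-TimeSpan -Minutes $WindowMinutes
    $Events | Group-Object IpAddress, TargetUserName | ForEach-Object {
        $times = @($_.Group | Sort-Object TimeCreated | ForEach-Object { $_.TimeCreated })
        # Sliding window: the most failures that fall inside any WindowMinutes span.
        $peak = 0; $start = 0
        for ($i = 0; $i -lt $times.Count; $i++) {
            while ($times[$i] - $times[$start] -gt $window) { $start++ }
            $peak = [Math]::Max($peak, $i - $start + 1)
        }
        if ($peak -ge $Threshold) {
            [pscustomobject]@{
                IpAddress      = $_.Group[0].IpAddress
                TargetUserName = $_.Group[0].TargetUserName
                Failures       = $_.Count
                PeakInWindow   = $peak
            }
        }
    }
}

# Constructed sample: 12 guesses against a dormant service account in three minutes,
# plus two ordinary typos from a workstation that should not be flagged.
$t0 = Get-Date '2022-03-01T02:00:00'
$sample = @(
    0..11 | ForEach-Object {
        [pscustomobject]@{ TimeCreated = $t0.AddSeconds(15 * $_); TargetUserName = 'svc-backup'; IpAddress = '203.0.113.5' }
    }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(5); TargetUserName = 'jdoe'; IpAddress = '10.0.0.23' }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(6); TargetUserName = 'jdoe'; IpAddress = '10.0.0.23' }
)
Get-LogonFailureBursts -Events $sample | Format-Table -AutoSize

# Against a live domain controller (run elevated; the Security log needs it):
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-24) } |
#             ConvertFrom-LogonFailureEvent
# Get-LogonFailureBursts -Events $live
```

One caveat: per-account lockout does nothing against password spraying, where one password is tried across many accounts from a single source. The same grouping logic, run on IpAddress alone with a count of distinct TargetUserName values, catches that pattern; a lockout policy on its own will not.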

Enable a "Fail Closed" Policy 

The hackers disabled MFA for domain accounts by abusing the "fail open" default of Duo for Windows. Having gained SYSTEM privileges, they edited a domain controller's hosts file to point the Duo API hostname at localhost, so the Duo agent could no longer reach Duo's cloud service to validate logins. With the service unreachable, fail open kicked in and logins proceeded without a second factor. 

"In a 'fail open' scenario, the loss of contact with Duo cloud servers will make it assume that you're a trusted user, and it will allow you to log in without MFA, so that's the default setting," Griffin explained. 

Fail closed is the alternative to the default. With it set, the Duo agent on a machine denies the logon when it cannot reach Duo's service instead of waving the user through. Griffin warned, however, that it was "a drastic alternative" as it would lock users out whenever a machine loses connectivity to Duo, whether through an ordinary outage or because an attacker deliberately severed it.  
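The following PowerShell is an added example (not from the advisory, not Duo's code, and not ITS's tooling) that audits the two things this stage of the intrusion depended on on a Windows host: the Duo for Windows Logon fail mode, and a hosts-file entry hijacking the Duo API hostname. It assumes Duo Authentication for Windows Logon, which stores its fail mode as the FailOpen DWORD under HKLM\SOFTWARE\Duo Security\DuoCredProv (1 = fail open, 0 = fail closed); the `api-xxxxxxxx` hostname in the sample hosts file is a constructed placeholder.

```powershell
# Added example: audit Duo for Windows Logon fail mode and detect a hosts-file redirect.

function Get-DuoWindowsLogonFailMode {
    $key = 'HKLM:\SOFTWARE\Duo Security\DuoCredProv'
    if (-not (Test-Path $key)) { return 'Duo for Windows Logon not installed' }
    $v = (Get-ItemProperty -Path $key -Name FailOpen -ErrorAction SilentlyContinue).FailOpen
    switch ($v) {
        0       { 'fail closed (FailOpen=0)' }
        1       { 'fail open (FailOpen=1)' }
        default { 'FailOpen not set; the installer default is fail open' }
    }
}

function Set-DuoWindowsLogonFailClosed {
    # Requires elevation. After this, nobody logs on while the Duo API is unreachable,
    # so pair it with monitoring of Duo reachability rather than flipping it blind.
    Set-ItemProperty -Path 'HKLM:\SOFTWARE\Duo Security\DuoCredProv' -Name FailOpen -Value 0 -Type DWord
}

function Find-DuoHostsRedirect {
    # Fail open only matters once Duo becomes unreachable. The attackers forced that by
    # mapping the Duo API hostname to localhost in the hosts file. Any uncommented
    # duosecurity.com line is a red flag regardless of the address it points to.
    param([string] $HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts")
    Get-Content -Path $HostsPath | Where-Object { $_ -match '^\s*[^#\s].*duosecurity\.com' }
}

Get-DuoWindowsLogonFailMode
Find-DuoHostsRedirect

# Constructed sample of a tampered hosts file, to show what the check returns.
$sampleHosts = Join-Path $env:TEMP 'hosts.sample'
@(
    '# Copyright (c) 1993-2009 Microsoft Corp.'
    '127.0.0.1       localhost'
    '127.0.0.1       api-xxxxxxxx.duosecurity.com'
) | Set-Content -Path $sampleHosts
Find-DuoHostsRedirect -HostsPath $sampleHosts   # returns the api-xxxxxxxx line
```

The same choice exists elsewhere in a Duo deployment: the Duo Authentication Proxy's authproxy.cfg uses `failmode=safe` (fail open, the default) versus `failmode=secure`. Whichever mode you choose, alert on the Duo API becoming unreachable from a domain controller and on any edit to the hosts file there; both are loud, cheap signals for exactly the manoeuvre the advisory describes.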

Deny Self-Enrollment Procedures 

Another way to keep cyber actors from bypassing MFA is to deny self-enrollment. According to Griffin, instead of users being able to enroll for MFA on their own, organizations should add a step that verifies the request is legitimate. You can do that by requiring users to contact IT admins or your managed service provider's (MSP's) helpdesk before enrolling a device. In Duo, this is governed by the New User Policy, which decides what happens when an account with no enrolled device signs in: the default ("Require enrollment") is what let a dormant account be re-enrolled by its attacker, while "Deny access" forces the request through your helpdesk. 

Deploy Robust Cybersecurity Systems 

There are no two ways about it; robust cybersecurity systems help you prevent, detect, and mitigate threats. Tools like endpoint detection and response (EDR), security information and event management (SIEM), and next-gen firewalls are vital to keeping your network safe. 

"It would be hard to detect threats at any point in time or even soon after a breach, without the benefit of all these robust security tools," Griffin shared. 

According to him, having those advanced systems and the right people monitoring your network can even help you detect cyber actors that are hiding and lurking inside it. "If the environment has things like endpoint protection and intrusion detection systems, any attempt to laterally move within the network can get caught. So just because they have access doesn't mean they have fully compromised that network," he stated. 

Want to Improve Your MFA Security? 

MFA is still a viable and effective security measure, but you have to do more than the bare minimum. MFA is just one layer of security, and you need multiple layers for it to work. Enforcing strict policies and processes, deploying robust security tools, and having a skilled team are all necessary to prevent attacks like the one described in this article. In Griffin's own words, "It's systems, it's people, it's process." 

At ITS, we help our clients navigate the current threat landscape with smart cybersecurity measures that strike a balance between security and productivity. If you want to learn more, check out our article on The Best Cybersecurity for Small Businesses. 
