What can we learn about 2 serious, high-profile MFA bypass and passwordless hacks?
There’s a lot of talk whenever serious cyber breaches make the news. Companies assure stakeholders they’ll improve security measures and cybersecurity tech providers promise solutions.
Damage control as a result of fear can easily become cybersecurity theater to make people feel safer, rather than actually improving security.
While cyber breaches can be devastating and are better avoided, they also teach us how attackers work and help us identify vulnerabilities. Two high-profile cases, the SolarWinds breach and various Lapsus$ attacks, reveal some problems in today’s security standards.
Here are some lessons learned and ways to avoid the kind of cybersecurity theater that claims any given tech solution is a fix-all.
What happened with SolarWinds
One of the most shocking security breaches in recent years was a software supply chain attack exposed in December of 2020. It compromised 18,000 SolarWinds customers, including Fortune 500 companies and government agencies, allowing hackers access to sensitive information for more than nine months.
This attack was executed over an extended period: a Russian state hacking group known as Cozy Bear infiltrated SolarWinds and embedded malicious code into a software update for Orion, the company’s network monitoring tool. Thousands of SolarWinds customers accepted the update, unknowingly installing a backdoor with it and exposing their networks.
The cyber breaches continued as attackers used network access gained through the Orion backdoor to steal Microsoft credential tokens, enabling them to impersonate existing users and accounts. A Microsoft report informing users of the breach said the admin permissions were “acquired through an on-premises compromise to gain access to an organization’s trusted SAML token-signing certificate.” This allowed attackers “to forge SAML tokens that impersonate any of the organization’s existing users and accounts, including highly privileged accounts.”
The same hacking group targeted a think tank organization multiple times as well, using software supply chain and MFA bypass tactics of a similar flavor. The attackers reached the organization’s Duo MFA integration through its Outlook Web Application (OWA) server and stole the Duo secret key. Ars Technica says, “This key then allowed the attacker to derive a pre-computed value to be set in the duo-sid cookie. After successful password authentication, the server evaluated the duo-sid cookie and determined it to be valid.”
Because the forged cookie falsely validated the second factor, the attacker only needed a username and password, a complete MFA bypass. When clever attack methods are deployed through trusted third-party software, MFA bypass becomes easy for bad actors, and passwordless security such as hardware tokens is rendered useless.
Lessons from these cyber breaches
While it’s true that supply chain attacks are extremely difficult to prevent, that’s not the only element in a complex and sophisticated hack like the SolarWinds breach. There’s a false sense of security in cybersecurity theater measures that assume threats are neutralized with simple “best practices” like using MFA, passwordless solutions, and timely security updates.
Takeaways:
The security of trusted vendors is equally as important as your own company’s security
Timely software updates are important, but they become a liability when the update itself is compromised
Attackers don’t need to break passwordless cryptographic tokens directly; they work around them
Small companies may not feel at risk, but they are if they share vendors with other targets
Clever hackers have developed many MFA bypass tactics
Another well-known hacking group is a data extortion gang called Lapsus$. These attackers have also perpetrated many high-profile security breaches on large companies like Microsoft and Nvidia using social engineering to obtain sensitive data in order to ransom it for payment.
In March of 2022, Lapsus$ leaked nearly 190GB of Samsung source code that included algorithms for biometric unlocks on mobile devices and other sensitive information. In the same month, the hacking group also breached Okta, a Single Sign-On service provider, by accessing customer support tickets, Slack messages, and internal user management tools.
Many of the MFA bypass strategies that Lapsus$ uses exploit human behavior by getting a user to comply with a request and grant access. This type of social engineering takes various forms.
MFA prompt bombing
MFA is legitimately a strong security measure. That’s why attackers don’t attempt to break directly into accounts. Instead, they exploit gaps at the human level as an MFA bypass method. This can look like:
“Bombing” a user with so many MFA prompts that they’re finally annoyed into accepting one
Sending few prompts per day, which is less suspicious, but still catches people off guard
Calling the user and impersonating IT, requesting MFA access as a company procedure
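The first two prompt patterns above, a burst of pushes and a low-and-slow drip, can be surfaced from identity-provider push logs. The following detection logic is an added example, not part of the original post or of any vendor’s product; the sample events are constructed, and the log layout and result vocabulary (“approved”, “denied”, “timeout”) are assumptions to be mapped onto your own provider’s fields.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample push-MFA events (not real logs): timestamp, user, result.
# Result vocabulary ("approved", "denied", "timeout") is an assumption.
SAMPLE_EVENTS = """\
2022-03-01T09:00:05Z alice approved
2022-03-01T23:10:01Z bob denied
2022-03-01T23:11:15Z bob timeout
2022-03-01T23:12:02Z bob denied
2022-03-01T23:12:50Z bob approved
2022-03-02T08:30:00Z carol denied
2022-03-03T08:31:00Z carol denied
2022-03-04T08:29:00Z carol denied
2022-03-05T08:30:00Z carol approved
"""

def parse_events(text):
    """Group 'ISO-timestamp user result' lines per user, in time order."""
    by_user = defaultdict(list)
    for line in text.splitlines():
        ts, user, result = line.split()
        by_user[user].append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result))
    return {u: sorted(evs) for u, evs in by_user.items()}

def detect_prompt_bombing(by_user, window=timedelta(minutes=10), min_unanswered=3):
    """Burst: an approval preceded by >= min_unanswered unanswered pushes in `window`."""
    flagged = {}
    for user, evs in by_user.items():
        for i, (ts, result) in enumerate(evs):
            if result != "approved":
                continue
            recent = [r for t, r in evs[:i] if ts - t <= window and r != "approved"]
            if len(recent) >= min_unanswered:
                flagged[user] = max(flagged.get(user, 0), len(recent))
    return flagged

def detect_low_and_slow(by_user, min_days=3):
    """Drip: unanswered pushes on >= min_days distinct days, then an approval."""
    flagged = {}
    for user, evs in by_user.items():
        days = set()
        for ts, result in evs:
            if result != "approved":
                days.add(ts.date())
                continue
            if len(days) >= min_days:
                flagged[user] = max(flagged.get(user, 0), len(days))
            days.clear()
    return flagged
```

Both functions return the users to review together with the count that triggered the alert; on the sample data the burst rule flags bob and the drip rule flags carol.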
Obtaining credentials
Lapsus$ also uses other MFA bypass strategies to compromise accounts and data without having to crack MFA head-on. Instead of tricking a user into performing the MFA, attackers obtain credentials in other creative ways like:
Using malicious password stealers to get passwords and session tokens
Buying passwords and session tokens on the black market
Bribing employees, vendors, or partners to hand over credentials and MFA approval
Searching public code for unintentionally exposed information
MFA bypass targets human vulnerabilities
Passwordless solutions and MFA are indeed much more secure than simple passwords and logins. But that doesn’t mean cybersecurity theater can’t overstate their effectiveness. No matter what security measures your organization is using, people are still a factor and attackers love to target human vulnerabilities.
These facts should not deter InfoSec officers from crafting the most comprehensive security plans with the best tools and products. It’s simply a reminder that none of those things guarantee security. Shrewd attackers like Lapsus$ are creative and persistent. This means:
Using MFA prevents many attacks but not all
FIDO2 and other passwordless strategies are quite secure, but they push attackers toward more creative tactics
Hackers don’t give up and the landscape is always evolving
Gaps between human users and even the best technology can quickly become breaking points
The best tech can’t stop socially engineered cyber breaches
We’ve learned from SolarWinds that software supply chain infiltrations are extremely difficult to catch. Fast software updates for security patches are a good thing, until they’re compromised. And third-party products that are shared by many customers can cause wide, cascading damage.
Lapsus$ has taught us that, yes, MFA is better than no MFA. Both passwordless MFA and SSO can reduce user vulnerabilities, but they don’t completely eliminate them. Social engineering attacks continue to increase as hackers invent new ways to catch people unaware. Keeping all of this in mind means accepting that there’s no single tool or tactic to prevent cyber breaches. Don’t let the cybersecurity theater put you to sleep. Instead, use the best solutions available to you and never stop learning from real-world examples.