Matt Frye at Hornetsecurity explains why attacks that circumvent multifactor authentication security processes are becoming more prevalent
Threat actors are constantly adapting to the uptake in cyber-security safeguarding measures amongst businesses. One area that presents an escalating threat to business owners and their customers centres round a range of MFA bypass attacks, which are set to increase in volume and sophistication. It is critical to be aware of this and take the right steps to defend against this form of cyber-attack.
Multi-factor Authentication (MFA) requires users to fulfil two or more prompts to access an account. These could include biometrics or one-time passwords (OTPs), typically four- to eight-digit codes, used to verify identity or authorise an action. MFA adds a robust layer of security, but it does not make accounts invulnerable.
Why MFA bypass attacks will increase
Cyber-criminals increasingly employ "MFA bypass kits" to exploit the growing adoption of MFA as a security measure. Examples of such kits include EvilProxy, the W3LL panel (a private phishing kit), and Evilginx (open source and known as a penetration testing utility for this style of attack). All of these create deceptive log-in pages that capture a user’s credentials while passing them to the real service the user is attempting to log in to.
Even worse, in the presence of these kits, the user’s session token is hijacked and can then be used by attackers to log in to the service as the user, bypassing MFA entirely. Protecting against these attacks can be challenging: they are difficult to detect, and because the fake page is relaying traffic to the authentic website, everything the target sees is designed to put them at ease.
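The hijack described above leaves one trace a defender can look for: the session token completes MFA from one client and is then presented from another. The following is an added example (not code from the article or from Hornetsecurity) that runs a simple check over constructed sign-in log lines. The log format, the field names, the user names, and the addresses (RFC 5737 documentation ranges) are all assumptions made for the illustration.

```python
"""Flag session tokens used from a different client than the one that completed MFA.

A coarse indicator of adversary-in-the-middle session replay: the phishing
proxy completes the login and MFA on the victim's behalf, then the captured
token is reused from the attacker's own machine.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    kind: str          # "mfa_success" or "session_use"
    user: str
    session_id: str
    src_ip: str
    user_agent: str


def parse_line(line: str) -> AuthEvent:
    """Parse one constructed, pipe-delimited log line: ts|kind|user|session|ip|ua."""
    ts, kind, user, sid, ip, ua = (f.strip() for f in line.split("|"))
    return AuthEvent(datetime.fromisoformat(ts), kind, user, sid, ip, ua)


def find_session_replays(lines):
    """Return one finding per session_use whose client differs from the MFA client.

    The session is "bound" to the source IP and user agent seen at the moment
    MFA succeeded; any later use that does not match both is reported.
    """
    bound = {}       # session_id -> AuthEvent that completed MFA
    findings = []
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    for ev in events:
        if ev.kind == "mfa_success":
            bound[ev.session_id] = ev
            continue
        if ev.kind != "session_use" or ev.session_id not in bound:
            continue
        origin = bound[ev.session_id]
        mismatches = []
        if ev.src_ip != origin.src_ip:
            mismatches.append("src_ip")
        if ev.user_agent != origin.user_agent:
            mismatches.append("user_agent")
        if mismatches:
            findings.append({
                "user": ev.user,
                "session_id": ev.session_id,
                "mfa_client": (origin.src_ip, origin.user_agent),
                "replay_client": (ev.src_ip, ev.user_agent),
                "seconds_after_mfa": (ev.ts - origin.ts).total_seconds(),
                "mismatches": mismatches,
            })
    return findings


# Constructed sample log: alice's token is replayed from a new address and a
# scripted client 90 seconds after MFA; bob's session stays on the same client.
SAMPLE_LOG = """
2024-03-04T09:00:00|mfa_success|alice|s-alice-1|198.51.100.7|Mozilla/5.0 (Windows NT 10.0) Firefox/123.0
2024-03-04T09:00:12|session_use|alice|s-alice-1|198.51.100.7|Mozilla/5.0 (Windows NT 10.0) Firefox/123.0
2024-03-04T09:01:30|session_use|alice|s-alice-1|203.0.113.42|python-requests/2.31
2024-03-04T09:05:00|mfa_success|bob|s-bob-1|192.0.2.55|Mozilla/5.0 (Macintosh) Safari/605.1
2024-03-04T09:06:00|session_use|bob|s-bob-1|192.0.2.55|Mozilla/5.0 (Macintosh) Safari/605.1
""".strip().splitlines()


if __name__ == "__main__":
    for f in find_session_replays(SAMPLE_LOG):
        print(f)
```

A source-address change on its own is weak evidence (mobile carriers and VPNs move users between addresses constantly), so treat a hit as a trigger for a step-up prompt or token revocation, not as proof of compromise. A changed user agent within seconds of MFA, as in the constructed alice case, is the stronger of the two signals.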
Threat actors often use such bypass kits to compromise LinkedIn accounts, enabling them to impersonate trusted business connections. Brand impersonations are also commonplace with these kits. Research by Hornetsecurity’s Security Lab found that some of the top impersonated brands were leading e-commerce or delivery sites, such as DHL, Amazon, and FedEx - although LinkedIn also accounted for 2.4% of recorded impersonations.
MFA fatigue attacks
There’s another type of bypass attack gaining traction - MFA fatigue attacks. In these instances, threat actors take advantage of a user’s frustration with multiple MFA prompts for different platforms. This weariness may lead users to become less vigilant and more susceptible to phishing scams, clicking malicious links, or unintentionally revealing sensitive information.
Recently, MGM and Caesar’s casinos fell victim to MFA attacks through similar uses of social engineering. In the MGM case, the Scattered Spider group used a phone call to trick a help desk representative into resetting the company’s MFA methods, leading to data exfiltration and a ransomware attack. MGM chose not to pay the ransom, but Caesar’s, compromised through a third-party IT service provider’s breach, negotiated a $15 million payout to threat actors, indicating that MFA attackers can exploit both human and machine failings.
The growing role of AI in MFA attacks
Threat actors are leveraging AI for even more sophisticated MFA attacks. The development of Dark Web variants of popular large language models (LLMs) like ChatGPT, such as DarkBERT and WormGPT, points towards a future where novice threat actors can automate various and authentically staged cyber-attacks. The ability for hackers to credibly translate text into other languages also opens new geographical markets for criminals, particularly in relation to countries that aren’t necessarily used to phishing attacks, for example.
There is also the question of how sophisticated deepfakes will become and what role they will play in attacks on biometric MFA. These spoofing attacks involve replicas or imitations of an individual’s biometric details, whether through fingerprint replications, voice recordings, or even 3D facial masks. Advanced spoofing techniques will be a challenge to biometric MFA systems as AI continues to develop.
However, AI is also being used for good. Security experts and vendors are incorporating generative AI in defensive toolkits. Notably, AI organisations like OpenAI have initiated grant programs designed to assist cyber-security organisations to “AI-Enable” their offerings.
This shift is anticipated to manifest in various applications, such as the use of AI for outlier detection, log analysis, simulated attacks (as detailed in Hornetsecurity’s Cyber Security Report 2024), and threat modelling.
Cyber-security hygiene is essential
The majority of breached businesses do not succumb to an obscure zero-day exploit (a software or hardware vulnerability that the business first learns of at the point of attack) or an advanced hacking technique.
Instead, their defences falter due to the absence of robust authentication (preferably MFA with phish-resistant hardware), the allowance of simple passwords, the assignment of users as local administrators on their devices, or the lack of employee training to instil caution when clicking on links in emails.
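The reason phish-resistant MFA is singled out above is that a FIDO2/WebAuthn authenticator signs over the origin the browser is actually visiting, so a relaying proxy on a look-alike domain produces an assertion the real service rejects, whereas a one-time code can simply be forwarded. The following is an added example (not code from the article or from Hornetsecurity) that contrasts the two checks. The HMAC stands in for the authenticator's public-key signature, and the relying-party domain and the look-alike domain are constructed for the illustration.

```python
"""Why origin-bound MFA survives a relaying proxy and a relayed OTP does not.

Simplified model of the WebAuthn assertion flow: the authenticator signs the
client data, which includes the origin the browser is really connected to, and
the relying party (RP) checks that origin against its own before trusting the
signature. HMAC with a shared key is a stand-in for the real public-key signature.
"""
import hashlib
import hmac
import json
import secrets

RP_ORIGIN = "https://login.example.com"            # constructed relying party
PROXY_ORIGIN = "https://login.example-com.test"    # constructed look-alike domain


def authenticator_sign(key: bytes, challenge: bytes, visited_origin: str) -> dict:
    """Stand-in for the authenticator: sign client data that names the visited origin.

    The browser, not the web page, supplies the origin, so a convincing fake page
    cannot change what gets signed.
    """
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge.hex(), "origin": visited_origin},
        sort_keys=True,
    ).encode()
    sig = hmac.new(key, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return {"client_data": client_data, "signature": sig}


def rp_verify(key: bytes, expected_challenge: bytes, assertion: dict):
    """Relying-party check. Returns (accepted, reason)."""
    data = json.loads(assertion["client_data"])
    if data.get("type") != "webauthn.get":
        return False, "unexpected client data type"
    if data.get("challenge") != expected_challenge.hex():
        return False, "challenge mismatch"
    if data.get("origin") != RP_ORIGIN:
        # This is the check a relaying proxy cannot satisfy: the victim's browser
        # was talking to the proxy's domain, and that is what got signed.
        return False, "origin mismatch: %s" % data.get("origin")
    expected = hmac.new(key, hashlib.sha256(assertion["client_data"]).digest(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def otp_verify(expected_code: str, presented_code: str) -> bool:
    """A one-time code carries no origin, so the RP has nothing to bind it to."""
    return hmac.compare_digest(expected_code, presented_code)


def run_comparison():
    """Return (legit_webauthn, proxied_webauthn, proxied_otp_accepted)."""
    key = secrets.token_bytes(32)
    challenge = secrets.token_bytes(32)

    # User visits the real site: origin matches, assertion accepted.
    legit = rp_verify(key, challenge, authenticator_sign(key, challenge, RP_ORIGIN))

    # User visits the proxy: the proxy relays the RP's real challenge, but the
    # browser signs PROXY_ORIGIN, so the RP rejects it.
    proxied = rp_verify(key, challenge, authenticator_sign(key, challenge, PROXY_ORIGIN))

    # With an OTP the proxy just forwards whatever the user typed.
    code = "482913"                        # constructed code the RP is expecting
    relayed_otp = otp_verify(code, code)    # proxy forwards the same digits

    return legit, proxied, relayed_otp


if __name__ == "__main__":
    legit, proxied, relayed_otp = run_comparison()
    print("real site, WebAuthn:", legit)
    print("via proxy, WebAuthn:", proxied)
    print("via proxy, OTP accepted:", relayed_otp)
```

The origin check is performed by the service, not the user, which is why this class of MFA resists even a perfectly convincing phishing page; it does nothing, however, against the help-desk reset path described in the MGM case, where the authenticator itself is replaced.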
To curb the escalating trend of MFA-related attacks, businesses must prioritise robust security measures. Implementing a balanced security strategy, fostering a culture of cyber-resilience, and staying vigilant against evolving attack methods are key steps in safeguarding.
Business leaders should set an example by participating in training that raises awareness of different attack methods and scrutinise any areas of vulnerability to avoid falling victim to malicious, ever-changing MFA-based tactics.
Matt Frye is Head of Education at Hornetsecurity
© 2024, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543