Regardless of the industry, multi-factor authentication is no longer optional. Prior to the broad adoption of MFA, those without it often found themselves as targets of cyberattacks. Now that hackers expect organizations to have MFA, it alone is no longer a deterrent. As MFA becomes more popular, the demand for ways to bypass it has skyrocketed.
As MFA increases in popularity, so has the demand for technology to bypass it. In the last year alone there has been a boost in tactics used to overcome multi-factor authentication. Prompt Bombing is a tactic that has been widely used recently and is a form of social engineering that leverages annoyance, fear, and trickery to gain access to target accounts.
Prompt bombing attacks literally bombard targeted accounts with countless MFA push notifications. To ensure that the notifications are as inconvenient as possible, they are usually at a strategic time like the middle of the night. This strategy is to frustrate users who are already caught off guard in the hopes that they will do anything to stop the middle of the night annoyance, and typically that means approving the MFA challenge-response. Once this happens, it opens the door for hackers to register their own devices as the MFA of choice for future logins, which grants them unlimited access to the targeted account.
Another way that hackers are bypassing conventional MFA solutions is by using Man-in-the-Middle tool kits. MitM phishing toolkits are one of the most recent evolutions of 2FA phishing tools. MitM toolkits function similarly to real-time phishing toolkits but do not need a human operator since everything is automated through a reverse proxy.
Similarly, a more recent phishing tactic we are seeing is Adversary-in-the-Middle. AitM attacks are phishing emails that typically include an HTML attachment that look like a voice memo. When the individual opens the attachment, their browser is redirected to a site that eventually leads to a fake login site. When the target enters their credentials on the phishing site, they are actually entering legitimate account credentials that would allow the actual account to be compromised. This means that the phishing page was functioning as an AitM agent, intercepting the whole authentication process and necessary data from the HTTP requests. This included passwords and, more importantly, session cookies. Once the cookies were obtained, the attacker was able to inject them into the browser allowing them to bypass the MFA process.
As a whole, the security industry has known that as security measures like MFA became foundational, threat actors would find a way to circumvent it. So, that leaves the question of what happens if the user does everything right? What if they didn’t give in to the 2 am push notifications, and they know not to click on strange email attachments? How can an organization protect itself from a threat that is seemingly invisible and no one's fault?
The solution to evolving threats is evolving security. While most MFA solutions currently on the market are solid MFA products, the reality is that threat actors' technology is evolving faster. While attacks like AitM do involve some user error, the fact that they are able to bypass the MFA challenge-response entirely is problematic, to say the least.
The solution to this is clear: deploy continuous MFA that recognizes the moment an account has been compromised. If the attacker doesn’t have the Twosense agent, their authentication goes no further. If the attacker is using RDP to access the compromised user’s machine, the behavioral mismatch will be identified and action can be taken.
Assuming that traditional MFA is an antidote to sophisticated attacks simply isn’t working anymore - organizations have to adopt a newer and even stricter “zero trust” posture where the assumption is that attackers can pass MFA challenges one way or another.