Multi-Factor Authentication: How Attackers Still Exploit It

Overview

Over the past years, we’ve urged companies to start using Multi-factor authentication (MFA) – and many have followed through. Unfortunately, we have a long way to go.

The Good News

MFA protects by adding a layer of security using an out-of-band authentication step, making it harder for attackers to gain access to an organization. Not to mention, it keeps security top-of-mind for users, since they’re notified during each authentication.

I most commonly see MFA deployed on services such as:

• Virtual Private Network (VPN) solutions like Cisco, Palo Alto, Fortinet and Juniper
• Email, including Outlook Web Applications and other webmail solutions
• Remote workstation solutions like RDP and Citrix Virtual Apps

The Bad News

As beneficial as MFA is, I’m seeing a problem with its implementation.

Attackers can abuse additional login portals to discover valid credentials and compromise systems.

The primary issue: Companies aren’t using MFA across the board. For example, you may require MFA when logging into webmail, but not when users log in with VPN. If you end up overlooking less-common authentication endpoints, you are putting your company at risk.

It’s best to implement MFA company-wide, even if it requires more work and investment. Compromised credentials mean bigger issues for your company in the long run (stolen data and costly bills for expensive “clean-up” following a breach).

Half-hearted MFA: How it goes wrong

To help you better understand what’s at stake, I’ve outlined an example of what can happen when you don’t use multi-factor authentication across the board. Below, you’ll see an Outlook login protected with MFA — so far, so good.

To log in, users must enter their username and password along with a token, which seems safe. But an attacker looking at this Outlook web application sees the company exposes an Exchange ActiveSync endpoint in addition to the Outlook login page.

The attacker knows they can gain entry using brute-force attacks, and sometimes without triggering account lockouts or requiring MFA. Brute-force attacks work to guess a user’s password by assuming the use of common passwords such as Summer2020 or Password1.

Here’s a look from some of our continuous penetration testing, using credentials to log in to Exchange ActiveSync without MFA:

When an attacker successfully guesses the password, the password is used to read the contents of the user’s inbox. An attacker can then gain additional information to use in future attacks, such as VPN configuration files and shared accounts.

When attackers get their hands on credentials, your company is their oyster. They can do all kinds of damage: stolen credentials can be used to fuel more complex social engineering, exploit vulnerabilities that require authentication and to steal other users’ credentials.

8 tips for fixing MFA gaps

To prevent this from happening, I’ve outlined some steps you can take to make sure your company uses a MFA properly.

• Discover all external logins at your company. Ones that grant remote access take priority when implementing MFA and when disabling or implementing additional security controls.
• Choose an MFA solution you can implement across all of your high-risk assets.
• Disable any Exchange or OWA services you don’t use (IMAP, ActiveSync, etc.).
• When implementing MFA, force all users to enroll within a short timeframe. Accounts with incomplete (self) enrollment are at risk of attackers enrolling on their behalf.
• Audit all endpoints for misconfigured authentication.
• Implement additional security controls, if needed, to protect against brute-force attacks and username enumeration.
• Continuously audit these endpoints, using Continuous Penetration Testing, to ensure updated techniques can’t bypass MFA.
• Require users to connect to the organization's network prior to connecting to company resources.

Still have questions? Want to dive deeper?

Give us a call or email us at contact@sprocketsecurity.com