Disabling Two-Factor SMS Codes to Avoid Interception
Recently, the research team over at Cylance released an interesting and detailed write-up on a persistent hacking operation targeting multiple targets in multiple countries, with a recent focus on Japanese critical infrastructure systems.
Known as Operation Dust Storm, the investigative report covers a lot of various indicators and interesting technical tidbits. Something that stood out to me when reading their report was the use of purposely-built Android trojans designed to forward SMS messages to the attacking group. From the Cylance report:
The group rapidly expanded their mobile operations in May 2015. The initial backdoors were relatively simple, and would continually forward all SMS messages and call information back to the C2 servers.
This made me wonder, did any of the target organizations use two-factor authentication, and, if they did, was it via SMS login codes? This presents an inherent problem with using SMS as an authentication method since there are numerous ways that one could intercept or obtain the SMS passcodes.
Users of Duo’s two-factor solution who are concerned about the security of using SMS passcodes can disable their use by following the directions outlined here and Duo Access customers will want to look here. Of course, the more secure two-factor option here is to use Duo’s Push technology and not SMS codes.
We do realize there are other two-factor solutions that utilize SMS login codes as their only option - how do you handle this particular threat? If your two-factor solution does not support an alternate method like Duo Push, there are very little options. One thing you can do is scan your authentication logs for unusual activity, or educate users to look out for odd or seemingly spurious activities surrounding SMS messages.
If you have the ability to restrict logins for accounts to specific ranges, such as only allowing authentication from US-based IP addresses only, this does help ever so slightly, although depending on the attack toolset and the attacker, they could launch an attack from a remote system that is within the specific range or meets enough criteria to get around restrictions.
What is the likelihood that you or your company will be impacted by this style of attack? Actually the odds are somewhat low, however, if you are unprepared for such an attack, the odds of it being successful become quite high.
These types of adversaries usually have deep pockets as far as fun tricks to attempt, and have a pretty good idea about what works and what doesn’t. While a rich two-factor authentication solution is an excellent defense, things like Android trojans that target SMS messages remind us that even rich solutions have to have the ability to adjust to a changing attack scenario. For any security product or solution you deploy, remember that the whole “set it and forget it” mentality no longer applies. Stay vigilant!