
Cisco Talos: How Threat Actors Target MFA


Multi-factor authentication (MFA) is a critical form of defense for organizations, and threat actors are recognizing that: According to the latest Cisco Talos Incident Response Quarterly Trends report, instances related to MFA were involved in some capacity in half of all security incidents that the Talos team responded to in the first quarter of 2024.

Hazel Burton with Cisco Talos talks about how threat actors are using targeted social engineering techniques to try to skirt by MFA, how phishing kits are increasingly incorporating MFA bypass tactics, and what businesses can do. Watch the video above or listen to the podcast here (MP3 download).

Below is a lightly edited transcript of the conversation.

Lindsey O'Donnell-Welch: This is Lindsey O'Donnell-Welch. I'm here today with Hazel Burton with Cisco Talos to talk about some of the key takeaways in the latest Cisco Talos Incident Response Quarterly Trends Report. Hazel, thanks so much for joining me today. How are you doing?

Hazel Burton: Thanks, Lindsey. I'm doing good. Thank you so much for asking me to do this. Always great to talk to you.

Lindsey O'Donnell-Welch: Yeah, you as well. And it's great to keep a finger on the pulse of what's going on. And Cisco does that a ton with these quarterly trends reports that come out. And this latest one is really interesting because it really takes stock of what we're seeing in terms of the threats that are hitting organizations from BEC to ransomware. But I thought that what was really unique were the findings around multifactor authentication and how different threat actors are targeting weaknesses in MFA.

Hazel Burton: So yeah, these quarterly trends are based on real incidents that our team have been called in to help out with. And in the latest report, we saw that getting up to half of the incidents involved MFA weaknesses in some sort of guise, whether that is a poor implementation or a lack of MFA solution across the board, not putting it on critical services, or not having it on unpatched devices. And then the other one, which is something that we have seen rise and is actually the number one security weakness for the last quarter, was users accepting fraudulent push notifications that originated from an attacker. So the user didn't generate the MFA requests, the attacker did, and they've clicked accept and that has paved the way for an attacker to enter the system.

And I guess we see this as a growing trend because attackers are really going after these credentials now. They would much rather log in to a system with valid account details than use an exploit because exploits can be a bit noisy. If you log in, it's more likely that they'll go under the radar, they'll get to a certain stage within the system, having escalated privileges, for example, and then they will deploy their attack, be it ransomware, whatever it is. So there's a strong connection between stolen credentials, the use of valid accounts and attackers really going after MFA, because MFA can be a huge barrier to attackers and organizations have done a fantastic job of implementing MFA over the years. So if it's a big barrier for attackers, they're going to throw everything they have at it. And that's what we're seeing in these incidents.

Lindsey O'Donnell-Welch: Yeah, I think you make a good point that I'm seeing on my end in the security news as well, which is threat actors trying to leverage identity-based tactics as much as they can and now incorporating MFA into that. And we've seen these MFA fatigue or push bombing attacks for a couple years now. But personally, I was pretty surprised by the extent to which these attacks seem to be popping up, as outlined in the report. Was that something that surprised you as well, and what have you been seeing in previous quarters?

Hazel Burton: Probably not surprised - we also just released a blog which contains some data from Cisco Duo’s AI and security research team, because I was really interested to see why so many of these incidents had MFA at the heart of them. So that team gave me some data that looked at their entire push spray attack dataset, which was over the course of almost a year.

Ninety-five percent of these push-spray attacks aren't successful; they get reported or ignored. Five percent are.

Now that might not seem like a big number, but for an organization, if just one gets through, that can be quite devastating. So yeah, we're certainly seeing these push-spray attacks continue to rise. But I think the more important point is how targeted the attackers are being. So we're seeing the attackers try and get people at the beginning of their day when they would normally log on to their systems and authenticate for the first time. That's when they're trying to put those fraudulent pushes in because then it comes with more context. We also saw a little rise in the early evening. Less clear cut about that one, but perhaps people are on their phones, catching up with social media, and an acceptance might sneak in there. So yeah, we're seeing attackers follow our normal working patterns, which is what they have done for many, many years. And this is why I think we need to be having these conversations: the installation of MFA in your organization is great, it's one of the best things that you could possibly do, but it's having that room for the fact that there might be users who do accept, by no fault of their own, these fraudulent pushes, having a plan in place to deal with that, looking at putting a challenge in place, so asking the users to input a number rather than just click accept or deny. Just having those extra things in place because we are seeing these - as I mentioned - attackers targeting MFA. As well, we're also seeing social engineering come back, calling up IT departments and saying, I've got a new device, could you enable MFA on my new device, please? And then that gets them into the system or potentially, and this is based on, again, incident response engagements, compromising a single endpoint, escalating their privileges, and then actually disabling the MFA from within. So it's just kind of looking at, “okay, we have MFA installed. It's not a silver bullet. Where are the potential weaknesses and where do we need to shore up our defenses and have that defense in depth come through?”

Lindsey O'Donnell-Welch: Right. And yeah, one part of the post that you wrote that I really loved was what you were talking about, kind of looking at those different metrics in terms of the time frame and the fact that these are happening between 8 and 9 a.m. Eastern time, when people are starting to log onto their phone, they're starting to check the news, they're starting to potentially be in a position where they're on their phone.

Hazel Burton: Yeah, exactly. People are busy. They have all sorts of things that they're thinking about when they're logging on. “What feedback is going to await me today when I check my emails?” They're not thinking about what an attacker would want with their device, with their data. It's not the first thing they think about. So that's what I was talking about at the beginning, attackers are trying to go under the radar, not be spotted, and no flags to be raised when they are gaining this initial access. The same is true with these push spray attacks. Can they do it, in context, under the radar, so that the user themselves don't go, “oh, whoops, I've accidentally let an attacker in.”

Lindsey O'Donnell-Welch: Yeah. If I woke up, you know, and had a notification at like 3 a.m. or something, I think very red flags would be raised instantly.

Hazel Burton: Yeah. I mean, that probably does still happen as well. We do still see some of these bombardments where you get 20, 30, 50 pushes and the easiest thing to do is go, fine. That's still very much the case as well.

Lindsey O'Donnell-Welch: Right, the psychology behind it all is so fascinating to me.

Hazel Burton: Yeah, the psychology from the attackers' perspective is how do I follow how people are working today? And how do I make sure that they don't spot anything amiss? And for the defenders, it's about what are the anomalies that I need to detect? What are the things that I need to have in place that will raise that red flag for further investigation? It's a cat and mouse game, it always has been.

Lindsey O'Donnell-Welch: That's very indicative of how some other attacks have played out even beyond this type of specific attack. You mentioned too using other sophisticated tactics, including social engineering to trick IT departments into adding new MFA-enabled devices. And do you see success with these other types of attacks in terms of how they play out, as opposed to doing more of the MFA fatigue route for attackers?

Hazel Burton: Yeah, it definitely depends on the attacker's aims and the organization they're going after. They have done presumably a lot of reconnaissance before they partake in the social engineering, so they may have used MFA scanners to see where the MFA is in place in an organization. They all have a good idea of what somebody has in place before they do the social engineering attacks. Again, they will try and go under the radar. But yeah, these have been popping up more and more in these incidents. So whether that be calling the IT department, maybe even compromising a temporary worker as well, or stolen authentication tokens from employees as well. There's just been a variety of ways. There's no single way that the attackers are trying to bypass MFA. It's multiple ways depending on what they have found in their reconnaissance period and they then choose the best course of action from there.

Lindsey O'Donnell-Welch: Looking ahead, how do you see attackers continuing to evolve their approach to MFA or their strategies around trying to bypass these really important protections?

Hazel Burton: Yeah, we're increasingly seeing the commercialization of cybercrime and more tools appearing on the market that do things as a service. We've been writing about these phishing-as-a-service tools. And we have seen in recent times, some of those phishing-as-a-service tools actually come with MFA bypass capabilities within them. So if an attacker were to use this tool and they discover that the organization, the target organization does have MFA, then there is part of this tool that can help them overcome that significant barrier. Attackers are looking at ways that they can use social engineering to try and persuade organizations to do something that they wouldn't normally. But there are also new tools popping up in the market where they can - if they don't have the necessary skills, the technical skills, or perhaps even the social engineering skills - there might be a tool that somebody else has built that they can take advantage of and use there. So yeah, we're seeing that pop up more and more. That's probably a trend that people need to be aware of, these new sort of developments in the tool sets.

Lindsey O'Donnell-Welch: I think what sticks out to me is that MFA is inherently a very necessary thing for organizations. And like you said, though, nothing is a silver bullet. And this is just another example of you know there being a defense and threat actors saying, OK, I want to figure out how to bypass that or figure out.

Hazel Burton: Yeah, but what I don't want people to take away from this video is, well, MFA seems very dangerous now, so I'm not going to install it. That is possibly one of the worst things that you could do because the attackers will know if you don't have MFA and then it's just a walk in the park for them. What I want people to take away is how secure at the moment is the MFA that we have? How robust is it? And do we have it on some of our critical services? Maybe let's just kind of test that and see if there is anything that we can do to shore up those defenses and maybe have some education for our employees as well, specifically for the IT department: if this kind of social engineering attack takes place, here are the things that you should do to escalate that from a user perspective. Also making people aware that there may be attempts to send these fraudulent pushes to their work-enabled devices.

Lindsey O'Donnell-Welch: Hazel, any other takeaways that you think we should highlight in the report regarding MFA or other types of threats you're seeing?

Hazel Burton: The one thing to mention is there are sometimes legitimate cases where MFA simply cannot be enabled. There are certain circumstances where it's the case. So under those circumstances, have a robust access policy in place, or whenever MFA can't be done there are also security keys. These are the hardware devices that you can get, which require a PIN. So if MFA isn't the right sort of answer for certain aspects of your organization, there are other ways that you can really concentrate on getting that identity context in place, knowing where people are logging in, how they're logging in, and if there's anything unusual about that, a process in place for what to do to highlight that.