Growing Role of MFA Bypass in Significant Attacks, Study Finds
In a recent report, Cisco Talos, the cybersecurity arm of Cisco Systems, has highlighted the common methods used by attackers to bypass multifactor authentication (MFA), a critical security measure designed to protect against unauthorised access.
According to the data released by Cisco Talos, MFA was involved in nearly half of all security incidents encountered by their incident response teams during the first quarter of the year. One out of every five engagements with Cisco Talos revealed that users did not properly implement MFA.
Attackers are leveraging several strategies to bypass MFA. One such method is session hijacking, where attackers steal session tokens or cookies to take over valid authenticated sessions, effectively circumventing MFA protections without needing to compromise the actual credentials again.
Another tactic involves attackers disabling or uninstalling MFA-related security applications on victims' machines using the Windows Management Instrumentation Command-line (WMIC) tool. This direct interference with the MFA infrastructure on the host weakens or removes the additional authentication barrier.
Sophisticated phishing tools like Evilginx have also been developed to perform man-in-the-middle attacks, intercepting both credentials and session tokens in real-time. This allows attackers to bypass traditional MFA methods such as SMS codes, authenticator push notifications, time-based one-time passwords (TOTP), and email verification.
In a quarter of the cases, incident responders dealt with fraudulent MFA push notifications that attackers had sent to users in the hope that one would be approved. Compromises of third-party contractors are also being used by attackers to get around MFA.
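As an added illustration that is not part of the Cisco Talos report or this article, the following Python sketch applies two defender-side heuristics to constructed sign-in log events: it flags a user who receives a burst of MFA push requests, as in the fraudulent-push cases just described, and it flags a session established after an MFA approval that is later used from a different source IP or user agent, as in the session hijacking described earlier. The event layout, thresholds and sample values are all assumptions.

```python
# Added example (not from the Cisco Talos report): two detection heuristics
# over constructed sign-in/session events for MFA push bombing and
# stolen-session reuse. Event layout and thresholds are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, user, event, session_id, src_ip, user_agent)
EVENTS = [
    ("2024-04-01T09:00:00", "alice", "mfa_push_sent", None, "203.0.113.5", "Mozilla/5.0 (Windows)"),
    ("2024-04-01T09:00:40", "alice", "mfa_push_sent", None, "203.0.113.5", "Mozilla/5.0 (Windows)"),
    ("2024-04-01T09:01:20", "alice", "mfa_push_sent", None, "203.0.113.5", "Mozilla/5.0 (Windows)"),
    ("2024-04-01T09:02:00", "alice", "mfa_push_sent", None, "203.0.113.5", "Mozilla/5.0 (Windows)"),
    ("2024-04-01T09:02:30", "alice", "mfa_push_approved", "sess-A1", "203.0.113.5", "Mozilla/5.0 (Windows)"),
    ("2024-04-01T09:10:00", "alice", "session_use", "sess-A1", "203.0.113.5", "Mozilla/5.0 (Windows)"),
    ("2024-04-01T09:12:00", "alice", "session_use", "sess-A1", "198.51.100.77", "curl/8.0"),  # same cookie, new origin
    ("2024-04-01T10:00:00", "bob", "mfa_push_sent", None, "192.0.2.10", "Mozilla/5.0 (Macintosh)"),
    ("2024-04-01T10:00:15", "bob", "mfa_push_approved", "sess-B1", "192.0.2.10", "Mozilla/5.0 (Macintosh)"),
    ("2024-04-01T10:30:00", "bob", "session_use", "sess-B1", "192.0.2.10", "Mozilla/5.0 (Macintosh)"),
]

PUSH_WINDOW = timedelta(minutes=5)   # assumed window for counting pushes
PUSH_THRESHOLD = 3                   # more pushes than this in the window is suspicious


def detect_push_fatigue(events, window=PUSH_WINDOW, threshold=PUSH_THRESHOLD):
    """Return the set of users who received more than `threshold` MFA pushes inside any `window`."""
    sent = defaultdict(list)
    for ts, user, ev, *_ in events:
        if ev == "mfa_push_sent":
            sent[user].append(datetime.fromisoformat(ts))
    flagged = set()
    for user, times in sent.items():
        times.sort()
        for i, start in enumerate(times):
            # sliding window anchored at each push: count later pushes within `window`
            if sum(1 for t in times[i:] if t - start <= window) > threshold:
                flagged.add(user)
                break
    return flagged


def detect_session_reuse(events):
    """Return (user, session_id) pairs where a session created at MFA approval
    is later presented from a different source IP or user agent."""
    origin = {}      # session_id -> (ip, user_agent) recorded at MFA approval
    flagged = set()
    for _, user, ev, sid, ip, ua in events:
        if ev == "mfa_push_approved" and sid:
            origin[sid] = (ip, ua)
        elif ev == "session_use" and sid in origin and origin[sid] != (ip, ua):
            flagged.add((user, sid))
    return flagged
```

Both checks are coarse by design; in a real deployment the origin comparison would also tolerate legitimate network changes (mobile roaming, VPN) and the push threshold would be tuned per tenant.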
Cisco Talos emphasises that an ideal MFA implementation uses an app-based push combined with a challenge question, rather than relying on passwords or other credentials that are easily guessed. Basic MFA with SMS-based notification, while the least secure option, is still better than no MFA at all, according to Nick Biasini, head of outreach at Cisco Talos.
The research underscores the need for additional protective measures addressing session security and endpoint integrity to bolster even sophisticated MFA deployments. As corporate stakeholders seek to better understand the risk calculus of their technology stacks, the question remains: Are we a target?
Cybersecurity specialists from Cisco Talos recommend an app-based push with a challenge question for MFA, as it provides a higher level of security than passwords or other credentials that are easily guessed.
In a quarter of the cases, attackers worked around MFA by sending fraudulent push notifications to victims, which highlights the need for additional protective measures such as session security and endpoint integrity.
Organisations running data and cloud services should treat Evilginx, a sophisticated phishing tool, as a threat capable of bypassing traditional MFA methods such as SMS codes, authenticator push notifications, TOTP and email verification.