Multi-Factor Authentication: How attackers still abuse these (often forgotten about) logins
Are you sure MFA is fully deployed in your environment?!
Overview
Over the past years, we’ve urged companies to start using Multi-factor authentication (MFA) – and many have followed through. Unfortunately, we have a long way to go.
The Good News
MFA protects by adding a layer of security using an out-of-band authentication step, making it harder for attackers to gain access to an organization. Not to mention, it keeps security top-of-mind for users, since they’re notified during each authentication.
I most commonly see MFA deployed on services such as:
- Virtual Private Network (VPN) solutions like Cisco, Palo Alto, Fortinet and Juniper
- Email, including Outlook Web Applications and other webmail solutions
- Remote workstation solutions like RDP and Citrix Virtual Apps
The Bad News
As beneficial as MFA is, I’m seeing a problem with its implementation.
Attackers can abuse additional login portals to discover valid credentials and compromise systems.
The primary issue: Companies aren’t using MFA across the board. For example, you may require MFA when logging into webmail, but not when users log in with VPN. If you end up overlooking less-common authentication endpoints, you are putting your company at risk.
It’s best to implement MFA company-wide, even if it requires more work and investment. Compromised credentials mean bigger issues for your company in the long run (stolen data and costly bills for expensive “clean-up” following a breach).
Half-hearted MFA: How it goes wrong
To help you better understand what’s at stake, I’ve outlined an example of what can happen when you don’t use multi-factor authentication across the board. Below, you’ll see an Outlook login protected with MFA — so far, so good.
To log in, users must enter their username and password along with a token, which seems safe. But an attacker looking at this Outlook web application sees the company exposes an Exchange ActiveSync endpoint in addition to the Outlook login page.
The attacker knows they can gain entry using brute-force attacks, and sometimes without triggering account lockouts or requiring MFA. Brute-force attacks work to guess a user’s password by assuming the use of common passwords such as Summer2020 or Password1.
Here’s a look from some of our continuous penetration testing, using credentials to log in to Exchange ActiveSync without MFA:
When an attacker successfully guesses the password, the password is used to read the contents of the user’s inbox. An attacker can then gain additional information to use in future attacks, such as VPN configuration files and shared accounts.
When attackers get their hands on credentials, your company is their oyster. They can do all kinds of damage: stolen credentials can be used to fuel more complex social engineering, exploit vulnerabilities that require authentication and to steal other users’ credentials.
8 tips for fixing MFA gaps
To prevent this from happening, I’ve outlined some steps you can take to make sure your company uses a MFA properly.
- Discover all external logins at your company. Ones that grant remote access take priority when implementing MFA and when disabling or implementing additional security controls.
- Choose an MFA solution you can implement across all of your high-risk assets.
- Disable any Exchange or OWA services you don’t use (IMAP, ActiveSync, etc.).
- When implementing MFA, force all users to enroll within a short timeframe. Accounts with incomplete (self) enrollment are at risk of attackers enrolling on their behalf.
- Audit all endpoints for misconfigured authentication.
- Implement additional security controls, if needed, to protect against brute-force attacks and username enumeration.
- Continuously audit these endpoints, using Continuous Penetration Testing, to ensure updated techniques can’t bypass MFA.
- Require users to connect to the organization's network prior to connecting to company resources.
Still have questions? Want to dive deeper?
Give us a call or email us at contact@sprocketsecurity.com
Download our free white paper, "Top-5 Ways Hackers Break Into Your Network" to go deeper, and get actionable steps your team can implement today.
Nicholas Anastasi
Sr. Penetration Tester
Nicholas Anastasi started his career in cybersecurity at Sprocket and hasn't looked back. Continuous Penetration Testing is all he knows and during his day to day he leads the penetration testing team, writes a ton of Python and works tirelessly to improve the CPT process. In his free time, Nicholas enjoys running, eating too much candy and developing on his homelab.
Nicholas and the rest of the team are dedicated to making sure our clients continuously maintain a strong security posture. If you are interested in talking with Nicholas about our services, reach out today!
Further Reading
Explore Related Content.
How to limit cleartext password storage and fix the issue in your organization
The key to our engagements often and unfortunately involve the discovery of credentials on internal network file shares. We’re going to show you how we find cleartext password storage problems and how to address them. read more →
Read moreContinuous Human & Automated Security
The Expert-Driven Offensive
Security Platform
Continuously monitor your attack surface with advanced change detection. Upon change, testers and systems perform security testing. You are alerted and assisted in remediation efforts all contained in a single security application, the Sprocket Platform.
Expert-Driven Offensive Security Platform
- Attack Surface Management
- Continuous Penetration Testing
- Adversary Simulations
