Multi-Factor Authentication: Headache for Cyber Actors Inspires New Attack Techniques
Over the past few years, two-factor authentication or multi factor authentication has become highly popular and has been considered the best way to protect your personal and business accounts. This paved the way to wider adoption across all online accounts from corporate to social media profiles. When there is multifactor authentication in place it means it is no longer enough for the attackers to steal credentials or brute force. If they don’t possess the multi-factor access token or code of the user they will still not be able to gain entry into their accounts. But with years going on, attackers are making attempts to curb the second authentication method with the following methods.
Recent zero-day vulnerability in Pulse Secure VPN
The zero-day code vulnerability was exploited extensively along with Pulse Secure vulnerabilities, which is one of the initial vectors in multi-factor attacks. More than 12 malware families are said to be associated with an attack against the vulnerabilities in pulse secure. The malware was connected to three threat actors, with attacks housed in organizations in the U.S. and Europe. The UNC2630 activity exposed by FireEye showed that successful exploitation of this vulnerability in the VPN software paved the way for attackers to take over shared objects with malicious code and to disrupt credentials and bypass authentication flows, including 2FA requirements.
If an attacker finds a way to pass the VPN software - through such a vulnerability - it eliminates the need for them to gain anything more in the line of MFA.
Microsoft Exchange Server attacks
On March 2, on the identification of four zero-day vulnerabilities in the Microsoft Exchange Server, Microsoft launched emergency patches to avoid the vulnerability that was actively exploited by cyber-criminals in the wild. By the time Microsoft launched the patches, it became apparent that multiple threat actors had found their way in using these vulnerabilities. The number of threats increased rapidly once the presence of vulnerabilities came to the knowledge of the public.
Two of the vulnerabilities were named CVE-2021-26855 and CVE-2021-27065, and the technique used to combine the codes for exploitation gained the name “ProxyLogon”. Once these vulnerabilities are exploited successfully, it allows the attacker to launch arbitrary code on vulnerable Exchange Servers, and allows them to gain access to the system persistently, and also access to files and mailboxes stored on the server. It also provides the attackers access credentials on the system.
Successful exploitation of the vulnerabilities in the server also allows attackers to bypass trust and identity established over years in a vulnerable network. This provides the attackers extreme access to infected networks. This provides the attacker access to potentially highly sensitive information related to the victim’s organization without the requirement to bypass any multi-factor authentication system like 2FA. In various scenarios, the threat actors using these vulnerabilities were highly observed in stealing emails from the inboxes
The SolarWinds attacks saw the light in December 2020, and it has made the headlines since then. It saw the light with the U.S. recently announcing that it would implement strict sanctions against Russia to provide an apt response to SolarWinds breach, and also various other cyber-attacks. The prime aim of the SolarWinds attackers was to steal information, and compromise email.
Various multi-factor breaches are starting to appear with their extensive use. Though it is in the starting stage, it is better to select the best 2FA service providers.