Microsoft: Hackers are using this 'worrying' tactic to dodge multi-factor authentication

Microsoft: Hackers are using this ‘worrying’ tactic to dodge multi-factor authentication

Hands typing on a computer with other electronic devices on the table

Microsoft has outlined several mitigations to protect against multi-factor authentication attacks that will unfortunately make life harder for your remote workers.

Three years ago, multi-factor authentication (MFA) attacks were so rare that Microsoft didn’t have decent statistics on them, largely because few organizations had MFA enabled.

But with the rise in the use of MFA as password attacks become more common, Microsoft has seen an increase in the number of attackers using token theft in their attempts to circumvent MFA.

In these attacks, the attacker compromises a token issued to someone who has already completed MFA authentication and replays that token to access it from another device. Tokens are at the heart of OAuth 2.0 identity platforms, including Azure Active Directory (AD), which aim to make authentication simpler and faster for users, but in a way that remains resistant to attack. by password.

Also: Cybersecurity Jobs: Five Ways to Help You Build Your Career

Additionally, Microsoft warns that token theft is dangerous because it does not require high technical skills, detection is difficult, and since the technique has only recently seen an increase, few organizations have measures in place. attenuation.

“Recently, Microsoft’s Detection and Response Team (DART) has seen an increase in attackers using token theft for this purpose,” Microsoft says in a blog post.

“By compromising and replaying a token issued to an identity that has already completed multi-factor authentication, the threat actor satisfies MFA validation and access is granted to organizational resources accordingly. This poses a tactic concerning for defenders because the expertise needed to compromise a token is very low, difficult to detect, and few organizations have token theft mitigation measures in their incident response plan.”

When accessing web applications protected by Azure AD, the user must present a valid token, which they can obtain after logging into Azure AD using their credentials. Administrators can set a policy to require MFA to log into an account from a browser. The token issued to the user is presented to the web application, which validates the token and opens access.

“When the user is phished, the malicious infrastructure captures both the user’s credentials and the token,” Microsoft explains.

If the credentials and token are stolen, the attacker can use them for many attacks. Microsoft highlights business email compromise, which is the leading cause of financial loss from cybercrime today.

Also: Spending on technology will increase next year. And that old favorite is still a top priority

Microsoft also warns against “pass-the-cookie” attacks, where an attacker compromises a device and extracts browser cookies that are created after authenticating to Azure AD from a browser. The attacker forwards the cookie to another browser on another system to bypass security checks.

“Users who access corporate resources on personal devices are at particular risk. Personal devices often have weaker security controls than corporate-managed devices, and IT personnel lack visibility into these devices to determine compromise,” Microsoft notes. This is a higher risk for remote workers who use personal devices.

To counter the threat of token theft attacks on MFA, Microsoft recommends shortening session and token lifetimes, although this comes at a convenience cost to the user. The mitigations include:

  • Reducing session lifetime increases the number of times a user is required to re-authenticate
  • Reducing the lifetime of a token forces threat actors to increase the frequency of token theft attempts
  • Microsoft recommends implementing Conditional Access App Control in Microsoft Defender for Cloud Apps for users connecting from unmanaged devices

Microsoft also recommends implementing FIDO2 security keys, Windows Hello for Business, or certificate-based authentication for users.

Users with high-level privileges, such as the global domain administrator, must have a separate cloud-only identity. This will help reduce the attack surface from on-premises to cloud if an attacker compromises on-premises systems. These identities should not be associated with a mailbox, Microsoft said.

“We recognize that while it may be advisable for organizations to apply location, device compliance, and session lifetime controls to all applications, this is not always practical,” Microsoft notes.

#Microsoft #Hackers #worrying #tactic #dodge #multifactor #authentication

Leave a Comment

Your email address will not be published. Required fields are marked *