Multi-Factor Authentication

Information

• Name: Multi-Factor Authentication

• ID: T1556.006

• Tactics: TA0006, TA0005, TA0003

• Technique: T1556

Introduction

Multi-Factor Authentication (MFA) represents an additional security layer designed to verify user identity by requiring multiple pieces of evidence (factors) prior to granting access. Within the MITRE ATT&CK framework, sub-technique T1556.006 specifically addresses adversary techniques aimed at compromising, bypassing, or otherwise manipulating MFA mechanisms. Attackers targeting MFA seek to circumvent authentication protections to gain unauthorized access to sensitive systems, resources, or data.

Deep Dive Into Technique

Attackers utilize various technical methods to manipulate or bypass MFA protections, including:

• MFA Prompt Bombing (MFA Fatigue): Attackers repeatedly trigger MFA notifications to users, hoping the victim will eventually approve the access request out of frustration or confusion.

• SIM Swapping Attacks: Attackers deceive mobile carriers into transferring a victim's phone number to a SIM card they control, allowing interception of SMS-based MFA codes.

• Social Engineering Attacks: Attackers impersonate trusted entities to trick users into sharing MFA codes or approving fraudulent MFA requests.

• Session Hijacking: Attackers steal authenticated session cookies or tokens, bypassing the need to perform MFA entirely.

• Man-in-the-Middle (MitM) Attacks: Attackers intercept and relay communications between users and authentication servers, capturing MFA tokens or session cookies.

• Exploiting Misconfigured MFA: Attackers exploit improperly configured MFA implementations, such as fallback authentication methods or incorrectly set up MFA bypass rules.

Real-world procedures often involve detailed reconnaissance and targeted phishing campaigns to gather user credentials and MFA information, followed by direct exploitation of identified vulnerabilities or weaknesses in MFA implementations.

When this Technique is Usually Used

Attackers commonly leverage MFA bypass techniques during various stages of an attack lifecycle, including:

• Initial Access Stage:

  • Phishing campaigns targeting credentials and MFA codes.

  • SIM swapping to intercept SMS-based MFA.

• Persistence Stage:

  • Session hijacking to maintain persistent access without re-authentication.

  • MFA prompt bombing to trick users into providing persistent access.

• Privilege Escalation and Credential Access:

  • Exploiting poorly configured MFA systems to escalate privileges or access sensitive resources.

• Lateral Movement Stage:

  • Using compromised MFA credentials to authenticate to other systems or cloud resources within the victim's environment.

• Exfiltration Stage:

  • Leveraging compromised MFA credentials or sessions to access sensitive data repositories and perform data exfiltration.

How this Technique is Usually Detected

Detection strategies for MFA bypass techniques include:

• Monitoring MFA Logs and Events:

  • Analyzing authentication logs for suspicious or repeated MFA requests.

  • Identifying unusual authentication patterns or geographically improbable login attempts.

• Behavioral Analytics and Anomaly Detection:

  • Employing User and Entity Behavior Analytics (UEBA) tools to detect anomalous user behavior, such as unexpected login times, locations, or IP addresses.

• Session Monitoring and Analysis:

  • Monitoring for session reuse or simultaneous session initiation from multiple locations.

  • Identifying session cookies or tokens used from unexpected IP addresses or devices.

• Endpoint Detection and Response (EDR) Solutions:

  • Identifying malicious software or scripts potentially used to steal MFA tokens or session cookies.

• Network Traffic Analysis:

  • Detecting man-in-the-middle attacks by identifying unusual network traffic patterns or suspicious TLS certificates.

Indicators of Compromise (IoCs) specific to MFA bypass include:

• Multiple failed MFA attempts followed by successful authentication from unexpected locations.

• Sudden SIM card changes or mobile carrier activity without user authorization.

• Unusual login patterns indicating potential session hijacking or stolen cookies.

• Repeated MFA prompts sent to users in short intervals (indicative of MFA fatigue attacks).

Why it is Important to Detect This Technique

Early detection of MFA bypass attempts is critical due to severe potential impacts, including:

• Unauthorized Access: Attackers can gain unauthorized access to sensitive corporate resources, confidential data, or privileged accounts.

• Data Breach and Exfiltration: Successful MFA bypass can lead directly to data theft, intellectual property loss, or exposure of sensitive customer information.

• Privilege Escalation and Lateral Movement: Attackers may escalate privileges or move laterally within a network, significantly increasing the scope and impact of compromise.

• Reputation Damage: Organizations suffering MFA-related breaches face reputational damage, loss of customer trust, and potential regulatory penalties.

• Operational Disruption: MFA bypass attacks can disrupt normal operations, increase incident response costs, and negatively impact business continuity.

• Compliance Violations: Failure to protect MFA systems adequately can result in compliance violations, fines, and legal consequences.

Examples

Real-world examples illustrating MFA bypass techniques include:

• Uber MFA Fatigue Attack (2022):

  • Attack Scenario: Attacker repeatedly sent MFA push notifications to an Uber employee, eventually convincing them to accept the request.

  • Tools and Methods: MFA prompt bombing, social engineering.

  • Impact: Unauthorized access to internal systems, data exposure, significant reputational damage.

• Reddit Employee Account Compromise (2018):

  • Attack Scenario: Attackers performed a SIM-swapping attack on Reddit employees to intercept SMS-based MFA tokens.

  • Tools and Methods: SIM swapping, SMS interception.

  • Impact: Compromise of employee accounts, access to internal data, user data exposure.

• Twilio SMS Phishing Attack (2022):

  • Attack Scenario: Attackers used targeted phishing messages to trick Twilio employees into providing their MFA codes.

  • Tools and Methods: SMS phishing, credential harvesting, social engineering.

  • Impact: Unauthorized access to internal systems, compromise of customer data, downstream impacts on dependent services.

• Microsoft 365 Session Hijacking (Various incidents):

  • Attack Scenario: Attackers stole session cookies or tokens from compromised endpoints, bypassing MFA entirely.

  • Tools and Methods: Session cookie theft, malware deployment, credential extraction tools.

  • Impact: Unauthorized access to sensitive emails, documents, and other cloud resources.

These examples emphasize the critical importance of robust MFA implementations, user awareness training, and proactive monitoring to mitigate the risk of MFA bypass attacks.