Data breaches continue to plague organizations, with the majority originating from the theft of user credentials through phishing and smishing attacks. The results of such breaches can be catastrophic.
Armed with genuine credentials, bad actors can gain access to your account, business applications, data, email, and more. The era of cloud computing has only accentuated these threats.
In the ongoing arms race between bad actors and cybersecurity teams, organizations must remain vigilant, adaptive, and proactive in implementing advanced security measures to stay one step ahead of evolving threats.
Multi-factor authentication (MFA) has emerged as a vital defense mechanism. However, cybercriminals are not known for sitting on their laurels, and they continually devise new tactics to undermine the effectiveness of MFA.
One serious and emerging threat is the use of Adversary-in-the-Middle (AiTM) attacks. Here we look at why MFA is important and why organizations need to be aware of how it can be circumvented in the face of increasing AiTM attacks.
MFA has become one of the foundational layers of modern cyber security. It provides an essential element to prevent unauthorized access to sensitive information, hardware devices, and business applications.
The requirement of an additional factor beyond just a basic username and password is instrumental in substantially mitigating the risk of your account being compromised. Among the most common forms of MFA are:
The widespread adoption of MFA demonstrates its significance. A recent survey has shown that 50% of them now use MFA as part of their security stack.
This is despite many employees and customers considering MFA nothing more than a nuisance. Education is an important factor in redressing this bias.
While MFA certainly adds an essential security element, there is no such thing as absolute security, and if cybercriminals do manage to bypass MFA, they can do untold damage.
Unfortunately, they now have the tools in their arsenal to do just that. This makes it crucial for organizations to continually adapt and implement comprehensive security measures to counter these ever-evolving threats.
With more organizations turning to MFA to protect their systems, cybercriminals have reacted with a series of tactics to bypass MFA and gain access to sensitive information and business systems.
Among the common techniques being implemented to bypass MFA are:
To be clear, these represent only a few of the sophisticated methods being used to circumvent MFA. Others include biometric spoofing, credential stuffing, and data interception.
However, one threat is becoming increasingly prevalent. Adversary-in-the-Middle (AiTM) attacks are a burgeoning threat that organizations need to be aware of.
One key tactic cybercriminals use to bypass MFA security is AiTM attacks. This is a sophisticated method that, if care is not taken, can easily bypass MFA security.
Below is a description of how a typical AiTM works to bypass MFA.
1. Initial phishing or smishing attack: The attack is usually initiated by a phishing or smishing attack that sends malicious links via email or another communication channel.
2. Redirecting to a server: Rather than taking the victim to a fake login page, the attacker directs them to a server under his or her control. This acts as a reverse proxy and remains invisible to the user.
3. Login request forwarded to legitimate site: The attacker’s server transparently forwards the victim’s login request to the legitimate website. The user, unaware of anything out of the ordinary, enters their login credentials, potentially including any MFA codes. The attacker intercepts and records these.
4. Stealing the authentication cookie: When the target successfully logs in, the attacker’s server takes the authentication cookie that the real website made. This is a unique identifier that allows access to the compromised account.
5. The attacker gains unrestricted access: Once the cookie is acquired, it can be injected into a browser, which can then be used to grant the attacker unrestricted access to the compromised account without the need for further authentication.
It is important to note that these steps may vary slightly depending on the specific implementation and techniques employed by the attacker.
Organizations must remain vigilant and implement robust security measures to mitigate the risks associated with AiTM attacks. The importance of educating users about this threat cannot be overemphasized.
Recently, there have been multiple reports of successful AiTM attacks. Microsoft reported a recent attack that targeted over 10,000 organizations, and many of these were successful.
To compound matters further, attackers now have a wide range of tools that facilitate the easy launch of AiTM attacks. Amongst them are Modlishka, Necrobrowser, Evilginx2, and Evilproxy, among others.
AiTM attacks are just one way that cybercriminals are bypassing MFA security procedures. Organizations must take steps to nullify this emerging and rapidly evolving threat.
It is necessary to implement and support robust security measures that cover all user devices, including mobile devices, by educating users about the nature of threats.
These measures need to protect against phishing attacks across all communication platforms.Monitoring email channels is no longer enough.
Organizations need to deploy anti-phishing measures on all communication channels, including SMS, WhatsApp, Messenger, and any other communication channels used by staff.
Only by taking a comprehensive approach to education and vigilance can organizations effectively mitigate the risks associated with emerging threats like AiTM attacks.
The VIPKeyLogger infostealer, exhibiting similarities to the Snake Keylogger, is actively circulating through phishing campaigns. …
INTERPOL has called for the term "romance baiting" to replace "pig butchering," a phrase widely…
Cybersecurity experts are sounding the alarm over a new strain of malware dubbed "I2PRAT," which…
A new cyber campaign by the advanced persistent threat (APT) group Earth Koshchei has brought…
Recent research has linked a series of cyberattacks to The Mask group, as one notable…
RiseLoader, a new malware family discovered in October 2024, leverages a custom TCP-based binary protocol…