Multi-Factor Authentication: The Threat of Adversary-in-the-Middle Attacks

Data breaches continue to plague organizations, with the majority originating from the theft of user credentials through phishing and smishing attacks. The results of such breaches can be catastrophic.

Armed with genuine credentials, bad actors can gain access to your account, business applications, data, email, and more. The era of cloud computing has only accentuated these threats.

In the ongoing arms race between bad actors and cybersecurity teams, organizations must remain vigilant, adaptive, and proactive in implementing advanced security measures to stay one step ahead of evolving threats.

Multi-factor authentication (MFA) has emerged as a vital defense mechanism. However, cybercriminals are not known for sitting on their laurels, and they continually devise new tactics to undermine the effectiveness of MFA.

One serious and emerging threat is the use of Adversary-in-the-Middle (AiTM) attacks. Here we look at why MFA is important and why organizations need to be aware of how it can be circumvented in the face of increasing AiTM attacks.

The Importance of Multi-Factor Authentication

MFA has become one of the foundational layers of modern cyber security. It provides an essential element to prevent unauthorized access to sensitive information, hardware devices, and business applications.

The requirement of an additional factor beyond just a basic username and password is instrumental in substantially mitigating the risk of your account being compromised. Among the most common forms of MFA are:

• A one-time code sent to a trusted device
• Biometric input (fingerprint, facial recognition)
• Authenticator app or physical security device

The widespread adoption of MFA demonstrates its significance. A recent survey has shown that 50% of them now use MFA as part of their security stack.

This is despite many employees and customers considering MFA nothing more than a nuisance. Education is an important factor in redressing this bias.

While MFA certainly adds an essential security element, there is no such thing as absolute security, and if cybercriminals do manage to bypass MFA, they can do untold damage.

Unfortunately, they now have the tools in their arsenal to do just that. This makes it crucial for organizations to continually adapt and implement comprehensive security measures to counter these ever-evolving threats.

Emerging Tactics Being Used to Undermine Multi-Factor Authentication

With more organizations turning to MFA to protect their systems, cybercriminals have reacted with a series of tactics to bypass MFA and gain access to sensitive information and business systems.

Among the common techniques being implemented to bypass MFA are:

• SIM card swapping: Attackers perform SIM card swapping, redirecting one-time use passwords sent over SMS to a cloned SIM card, granting unauthorized access to accounts protected by MFA.
• Mobile malware: Cybercriminals employ mobile malware to capture authentication codes, compromising MFA-protected accounts and bypassing the additional security layer.
• Man-in-the-browser (MitB): With MitB attacks, malicious software infects a user’s browser, allowing cybercriminals to intercept and manipulate MFA prompts, collecting authentication information without the user’s knowledge.
• Social engineering: Cybercriminals use psychological manipulation to trick individuals into revealing their MFA credentials or authentication codes, circumventing the intended security measures.

To be clear, these represent only a few of the sophisticated methods being used to circumvent MFA. Others include biometric spoofing, credential stuffing, and data interception.

However, one threat is becoming increasingly prevalent. Adversary-in-the-Middle (AiTM) attacks are a burgeoning threat that organizations need to be aware of.

The Threat Posed by AiTM Attacks

One key tactic cybercriminals use to bypass MFA security is AiTM attacks. This is a sophisticated method that, if care is not taken, can easily bypass MFA security.

Below is a description of how a typical AiTM works to bypass MFA.

1. Initial phishing or smishing attack: The attack is usually initiated by a phishing or smishing attack that sends malicious links via email or another communication channel.

2. Redirecting to a server: Rather than taking the victim to a fake login page, the attacker directs them to a server under his or her control. This acts as a reverse proxy and remains invisible to the user.

3. Login request forwarded to legitimate site: The attacker’s server transparently forwards the victim’s login request to the legitimate website. The user, unaware of anything out of the ordinary, enters their login credentials, potentially including any MFA codes. The attacker intercepts and records these.

4. Stealing the authentication cookie: When the target successfully logs in, the attacker’s server takes the authentication cookie that the real website made. This is a unique identifier that allows access to the compromised account.

5. The attacker gains unrestricted access: Once the cookie is acquired, it can be injected into a browser, which can then be used to grant the attacker unrestricted access to the compromised account without the need for further authentication.

It is important to note that these steps may vary slightly depending on the specific implementation and techniques employed by the attacker.

Organizations must remain vigilant and implement robust security measures to mitigate the risks associated with AiTM attacks. The importance of educating users about this threat cannot be overemphasized.

Recently, there have been multiple reports of successful AiTM attacks. Microsoft reported a recent attack that targeted over 10,000 organizations, and many of these were successful.

To compound matters further, attackers now have a wide range of tools that facilitate the easy launch of AiTM attacks. Amongst them are Modlishka, Necrobrowser, Evilginx2, and Evilproxy, among others.

Education and Vigilance

AiTM attacks are just one way that cybercriminals are bypassing MFA security procedures. Organizations must take steps to nullify this emerging and rapidly evolving threat.

It is necessary to implement and support robust security measures that cover all user devices, including mobile devices, by educating users about the nature of threats.

These measures need to protect against phishing attacks across all communication platforms.Monitoring email channels is no longer enough.

Organizations need to deploy anti-phishing measures on all communication channels, including SMS, WhatsApp, Messenger, and any other communication channels used by staff.

Only by taking a comprehensive approach to education and vigilance can organizations effectively mitigate the risks associated with emerging threats like AiTM attacks.