Multi-Factor Authentication Bypasses: What You Need To Know

From a cyber security standpoint, how secure can you claim to be? Some organisations are on the ball, deploying state-of-the-art firewalls and EDR and patching constantly. However, others may have strategies that leave a lot to be desired.

And, whilst we won't spend another blog post hammering cyber security stats (we already have a detailed cyber security blog section here), we'd like to bring something to your attention.

The Rise of MFA Bypasses

You may have read about the recent Twilio hack, which led to the leakage of 2FA codes and further highlighted the threat of cyber criminals in 2022 and beyond.

The cyber security company, Resecurity, identified a new Phishing-as-a-Service (PhaaS) called EvilProxy advertised on the Dark Web. 

In some sources, the alternative name is Moloch, which has some connection to a phishing kit developed by several notable underground actors who previously targeted financial institutions and e-commerce sectors.

Bypassing MFA

As an article from Resecurity states, EvilProxy actors are using reverse proxy and cookie injection methods to bypass 2FA by proxying a victim's session. Previously, such methods have been seen in targeted campaigns of APT and cyberespionage groups.

These methods have been successfully productised in EvilProxy, highlighting the significance of growth in attacks against online services and MFA mechanisms.

At Fifosys, our engineers could replicate the bypass, meaning organisations must be mindful that MFA is far from a catch-all solution. 
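
One defensive signal against the session-cookie reuse described above, as an added example that is not code from Resecurity or Fifosys: flag a session cookie that later appears from a different network or browser than the one it was first seen from. The event fields, sample records and function names are assumptions constructed for illustration.

```python
import ipaddress
from collections import namedtuple

# Hypothetical record shape: one row per request that presented a session cookie.
Event = namedtuple("Event", "ts user session_id ip user_agent")

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    Event(100, "alice", "s-1", "198.51.100.10", "Firefox/104"),
    Event(160, "alice", "s-1", "198.51.100.77", "Firefox/104"),  # same /24
    Event(200, "bob",   "s-2", "203.0.113.5",   "Chrome/105"),
    Event(260, "bob",   "s-2", "192.0.2.44",    "Chrome/105"),   # new network
    Event(300, "carol", "s-3", "192.0.2.9",     "Safari/15"),
    Event(330, "carol", "s-3", "192.0.2.9",     "curl/7.85"),    # new client
]

def network_of(ip, v4_prefix=24, v6_prefix=48):
    """Collapse an address to its surrounding network so small moves are tolerated."""
    addr = ipaddress.ip_address(ip)
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

def find_session_context_changes(events):
    """Return (session_id, user, ts, reasons) for each request whose network
    or user agent differs from the first sighting of that session cookie."""
    first_seen = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        ctx = (network_of(ev.ip), ev.user_agent)
        base = first_seen.setdefault(ev.session_id, ctx)
        reasons = []
        if ctx[0] != base[0]:
            reasons.append("network")
        if ctx[1] != base[1]:
            reasons.append("user_agent")
        if reasons:
            alerts.append((ev.session_id, ev.user, ev.ts, tuple(reasons)))
    return alerts

if __name__ == "__main__":
    for alert in find_session_context_changes(SAMPLE_EVENTS):
        print(alert)
```

Legitimate users also change networks and browsers, so a hit is better treated as a trigger for re-authentication than as proof of compromise. The check cannot see a cookie that is replayed from the same network and browser it was first seen from.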

EvilProxy

EvilProxy and its MFA-bypassing capabilities should be news enough to worry anyone.

Through its ongoing investigation into attacks against multiple employees of Fortune 500 companies, Resecurity obtained substantial knowledge about EvilProxy, including its structure, modules, functions, and the network infrastructure used to conduct malicious activity.

Early occurrences of EvilProxy were identified in connection with attacks against Google and MSFT customers who have MFA enabled on their accounts, either with SMS or an application token.

EvilProxy is, for all intents and purposes, a new threat. The first mention of the attack was detected in early May 2022, when the actors running it released a demonstration video. In this video, they highlighted how EvilProxy could deliver advanced phishing links, whilst compromising consumer accounts.

Whilst that may sound like nothing more than a generic threat, they demonstrated the capabilities on accounts for services/vendors such as Apple, Facebook, Google, Dropbox, Instagram, Microsoft, Twitter and Yahoo.

Another notable headline to emerge from their findings is that EvilProxy also supports phishing attacks against the Python Package Index (PyPI).

What is MFA?

Multi-factor authentication (MFA) is a cyber security strategy that uses more than one factor to authenticate a user. These factors can include but are not limited to a password and an access code. MFA uses these verification factors in combination or sequence.

The idea is that if an attacker can steal your password, they will also be required to compromise your second factor to gain access, strengthening the security of your account and making unauthorised access more difficult. 

However, not all users are comfortable with two-factor authentication schemes, and many industry analysts have suggested that this has led to declining adoption rates.

Is MFA vulnerable? 

As alluded to earlier, MFA is far from bulletproof. Attackers can bypass security measures by making multiple login attempts before an account is locked down for a suspected breach.

McAfee recommends that a password policy combined with two-factor authentication is the best way to mitigate the risk of lost devices. According to the company, multi-factor authentication will be more secure than password-only authentication protocols in the long run as more sophisticated hacking techniques develop.

The Last Word

When it comes to cyber security, it's not an area you should venture into alone - nor do you have to.

At Fifosys, we're here 24/7/365 to support you through challenging times and ensure your safety.

We can work with you to develop a custom security solution designed with you in mind; reach out today to get your journey started.

