This exploit is used to bypass Microsoft’s multi-factor authentication

Cybercriminals are exploiting dormant Microsoft accounts to bypass multi-factor authentication and gain access to cloud services and networks, researchers say.

The technique was detailed by cybersecurity researchers at Mandiant, who say the exploit is used in hacking campaigns by APT29 – also known as Cozy Bear – a hacking and espionage operation believed to be linked to the Russian Foreign Intelligence Service (SVR). Other offensive cyber threat groups could use the same tactics.

Multi-factor authentication is a useful tool for organizations looking to prevent account takeovers and cyberattacks against cloud services and other parts of the network. However, while it is extremely effective in defending against intrusions, it is not infallible and cyberattackers find ways to circumvent it.

According to Mandiant, cybercriminals are exploiting the self-enrollment process for multi-factor authentication in Microsoft Azure Active Directory and other platforms to take control of Microsoft 365 and other accounts.

Configure multi-factor authentication

When organizations first roll out multi-factor authentication to users, many platforms allow users to enroll their MFA device – typically their smartphone – the next time they log in. This process is often chosen because it is the most efficient way to get MFA in place for as many users as possible to secure their accounts.

But as the researchers point out, if there is no additional verification around the MFA enrollment process, anyone who knows an account’s username and password can enroll it in multi-factor authentication, as long as they are the first person to do so – and attackers use this ability to gain access to accounts.

In a case detailed by Mandiant, attackers attributed to APT29 gained access to a list of undisclosed mailboxes, obtained through unknown means, and managed to guess the password for an account that had been set up but never used.

Because the account had never enrolled, Azure Active Directory prompted the attacker to set up multi-factor authentication. The attacker not only had control of the account, but was also able to tie multi-factor authentication to a device they owned, so that MFA granted them access to the account instead of preventing it.

From there, the attackers were able to use the account to access the victim organization’s VPN infrastructure. Researchers are not disclosing the name of the victim or the purpose of this attack.

The incident shows that, even with multi-factor authentication in place, it is possible for cybercriminals to bypass protective features to access and exploit dormant accounts – something that could go unnoticed for some time.

Verify user legitimacy

To prevent this, organizations are recommended to implement additional safeguards to verify that the user registering the account is legitimate.

“Organizations can restrict MFA device registration to only trusted locations, such as the internal network, or to trusted devices. Organizations can also choose to require enrollment of MFA devices,” said Douglas Bienstock, incident response manager at Mandiant.

“To avoid the chicken-and-egg situation this creates, help desk employees can issue temporary access passes to employees when they first join or if they lose their MFA device. The pass can be used for a limited time to log in, bypass MFA and register a new MFA device,” he added.

Microsoft recently introduced a feature that allows organizations to apply controls around MFA device registration, which can help prevent cybercriminals from gaining access to accounts. ZDNET has contacted Microsoft for comment.

Since dormant accounts are the main targets of this particular campaign, it could also be useful for information security teams to identify which accounts have never been used, and to remove them if they serve no purpose. It is also worth making sure these accounts are not secured with default passwords, which can easily be discovered by attackers.
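One way a security team could watch for the pattern described above is to flag MFA enrollments on accounts with no prior sign-in history, especially when the enrollment comes from outside trusted networks. The script below is an added example written for this article, not Mandiant’s or Microsoft’s code; the trusted ranges and the log records are constructed placeholders, shaped only loosely like Azure AD sign-in and security-info registration entries.

```python
import ipaddress
from datetime import datetime, timedelta

# Assumption: the organisation's trusted egress ranges (placeholder values).
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"),
                    ipaddress.ip_network("10.0.0.0/8")]
# Sign-ins younger than this are treated as the enrollment session itself, not history.
HISTORY_WINDOW = timedelta(days=1)

# Constructed sample records (not real Azure AD logs).
EVENTS = [
    {"time": "2022-08-01T09:00:00", "user": "alice@example.com", "type": "signin", "ip": "203.0.113.10"},
    {"time": "2022-08-09T09:05:00", "user": "alice@example.com", "type": "mfa_register", "ip": "203.0.113.10"},
    {"time": "2022-08-20T02:13:00", "user": "dormant@example.com", "type": "signin", "ip": "198.51.100.7"},
    {"time": "2022-08-20T02:14:00", "user": "dormant@example.com", "type": "mfa_register", "ip": "198.51.100.7"},
    {"time": "2022-08-21T10:00:00", "user": "newhire@example.com", "type": "signin", "ip": "10.1.2.3"},
    {"time": "2022-08-21T10:01:00", "user": "newhire@example.com", "type": "mfa_register", "ip": "10.1.2.3"},
]

def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)

def find_suspicious_enrollments(events):
    """Return (user, time, severity, reasons) for each MFA registration worth review.

    'high'   : no sign-in history before the enrollment session AND untrusted network
               (the dormant-account pattern described in the article)
    'review' : only one condition holds (e.g. a genuine first enrollment on-site)
    """
    signins = {}  # user -> list of sign-in timestamps seen so far
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        if ev["type"] == "signin":
            signins.setdefault(ev["user"], []).append(when)
            continue
        if ev["type"] != "mfa_register":
            continue
        history = [t for t in signins.get(ev["user"], []) if when - t > HISTORY_WINDOW]
        reasons = []
        if not history:
            reasons.append("no sign-in history before enrollment session")
        if not is_trusted(ev["ip"]):
            reasons.append(f"enrollment from untrusted address {ev['ip']}")
        if reasons:
            severity = "high" if len(reasons) == 2 else "review"
            findings.append((ev["user"], ev["time"], severity, reasons))
    return findings

if __name__ == "__main__":
    for user, when, sev, why in find_suspicious_enrollments(EVENTS):
        print(f"[{sev}] {user} at {when}: {'; '.join(why)}")
```

With the sample data, the dormant account enrolled from an untrusted address is reported as high severity, while the new hire enrolling from the internal network is only queued for review.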

Source: ZDNet.com
