Security experts and government bodies have strongly advocated for companies adopting multifactor authentication (MFA) in recent years. But despite the increased adoption of MFA, security defenses don’t seem to be bolstered against rampant ransomware actors. In fact, recent findings suggest an increase in ransomware losses.
So, what’s going on – are MFA failures to blame for this trend? This article takes a closer look at rising ransomware losses and whether MFA remains the best way to authenticate users. You’ll also get pointers on avoiding MFA failures.
To start with the numbers, Nuspire identified an uptick in ransomware publications in Q1 2024 compared to the previous quarter (see this threat report for more details). This increase seems surprising in light of higher MFA adoption—in a recent survey of IT professionals, 83% responded that employees at their company had to use MFA for authentication.
Before closely examining MFA failures as a related or even primary cause, it’s worth a brief look at some possible factors at play here:
Leaving aside the potential for apps or services MFA doesn’t cover, what are some ways MFA failures occur? Here are three ways threat actors might get around MFA implementation.
Session hijacking
Session hijacking happens when a hacker takes over a user’s active session with a web application after the user has successfully authenticated. This allows the attacker to bypass MFA and gain unauthorized access. Once authenticated, the server generates a session token (often in the form of a cookie) that the hacker then intercepts or steals. Methods for doing this include malware, phishing links or packet sniffing.
Social engineering
The umbrella term ‘social engineering’ captures a variety of techniques available to bypass MFA. One technique that has gained a lot of traction among hackers in recent years is prompt bombing (or MFA fatigue attacks), which targets the push notification method often used in MFA implementations.
Prompt bombing attacks start by getting a correct set of credentials and then repeatedly sending MFA prompts to the victim’s device. These prompts are push notifications that ask the user to confirm or deny an action, such as logging into their account.
In their frustration, confusion or simply in an attempt to stop the incessant notifications, the user might accidentally or deliberately approve one of the authentication requests. This approval grants the attacker access to the system. Fake login pages, SIM swaps and vishing calls are other ways to bypass MFA with social engineering.
Attacking MFA service providers
In today’s complex IT ecosystems, the actual providers of MFA services are not immune to issues like supply chain attacks or direct security compromises. In 2022, one of the technology’s main providers, Okta, suffered a major compromise after a third-party support engineer’s workstation was compromised. That particular incident led to outsider access to 366 Okta customers’ tenants. In cases like these, hackers attack MFA providers directly and can try to reset passwords or change MFA configurations to get into user accounts.
It’s not that MFA is inherently flawed, but it’s also not guaranteed to keep opportunistic hackers out of your environment. Still, MFA is a top option for authentication. Here’s what you can do to help mitigate the potential for MFA failures:
MFA improves security, but it isn’t infallible
Switching on MFA for all apps and services at your organization remains a best practice. The most important thing to bear in mind is that while this strengthens security, MFA, like most security measures, is not infallible.
Additional security measures like EDR and MDR provide continuous monitoring and analysis of data on endpoints. You get real-time threat detection, automated responses to security incidents and detailed forensic capabilities. This level of surveillance helps you identify anomalies and potential breaches swiftly and minimizes the potential damage from attacks that have gotten around MDR or other initial defense barriers.
Learn how continuous monitoring and response can shield your network from threats that slip past MFA defenses.
The post MFA Failures and Surging Ransomware Losses: What’s Going On? appeared first on Nuspire.
*** This is a Security Bloggers Network syndicated blog from Nuspire authored by Team Nuspire. Read the original post at: https://www.nuspire.com/blog/mfa-failures-and-surging-ransomware-losses-whats-going-on/