How an email attack exploited Microsoft’s multi-factor authentication

August 26, 2022
in Cybersecurity

Mitiga says that MFA, even if improperly configured, is no panacea for preventing attackers from abusing compromised credentials.


Multi-factor authentication (MFA) is often cited as one of the best security methods available to secure sensitive accounts and credentials. Even if the password is leaked or stolen, the hackers can’t use it to log into the account without that second form of authentication. But to be effective, MFA must be properly and securely configured; otherwise, a savvy cyber criminal can find ways to circumvent it.

A report released Wednesday, August 24, by security advisory firm Mitiga looks at a recent business email compromise campaign against an organization that uses Microsoft 365. The attackers were able to access sensitive information by exploiting weak default configurations in Microsoft’s multi-factor authentication, according to Mitiga. Though the people in the targeted organization were able to prevent any fraudulent activity, the incident does serve as a warning about the improper setup of MFA.

In this attack, cyber criminals gained unauthorized access to the Microsoft 365 account of an executive in an organization from multiple locations, including Singapore; Dubai; and San Jose, California.

The attackers were able to compromise the user’s account and mailbox through an adversary-in-the-middle (AiTM) tactic. With an AiTM trick, an adversary creates a proxy server between the victim and the website to be accessed, allowing them to capture the target’s passwords and browser session cookies.

To protect the victim’s account, the organization had implemented Microsoft MFA through the Microsoft Authenticator app, which should have stopped any use of stolen credentials. Upon further analysis, Mitiga found that a second Authenticator app had been set up without the victim’s knowledge, providing the attackers with the means to continue to use the breached account.

Microsoft MFA doesn’t always require a second form of authentication

The problem, according to Mitiga, lies in the weak default settings for Microsoft MFA. This technology works by deciding when to require that second form of authentication, such as in cases when someone tries to access resources from a different IP address, requests elevated administrator privileges or attempts to retrieve sensitive data.

By analyzing the token in an active login session, Microsoft MFA determines whether the session has previously been authorized. If so, the second form of authentication is not required. This decision is made solely by the Microsoft authentication engine; customers are unable to configure it themselves, according to Mitiga.

The report cited two examples in which a decision by Microsoft MFA not to require the second form of authentication can be problematic.

One example involves the Privileged Identity Management (PIM) feature, through which administrative users can work with non-administrative rights and then use the PIM tool to elevate their permissions if and when necessary. In this case, an attacker could use PIM to elevate a compromised non-admin account into one with admin privileges.

In another example, Microsoft doesn’t require a second form of authentication when accessing and changing user authentication methods in the Security Info section of the account profile. A user who was previously authorized in a session can add a new Authenticator app without being challenged. This is how the attacker in the incident cited by Mitiga was able to continue to use the compromised account.
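One detection that follows from this, added here as an example and not taken from the Mitiga report or from Microsoft, is to correlate each new security-info registration with the sign-in that preceded it and flag registrations whose originating sign-in came from a country the user had never used before and did not pass a fresh MFA challenge. The sign-in and audit records below are constructed to resemble Azure AD log entries; their field names, the activity string and the one-hour window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample sign-in records for one executive account (UTC times).
# The SG entry models the proxied session from the article: the stolen
# session cookie is reused, so no fresh MFA challenge is satisfied.
SIGN_INS = [
    {"user": "exec@example.com", "time": "2022-08-01T09:00:00",
     "country": "US", "ip": "203.0.113.5", "mfa_satisfied": True},
    {"user": "exec@example.com", "time": "2022-08-03T09:10:00",
     "country": "US", "ip": "203.0.113.5", "mfa_satisfied": False},
    {"user": "exec@example.com", "time": "2022-08-10T02:00:00",
     "country": "SG", "ip": "198.51.100.7", "mfa_satisfied": False},
]
# Constructed audit records for Security Info changes; the activity name is
# modelled on the Azure AD audit event written when an authentication method
# (such as a second Authenticator app) is enrolled.
AUDIT = [
    {"user": "exec@example.com", "time": "2022-08-01T09:02:00",
     "activity": "User registered security info", "ip": "203.0.113.5"},
    {"user": "exec@example.com", "time": "2022-08-10T02:05:00",
     "activity": "User registered security info", "ip": "198.51.100.7"},
]

def _ts(s):
    return datetime.fromisoformat(s)

def find_suspicious_registrations(sign_ins, audit, window=timedelta(hours=1)):
    """Return security-info registrations whose originating sign-in came from a
    country absent from the user's earlier sign-in history."""
    by_user = {}
    for s in sorted(sign_ins, key=lambda r: r["time"]):
        by_user.setdefault(s["user"], []).append(s)
    findings = []
    for ev in audit:
        if ev["activity"] != "User registered security info":
            continue
        history = by_user.get(ev["user"], [])
        ev_time = _ts(ev["time"])
        # Most recent sign-in at or before the registration, inside the window.
        candidates = [s for s in history
                      if ev_time - window <= _ts(s["time"]) <= ev_time]
        if not candidates:
            continue
        origin = candidates[-1]
        baseline = {s["country"] for s in history
                    if _ts(s["time"]) < _ts(origin["time"])}
        # A user with no prior sign-ins has no baseline to compare against.
        if baseline and origin["country"] not in baseline:
            findings.append({"user": ev["user"], "registered_at": ev["time"],
                             "country": origin["country"], "ip": origin["ip"],
                             "mfa_satisfied": origin["mfa_satisfied"]})
    return findings
```

A finding with `mfa_satisfied` false is the pattern described above: a reused session token allowed the enrollment without a second-factor prompt.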

“Given the accelerated growth of AiTM attacks (even without the persistency allowed by an attacker adding a new, compromised, authentication method), it is clear that we can no longer rely on multi-factor authentication as our main line of defense against identity attacks,” Mitiga said in the report. “We strongly recommend setting up another layer of defense, in the form of a third factor, tied to a physical device or to the employee’s authorized laptop and phone.

“Microsoft 365 offers this as part of Conditional Access by adding a requirement to authenticate via an enrolled and compliant device only, which would completely prevent AiTM attacks.”

Tips for preventing AiTM attacks that exploit MFA

In a statement sent to TechRepublic, a Microsoft spokesperson also offered recommendations on how to stop AiTM attacks that can exploit multi-factor authentication.

“AitM phishing is important to be aware of, and we recommend that users practice good computing habits online, including exercising caution when clicking on links to web pages, opening unknown files or accepting file transfers,” the spokesperson said. “We recommend that customers use Azure AD Conditional Access to set up specific rules for allowed risk levels, locations, device compliance and other requirements to prevent registration of new creds by adversaries.

“Where possible, we also recommend using phishing-resistant credentials like Windows Hello or FIDO. To help protect customers against this type of attack, Authenticator offers context information to warn the user that their location isn’t familiar or that the app isn’t the one they’re expecting.”

Further advice comes from Aaron Turner, CTO for SaaS Protect at cybersecurity firm Vectra. Noting that the targeted organization described by Mitiga was using a relatively weak default configuration in Microsoft 365, Turner asserted that Microsoft does provide a solution to stop AiTM attacks, but it’s one that must be hardened.

Toward that end, organizations should follow these three guidelines:

  • Make sure the Self-Service Password Reset requires two factors of authentication to reset account passwords.
  • Allow Microsoft Authenticator to be installed only through a Mobile Application Management or Mobile Device Management control set through Microsoft Intune.
  • Set up Conditional Access policies to only allow Microsoft Authenticator to work from managed applications or from managed devices.

“This combination of controls would have protected the victim organization in this case,” Turner added. “We have observed that even these controls can be bypassed by nation-state actors, so investing in appropriate detection and response capabilities is critical to reduce the risk opportunity created by sophisticated attackers.”
