
Surge in MFA involvement uncovered in major attacks, according to study findings

Misconfigured MFA and deliberate MFA bypasses were key factors in multiple attacks, as identified by Cisco Talos in recent months.


In a recent report, Cisco Talos has highlighted the growing concern of attackers bypassing multifactor authentication (MFA) in various security incidents. According to the firm, MFA was involved in nearly half of all security incidents encountered by their incident response teams in Q1 of the year.

The research reveals that attackers commonly bypass MFA using several methods. One is uninstalling or disabling the MFA application on the victim machine through the Windows Management Instrumentation Command-line (WMIC), as seen in the Chaos ransomware group's attacks. The group also deletes the relevant security logs to avoid detection.
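As an added defensive illustration (not code from the report or from Cisco Talos), the following Python rule flags the WMIC-driven MFA-client uninstall and the subsequent security-log clearing described above, run over constructed sample events. The key=value export format, the use of process-creation events (EventID 1) and the Security-log-cleared event (EventID 1102) as sources, and the MFA product-name hints are assumptions to adapt to your own telemetry.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not real data): Sysmon-style process-creation events
# (EventID=1) and Security-log-cleared events (EventID=1102) flattened to key=value.
SAMPLE_LOG = r"""
EventID=1 Host=WS01 User=CORP\jdoe Image=C:\Windows\System32\wbem\WMIC.exe CommandLine=wmic product where "name like '%Duo%'" call uninstall
EventID=1 Host=WS01 User=CORP\jdoe Image=C:\Windows\System32\notepad.exe CommandLine=notepad.exe notes.txt
EventID=1102 Host=WS01 User=CORP\jdoe Channel=Security
EventID=1 Host=WS02 User=CORP\svc_patch Image=C:\Windows\System32\wbem\WMIC.exe CommandLine=wmic product get name,version
EventID=1 Host=WS03 User=CORP\admin Image=C:\Windows\System32\wbem\WMIC.exe CommandLine=wmic product where "name like '%Okta Verify%'" call uninstall
"""

# Product-name fragments that identify MFA clients (assumption: extend for your estate).
MFA_APP_HINTS = ("duo", "okta verify", "authenticator", "securid")

FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")

def parse_event(line):
    """Turn one key=value line into a dict; the last field may contain spaces."""
    return {k: v for k, v in FIELD_RE.findall(line)}

def is_mfa_uninstall(ev):
    """WMIC driving a product uninstall whose target name matches an MFA client."""
    if ev.get("EventID") != "1" or not ev.get("Image", "").lower().endswith("wmic.exe"):
        return False
    cmd = ev.get("CommandLine", "").lower()
    return "uninstall" in cmd and "product" in cmd and any(h in cmd for h in MFA_APP_HINTS)

def is_log_cleared(ev):
    """Security log cleared (Windows Security EventID 1102)."""
    return ev.get("EventID") == "1102"

def detect(log_text):
    """Return (host, user, severity, reason) findings; a log clear on a host that
    already showed an MFA uninstall is escalated to 'critical'."""
    findings, seen = [], defaultdict(set)
    for line in log_text.strip().splitlines():
        ev = parse_event(line)
        host, user = ev.get("Host", "?"), ev.get("User", "?")
        if is_mfa_uninstall(ev):
            seen[host].add("mfa_uninstall")
            findings.append((host, user, "high", "MFA client uninstalled via WMIC"))
        elif is_log_cleared(ev):
            if "mfa_uninstall" in seen[host]:
                findings.append((host, user, "critical", "Security log cleared after MFA removal"))
            else:
                findings.append((host, user, "medium", "Security log cleared"))
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```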

Another favored method is session hijacking. Attackers steal authentication tokens (session cookies) through malicious JavaScript, infostealers, or man-in-the-middle attacks, gaining full access without ever facing an MFA prompt. Cisco built its Duo Passport solution to counter this growing vector; in the cases it cites, 60% of incident response engagements involved identity-related attacks, with session theft among the top techniques.

Nick Biasini, head of outreach at Cisco Talos, emphasized the importance of making MFA secure and effective. In an ideal situation, organizations would implement MFA using an app-based push with a challenge question. However, basic MFA with SMS-based notification is the least secure, according to Biasini.

The report also sheds light on two significant attack campaigns in 2024. Poorly configured MFA was a factor in the ransomware attack against Change Healthcare and multiple attacks against Snowflake customers, where impacted customers did not have MFA configured.

Moreover, corporate stakeholders are increasingly interested in understanding the risk calculus of their technology stacks, with "Are we a target?" a lingering question. Attackers also time push-notification attacks for the hours just before the workday, often between 8 and 9 a.m.

Attackers also use social engineering against IT departments to bypass MFA. In 20% of Cisco Talos engagements, users had not properly implemented MFA, and in 25% of cases incident response specialists dealt with fraudulent MFA push notifications sent by attackers.

These findings underscore the need for organizations to implement robust MFA and additional protections against credential theft and session hijacking to bolster their network defenses.


  1. The Chaos ransomware group, as revealed in Cisco Talos' research, bypasses multifactor authentication (MFA) by uninstalling or disabling MFA applications on victim machines, using the Windows Management Instrumentation Command-line (WMIC) to do so.
  2. Effective network defenses can be bolstered by implementing robust multifactor authentication (MFA) and additional protections against credential theft and session hijacking, as emphasized by Cisco Talos in their finding that attackers frequently bypass MFA using techniques like session hijacking and social engineering.
