
New Study Reveals Significant Increase in MFA's Role in Major Attacks

Misconfigured and deliberately bypassed Multi-Factor Authentication (MFA) played a key role in several recent cyberattacks, according to Cisco Talos.


A recent report from Cisco Talos reveals that multi-factor authentication (MFA) was involved in nearly half of all security incidents its incident response teams handled in the first quarter of the year.

The report highlights several common methods attackers use to bypass MFA, particularly in ransomware and targeted intrusion campaigns. One is uninstalling or disabling the MFA application on the victim's machine with the Windows Management Instrumentation Command-line utility (WMIC), which removes MFA protection at the device level.

Attackers also deliberately time push-notification attacks for pre-work hours, often between 8 and 9 a.m. Another tactic is deleting the Windows Security and PowerShell event logs to impair detection and forensic analysis, which helps attackers slip past security controls, including MFA alerts, unnoticed.
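The three device-level and timing tactics described above (push-fatigue bursts in the early morning, MFA agent removal via WMIC, and clearing of Security and PowerShell event logs) are all visible in ordinary telemetry. The following is an added detection sketch written for this article; it is not code from Cisco Talos or from the report. The event records, their field names and the identity-provider log format are constructed for the example; the Windows event IDs used are the standard ones (4688 process creation, 1102 Security log cleared, 104 event log cleared in the System channel), while the window and threshold values are assumptions to be tuned per environment.

```python
"""Detection sketch for MFA-bypass patterns: push fatigue, MFA agent
removal via WMIC, and event-log clearing. Added example; log formats and
thresholds are constructed assumptions, not the report's own detections."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: identity-provider push results ("mfa")
# and Windows event log records ("winevt"). Real SIEM fields will differ.
SAMPLE_EVENTS = [
    {"ts": "2024-03-04T08:02:10", "src": "mfa", "user": "alice", "result": "denied"},
    {"ts": "2024-03-04T08:02:55", "src": "mfa", "user": "alice", "result": "timeout"},
    {"ts": "2024-03-04T08:03:40", "src": "mfa", "user": "alice", "result": "denied"},
    {"ts": "2024-03-04T08:05:12", "src": "mfa", "user": "alice", "result": "approved"},
    {"ts": "2024-03-04T10:15:00", "src": "mfa", "user": "bob", "result": "approved"},
    {"ts": "2024-03-04T08:07:30", "src": "winevt", "channel": "Security", "event_id": 4688,
     "host": "WS01", "cmdline": "wmic.exe product where \"name like '%MFA%'\" call uninstall"},
    {"ts": "2024-03-04T08:09:00", "src": "winevt", "channel": "Security", "event_id": 1102,
     "host": "WS01"},
    {"ts": "2024-03-04T08:09:05", "src": "winevt", "channel": "System", "event_id": 104,
     "host": "WS01", "cleared_log": "Microsoft-Windows-PowerShell/Operational"},
]

# (channel, event_id) pairs that mean an event log was cleared.
LOG_CLEARED_IDS = {("Security", 1102), ("System", 104)}


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect_push_fatigue(events, window=timedelta(minutes=10), threshold=3):
    """Flag users who received `threshold` or more non-approved pushes within
    `window`, and note whether an approval followed the burst (the classic
    fatigue success). Also marks bursts falling in the 8-9 a.m. slot the
    report calls out. Returns at most one alert per user."""
    by_user = defaultdict(list)
    for e in events:
        if e["src"] == "mfa":
            by_user[e["user"]].append((_ts(e), e["result"]))
    alerts = []
    for user, pushes in by_user.items():
        pushes.sort()
        rejected = [t for t, r in pushes if r != "approved"]
        for start in rejected:
            burst = [t for t in rejected if start <= t <= start + window]
            if len(burst) < threshold:
                continue
            approved_after = any(r == "approved" and burst[-1] < t <= start + window
                                 for t, r in pushes)
            alerts.append({"user": user, "rejected_pushes": len(burst),
                           "first": start.isoformat(),
                           "approved_after_burst": approved_after,
                           "early_morning": 8 <= start.hour < 9})
            break
    return alerts


def detect_log_clearing(events):
    """Return one alert per log-cleared event (Security 1102 / System 104)."""
    return [{"host": e["host"], "event_id": e["event_id"], "ts": e["ts"],
             "cleared_log": e.get("cleared_log", e["channel"])}
            for e in events
            if e["src"] == "winevt" and (e["channel"], e["event_id"]) in LOG_CLEARED_IDS]


def detect_mfa_agent_removal(events):
    """Return an alert for each process-creation event (4688) whose command
    line invokes WMIC with a product uninstall."""
    alerts = []
    for e in events:
        if e["src"] != "winevt" or e["event_id"] != 4688:
            continue
        cmd = e.get("cmdline", "").lower()
        if "wmic" in cmd and "product" in cmd and "uninstall" in cmd:
            alerts.append({"host": e["host"], "ts": e["ts"], "cmdline": e["cmdline"]})
    return alerts


def run_detections(events):
    """Run all three detections and return their alerts keyed by name."""
    return {"push_fatigue": detect_push_fatigue(events),
            "log_clearing": detect_log_clearing(events),
            "mfa_agent_removal": detect_mfa_agent_removal(events)}


if __name__ == "__main__":
    for name, hits in run_detections(SAMPLE_EVENTS).items():
        print(f"{name}: {len(hits)} alert(s)")
        for hit in hits:
            print("  ", hit)
```

On the sample data the push-fatigue check fires once for alice (three rejected pushes in under two minutes followed by an approval, inside the 8-9 a.m. slot), the log-clearing check fires twice, and the agent-removal check once; in practice the three alerts on the same host and user within a few minutes are what merit escalation, since each on its own has benign explanations (a user dismissing a stale prompt, an administrator rotating logs, a legitimate software removal).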

Legitimate remote management and remote desktop tools, including RDP (Remote Desktop Protocol), SimpleHelp (a legitimate Remote Monitoring and Management tool that is frequently abused), and SSH, are also used by attackers to gain access and move laterally within networks after bypassing MFA.

Using dual-use or legitimate administrative tools lets attackers avoid the alarms that suspicious activity would trigger, so they can maintain access without tripping MFA defenses. Hijacking remote sessions or using stolen session tokens lets attackers circumvent MFA by riding on sessions or credentials that have already been authenticated.

In 25% of these incidents, incident responders dealt with fraudulent MFA push notifications sent by attackers. Nick Biasini, head of outreach at Cisco Talos, stated that a secure and effective implementation of MFA is crucial.

The report also notes that poorly configured MFA was a factor in two of the biggest attack campaigns of 2024: a ransomware attack against Change Healthcare and dozens of attacks against Snowflake customers. In both cases, the affected customers did not have MFA configured.

Basic MFA using SMS-based notifications is considered the least secure form. Attackers are also compromising third-party contractors to bypass MFA. Cisco Duo analyzed a dataset of 15,000 push-based attacks from June 2023 to May 2024.

The findings underscore that the effectiveness of MFA depends heavily on complementary security controls and user vigilance. While MFA is effective against automated attacks, sophisticated adversaries subvert it through social engineering, session hijacking, and disabling the MFA mechanisms themselves.

  1. To bypass multi-factor authentication (MFA) in ransomware attacks, cybercriminals uninstall or disable MFA applications using the Windows Management Instrumentation Command-line utility (WMIC), defeating MFA protection at the device level.
  2. Sound cybersecurity practices are crucial: the Cisco Talos report found that attackers are also compromising third-party contractors to bypass MFA.
  3. The effectiveness of MFA depends on complementary security controls and user vigilance. The report notes that basic MFA with SMS-based notifications is the least secure form, and that sophisticated adversaries subvert MFA through social engineering, session hijacking, and disabling MFA mechanisms.
