An interesting way to bypass multi-factor authentication (MFA) was recently announced by Bleeping Computer. This particular attack method requires a potential victim to be tricked into downloading a malicious executable (not so hard unfortunately), and the resulting rogue code then uses Microsoft Edge’s WebView2 control to essential create a rogue web page which can mimic any other web page, except with new malicious coding inserted.
As the author of the Wiley book, “Hacking Multifactor Authentication,” I am obsessively interested in any new MFA hacking technique. This is definitely a new method and I am glad researchers shared it. Here is how it works:
- User is somehow tricked into downloading malicious content
- Malicious content uses Microsoft Edge’s WebView2 control to create a new, malicious, web instance mimicking an existing legitimate web instance, including cookies, passwords, etc.
- The new malicious web instance can further socially engineer the user into revealing more confidential information, take over the user’s legitimate web instance, steal the user’s logon credentials, steal the user’s legitimate web instance access control token, and more.
The cybersecurity sky is the limit!
There is even a readily available related attack tool, from which most of the recent security conversations were generated.
But here is something to keep in mind, anytime an endpoint is compromised, it is essentially game over for any defense. Once an endpoint has been compromised, it is not the user’s endpoint anymore. It might not even be the same operating system. Microsoft unofficially stated the obvious over two decades ago, in early 2000, as the first law of its 10 Immutable Laws of Security: Law #1: If a bad guy can persuade you to run his program on your computer, it is not your computer anymore.
Truth. And using MFA does not change this. At the very least, a malicious hacker or malware program compromising a user’s endpoint can wait until the user accesses their MFA-protected resource and then execute malicious commands as if they were the end user. This sort of MFA bypass technique has been used at least since the late 1990s. In those early attacks, malware called bancos trojans (bancos means “banks” in Portuguese and Spanish, because these regions are where they first originated) compromised a user’s endpoint, waited until the user logged onto their bank, regardless of how it was done (MFA involved or not) and then it executed a second, “hidden”, browser session that stole all the user’s money. The user might be simply checking their bank balance, paying a bill, or transferring money to someone, but in the background, the malware program was robbing them blind.
Banking trojans have been used to steal billions of dollars from people and are among the most popular ways people’s money is stolen. A large percentage of today’s malware automates bypassing MFA and stealing people’s money, including the example discuss here.
However, there are many other ways to manipulate a user or admin’s session to perform malicious actions on a compromised endpoint beyond banking trojans. These include:
- Start a second, hidden, desktop session (most popular operating systems support this)
- Steal access control tokens to authenticated web sessions
- Execute keystrokes to mimic what a user could otherwise type in themselves, but instead with malicious intent
- Intercept and maliciously modify intended keystrokes and commands between the time the user typed or selected them and what the involved web instance host receives
- Modify the involved operating system or applications to perform malicious actions or to allow malicious control or access
Essentially, as Microsoft first stated decades ago, once an endpoint is compromised, it is game over, anything is possible.
Solution
The only 100% effective solution is to prevent malware from being executed in the first place. Every defender needs to implement the best defense-in-depth layered cybersecurity strategy (e.g., policies, technical defenses, and education) to prevent malware from being executed on an endpoint. This means making sure to aggressively patch endpoints so they cannot be remotely or silently compromised. It means making sure they are appropriately, securely configured. It means making sure that involved users have strong authentication, such as phishing-resistant MFA or strong and unique passwords.
It also means making sure that end-users are aggressively trained to prevent falling for social engineering schemes. There is no single defense other than security awareness training, that could do more to prevent users from mistakenly launching malware. Every user should be taught how to recognize the signs of social engineering and what to do when they see it (i.e., report it to the appropriate resources and avoid launching it).
The recent new technique of using the Microsoft Edge Webview2 control to create malicious web instances is yet another new method to bypass the inherent protections of MFA, but it is just one of many dozens in a continuing and persistent series of related methods resulting from compromised endpoints. The only viable defense is to prevent endpoints from being compromised. This requires an aggressive, defense-in-depth, layering of policies, technical controls, and education. Once an endpoint is compromised, there is no way to 100% guarantee that an attack can be stopped. And it does not take a new web control attack to make that any truer.