Excellent, long-time, tech reporter Dan Goodin reported in Ars Technica that the recent Solarwinds’ supply chain attack involved hackers bypassing a popular multi-factor authentication (MFA) solution.
I summarize over 50 different types of attacks against MFA in my most recent book, Hacking Multifactor Authentication, which was recently selected by long-time security expert, Ben Rothke, as one of the top computer security books of 2020. So, it surprised me that I hadn’t heard of or covered this exact type of attack. This attack was novel and new.
The attack involved the hackers accessing compromised end-points and servers involved in the MFA authentication (I know, double word used here) process. I actually have a whole chapter on how compromised end-points can bypass MFA along with half a dozen examples, but how the specific attack was accomplished, using a compromised component that then generated session cookies, was new to me (and most people).
It shows the continuing escalation against MFA and how MFA isn’t the unquestionable security speed bump many proponents make it out to be. MFA does significantly mitigate many forms of hacking, substantially so. But there is a far cry between saying that and claiming that MFA makes hacking impossible or even unlikely.
As many MFA users and administrators are finding out, using MFA can make some targeted hacks against you far more likely if they are attempted. I’ve had a credit union security officer tell me that they’ve suffered more successful hacks since his organization implemented MFA and he wished they would go back to login names and passwords. They wouldn’t be the first to reverse course. Many multi-millionaire cryptocurrency traders that got exploited explicitly because they were using MFA then went back to simple login names and password security years ago. Using MFA was just too much risk out of their control.
The Solarwinds’ attack involved a very popular MFA solution and one that I personally like as well. This doesn’t mean it can’t be attacked. In fact, I cover two other previous attacks (and I know of a third) against the same MFA vendor, including a default setting that builds in insecurity. This doesn’t mean that it’s a bad solution. It’s a good solution and when implemented correctly, it puts down a ton of attacks and risks.
The problem is that too many people equate using MFA with “I can’t be hacked!” or “I’m very unlikely to be hacked!” and those two things simply are not true. It’s not like if 100% of people used MFA 100% of the time that hackers would call it quits and go home. MFA does not defeat all hacking. How do we know? Because hackers have been compromising every released MFA solution from the beginning of MFA solutions. MFA is at best a speed bump to a hacker with focused attention.
Anything can be attacked and hacked. Anything! I’m not that good of a hacker and yet, I can hack any MFA solution at least five different ways. Many I can hack over 11 different ways. That doesn’t mean that a particular MFA solution is bad or weak (although there are bad and weak MFA solutions) or that you shouldn’t use MFA. In fact, I recommend that you use MFA (the more secure forms) where and when you can, which is unfortunately, not a lot of places.
The Solarwinds’ attack, although novel and new, is not INCREDIBLE! It’s not an unexpected outcome for the way it was accomplished. The hackers had complete control of multiple involved servers and used that access to undermine the MFA solution. That’s not a surprising outcome. If an attacker has complete control of an endpoint, there really is no security solution that is going to stop them. If the attacker has unfettered access to multiple servers involved in providing access control protection, you will never be able to stop them. It’s already game over.
The primary defense recommendation against the MFA bypass revealed by the Solarwinds’ attack is this: Don’t let hackers get admin control of your security infrastructure. Because if they do, there is nothing that can stop them from being successful – not the involved MFA solution, not any MFA solution, not any non-MFA solution.
Let me clear. I don’t fault the MFA vendor for this new and novel attack. That type of attack or another similar attack would have been successful against any MFA solution. The fault for this attack does not lie with the MFA vendor.
The key lesson to take away from the Solarwinds’ MFA bypass is that MFA is just one tool in a total defense and if you let an attacker get admin access into your environment, it’s game over! The only question is how they will game your systems and protections to get around them.
The most important lesson I teach in the book, over and over, besides picking secure MFA solutions (I pick winners and losers in the book), is to educate management, administrators, and staff about what MFA does and doesn’t do. I find way too many shops with newly implement MFA that think they have somehow created a bastion wall of security defense that can never be compromised. Many think their days of being hacked are over. And that simply isn’t true. In some cases, using MFA gives attackers who know what your MFA solution is, a specific set of steps they can take to be highly successful. No defense is perfect. Everything can be hacked. And in some cases, MFA can be hacked easier than a login name and password. In most cases, a traditional-looking phishing email can bypass your MFA solution like it wasn’t even there. See this example video by KnowBe4’s Chief Hacking Officer, Kevin Mitnick here. It demonstrates one of the most common forms of MFA bypass, session hijacking, which has been around for decades, and yet most people who see it for the first time are shocked by it.
Implementers and users of MFA need to be aware that MFA can be defeated, and they still need to implement a strong, defense-in-depth plan which includes early warning monitoring that alerts during successful breaches and bypasses. Because if you don’t plan on a breach being successful simply because you are using MFA, you might end up like Solarwinds and a thousand other companies that have learned this lesson the hard way.