Hacking Two Factor Authentication: Four Methods for Bypassing 2FA and MFA

Captions
When multi-factor authentication is implemented correctly, it can be an extremely powerful and low-cost way to protect against the weakest link in the cyber security defense, which is generally the user password. It works by combining something you know, like a password, with something you have, like a hard or soft token. It can be expanded to include other factors such as something you are, like biometrics, or somewhere you are, like geolocation.

Attacks on multi-factor authentication were once considered more of a proof of concept than an actual threat. The thinking was: as long as multi-factor authentication is enabled, it doesn't really matter if an attacker gets a user password, because they would still need access to the token. Over recent years, however, more and more attacks have proven to be not only quite successful but quite common in the real world. In this video we'll take a look at four of the most common multi-factor authentication attacks seen and increasingly being used in the wild, along with ways to mitigate against these attacks so that you can protect yourself and your organization. Before diving into our list, please take a moment to hit like on the video down below to give me a boost in the YouTube algorithm, and if you haven't already, consider subscribing to stay on top of our latest releases here at the CISO Perspective. Now let's get on to our list.

Number one: Evilginx. No matter how strong a security control can be, attackers will always target the weakest link. A great example of this kind of attack is the framework Evilginx 2. Evilginx 2 works by acting as a proxy between the user and the server that they are trying to go to. The attacker first needs to find a way to reroute user traffic through the Evilginx proxy. The traffic is then sent from the proxy to the real server and displayed back to the user. It's important to know here that the user is actually seeing the real site and not a replica, like they would in a common phishing attack. Evilginx is merely acting as a proxy, which means a user is seeing the content exactly as they would when they visit the actual site. This also means that all communication from the user is routed from the proxy to the site, and in turn grabs not only the username and password but the authentication cookies as well. This is a really important concept to know, because captured authentication cookies are a goldmine: it allows the attacker to bypass any form of two-factor authentication on the user account. It takes a real user-authenticated session and it presents it to the user so they can be used later offline. This attack is important because we're not grabbing the actual tokens themselves, which change frequently and after a new user request will no longer be usable. Once they've successfully logged in, the framework captures the actual authentication cookie from the successful attempt. This allows the attacker to bypass any form of multi-factor authentication enabled on the user's account from any machine. If you export the authentication cookie from the victim's browser and import them into a different browser on a different computer, even in a different country, you will be completely authenticated and get full access to the account without ever being asked for the username, password or two-factor authentication tokens.

There are two ways to protect against this kind of sophisticated attack. The first of which is to monitor the URL and verify the domain you're visiting is the actual one from the browser. While this may sound obvious, even the most tech-savvy users can still have trouble identifying a real URL from the attacker's redirect using the Evilginx framework. The other is to use physical hardware like a universal second factor authenticator. U2F was introduced to protect against this specific kind of phishing attack. In short, the user would need to press a physical button on the hardware, which interacts directly with the server once a request is made for the one-time code. The browser is only acting as a channel for communication and therefore not storing any type of session or authentication information in the browser itself. Evilginx is one kind of attack which can be considered part of a broader type of attack called pass-the-cookie. This leads us to the next item on our list.

Number two: pass-the-cookie. The concept behind this kind of attack is the user has already authenticated with their multi-factor authentication and the website has stored the cookie on the user's browser. While this cookie is encrypted by default, in this attack we are attempting to retrieve and decrypt the cookie offline. Unlike Evilginx, which acts like a proxy between the victim and the real server intercepting the authentication cookie, this attack involves access to the user browser via some other method. Once a system has been compromised, the attacker retrieves the cookie database from the web browser. Once a cookie has been retrieved from the database, Mimikatz can be used to retrieve the decrypted cookie. Security researcher Jeff Warren shows us here how the Mimikatz command you see on the screen was utilized to retrieve the keys. In his blog post he goes on to illustrate how Azure was completely bypassed using the pass-the-cookie method. Once the cookies have been retrieved and unlocked, the next step is to pass the cookie into the attacker's web browser and attempt to visit the target application as the authenticated user. When the authenticated server attempts to request an authentication cookie, he's presented with the victim's authentication cookie, and multi-factor authentication is completely bypassed for the duration of the login. Perhaps the most unsettling part of this attack is the attacker does not need to know the victim's username, password or token code; however, they would need to compromise the victim's machine and escalate privileges via some other method.

Fortunately, there are a few things we can do to protect against this kind of attack. One way would be to add additional context to the user authentication method beyond just an authenticated session. Because this attack works by exfiltrating the authenticated cookie out of a legit machine to another location, one protection method would be to only allow authorized IP or client machines with certificates to have access into sensitive machines and servers. Another option is browser fingerprinting, where the remote application would require a new authentication whenever a new browser or device is detected. This is similar to what banks do whenever you try to log in from an unknown device or machine. This attack illustrates a point: that no matter how strong your password policy and multi-factor authentication solution may be, an attacker always uses the path of least resistance. On that note, that leads us to number three.

Number three: SMS-based man-in-the-middle attacks. Perhaps the biggest weakness in the use of multi-factor authentication is using SMS or email as a delivery vehicle for the one-time token. When using text messages or emails for two-factor authentication, the one-time token is delivered to the user via SMS text message. This is then inputted by the user to log into the system. This is perhaps the most popular method of multi-factor authentication because it's easy to implement and does not require any soft or hard tokens to be deployed. In fact, many of us use this kind of method to log into popular sites like banks and other personal websites. However, the use of SMS itself over physical or soft tokens is the problem, because the attacker can get access to any victim's SMS pretty easily. This particular kind of attack works by first doing a SIM swap on the victim's phone. A SIM swap is when the attacker transfers the phone number of a victim to their own SIM card, which is then controlled by the attacker. All phone and SMS messages are then sent to the attacker's phone instead of the victim. This means that the one-time tokens which are sent from the application are actually sent to the attacker without the victim ever being aware. SIM swaps are surprisingly easy to do, for as little as 13 dollars, as a Vice article recently put it. All it takes is a prepaid account and a phone number to transfer ownership. As the author puts it, once the attacker is able to reroute a target's text messages, it can then be trivial to hack into other accounts associated with that phone number. In this case the attackers sent login requests to Bumble, WhatsApp and Postmates and easily accessed all of the victim's accounts. In a recent video I covered the massive T-Mobile data breach that happened earlier this year, when a test router was used to penetrate inside corporate T-Mobile systems. The result was that over 50 million user records were breached, including PII and phone numbers of the victims. As I mentioned in that video, user phone numbers meant that the attacker can now easily target those compromised accounts for SIM swaps by matching their phone number. The key takeaway for this attack is to never use SMS or email as a delivery mechanism for a one-time token. Using hard tokens like RSA key fobs or soft tokens like Google's Authenticator are much better overall security methods.

Number four: attacks on the soft and hard tokens themselves. While speaking about hardware and software-based tokens, it's worth mentioning that when they are utilized, they too can be the weakest link in the chain. Software tokens have come under the biggest scrutiny lately due to recent major zero days that have been found in iOS and Android smartphones. While software tokens like Google Authenticator or RSA SecurID are generally considered secure, the nature of BYOD means that organizations still have to worry about malware infecting the underlying operating system of the phone itself. In this attack, the victim's phone is compromised and used to retrieve the one-time code from the multi-factor authentication system. In one example used by a security researcher at nex-web, a zero-day exploit on Android made it possible to mirror a victim's phone and even launch applications in the background without them knowing. This simple exploit was delivered over SMS text message, and the victim in most cases didn't even need to open the link. The attacker can then log into the victim's phone, open up the soft token in the background, retrieve the one-time code, and all this without the victim ever knowing. By having this level of access to the victim's phone, no secure software token in the world is safe from prying eyes. Similarly, hardware tokens can also fall victim to user errors as well. By doing some digging on Shodan for open webcams, cybersecurity researcher todzi could clearly see an employee's RSA key fob through a webcam that was connected to the public internet. Both of these attacks illustrate the point that attackers can and will almost always find ways around the strongest security technologies by finding the least common denominator in the security chain.

Well, that does it for this video, guys, and as always I hope you found it informative. Please comment, hit like and subscribe if you want to stay on top of our latest releases here at CISO Perspective. And also, I've recently relaunched our new cisoperspective.com website, where you can see all the past blog entries as well as all of my research for the videos that I have posted on YouTube. You can always contact me at andy at cisoperspective.com, and until next time, stay safe.
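The pass-the-cookie mitigation the video describes (binding an authenticated session to the client that completed the MFA login, and forcing a fresh authentication when the same cookie shows up from a new browser or device) can be sketched server-side as follows. This is an added example written for this page, not code from the video or from any product it names; the in-memory `SESSIONS` store, the function names and the sample IP addresses and user agents are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Hypothetical server-side store, cookie value -> session record.
# A real deployment would use a database or cache; this dict is an assumption.
SESSIONS = {}

def client_fingerprint(ip, user_agent):
    """Hash the request context the session is bound to at login time.
    A copied cookie replayed from another machine yields a different hash."""
    return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()

def create_session(user, ip, user_agent):
    """Issue a random cookie after a successful password + MFA login and
    remember the fingerprint of the browser that completed that login."""
    cookie = secrets.token_urlsafe(32)
    SESSIONS[cookie] = {"user": user,
                        "fingerprint": client_fingerprint(ip, user_agent)}
    return cookie

def validate_session(cookie, ip, user_agent):
    """Return (status, user).
    'ok'      -> known cookie, same client context it was issued to
    'reauth'  -> genuine cookie arriving from a new device: the application
                 should run a fresh MFA challenge instead of trusting it
    'invalid' -> unknown (or already revoked) cookie"""
    record = SESSIONS.get(cookie)
    if record is None:
        return ("invalid", None)
    presented = client_fingerprint(ip, user_agent)
    if not hmac.compare_digest(presented, record["fingerprint"]):
        # From the server's side a pass-the-cookie replay looks exactly like
        # this: a valid cookie, wrong client. Revoke it so every copy of the
        # cookie, wherever it was carried to, stops working.
        del SESSIONS[cookie]
        return ("reauth", record["user"])
    return ("ok", record["user"])

def demo():
    """The scenario from the video: a cookie issued to the victim's browser
    is later presented from a different machine (constructed sample data)."""
    ua = "Mozilla/5.0 (Windows NT 10.0) Firefox/95.0"
    cookie = create_session("alice", "203.0.113.10", ua)
    same = validate_session(cookie, "203.0.113.10", ua)
    other = validate_session(cookie, "198.51.100.7", "Mozilla/5.0 (X11; Linux) Chrome/96.0")
    after = validate_session(cookie, "203.0.113.10", ua)
    return (same[0], other[0], after[0])   # ('ok', 'reauth', 'invalid')
```

Binding to the source IP alone misfires for users on mobile carriers or behind changing NAT, which is why the banks the video mentions combine several device signals before deciding a browser is new.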
Info
Channel: The CISO Perspective
Views: 64,374
Keywords: hacking, two factor authentication, 2 factor authentication, 2fa, what is two factor authentication
Id: GexQHFt9fTE
Length: 10min 15sec (615 seconds)
Published: Mon Dec 27 2021