Multifactor Authentication (MFA) Failures and Surging Ransomware Losses: What’s Going On?

Security experts and government bodies have strongly urged companies to adopt multifactor authentication (MFA) in recent years. But despite the increased adoption of MFA, defenses don’t seem to have been bolstered against rampant ransomware actors. In fact, recent findings suggest an increase in ransomware losses.

So, what’s going on – are MFA failures to blame for this trend? This article takes a closer look at rising ransomware losses and whether MFA remains the best way to authenticate users. You’ll also get pointers on avoiding MFA failures.  

Why Are Ransomware Losses Surging? 

To start with the numbers, Nuspire identified an uptick in ransomware publications in Q1 2024 compared to the previous quarter (see this threat report for more details). This increase seems surprising in light of higher MFA adoption—in a recent survey of IT professionals, 83% responded that employees at their company had to use MFA for authentication. 

Before closely examining MFA failures as a related or even primary cause, it’s worth a brief look at some possible factors at play here:  

  • Sophisticated attacks: Cybercriminals continue to refine their methods. Lately, more actors have exploited zero-day vulnerabilities—security flaws unknown to the software vendor—or used social engineering tactics that bypass MFA. 
  • Generative AI: Large language models are increasingly being repurposed for malicious ends. Many models can write convincing phishing emails; all it takes is one susceptible employee being persuaded to open an attachment or click a link.
  • Increased attack surface: Companies continue to adopt more cloud services, rely on third parties, and expand their IT infrastructure beyond the traditional network boundary, sometimes without adequately assessing the security of every new component in this environment. Misconfigurations, security lapses and inadequate access controls might go unnoticed because of this larger attack surface, which provides attackers with easy entry points.

How Can MFA Fail?  

Leaving aside the potential for apps or services MFA doesn’t cover, what are some ways MFA failures occur? Here are three ways threat actors might get around MFA implementation.  

Session hijacking

Session hijacking happens when a hacker takes over a user’s active session with a web application after the user has successfully authenticated. Once the user has authenticated, the server generates a session token (often in the form of a cookie); a hacker who intercepts or steals that token can bypass MFA and gain unauthorized access. Methods for stealing it include malware, phishing links or packet sniffing.

Social engineering

The umbrella term ‘social engineering’ captures a variety of techniques available to bypass MFA. One technique that has gained a lot of traction among hackers in recent years is prompt bombing (or MFA fatigue attacks), which targets the push notification method often used in MFA implementations.  

Prompt bombing attacks start by getting a correct set of credentials and then repeatedly sending MFA prompts to the victim’s device. These prompts are push notifications that ask the user to confirm or deny an action, such as logging into their account.  

In their frustration, confusion or simply in an attempt to stop the incessant notifications, the user might accidentally or deliberately approve one of the authentication requests. This approval grants the attacker access to the system. Fake login pages, SIM swaps and vishing calls are other ways to bypass MFA with social engineering.  

Attacking MFA service providers

In today’s complex IT ecosystems, the actual providers of MFA services are not immune to issues like supply chain attacks or direct security compromises. In 2022, one of the technology’s main providers, Okta, suffered a major compromise after a third-party support engineer’s workstation was compromised. That particular incident led to outsider access to 366 Okta customers’ tenants. In cases like these, hackers attack MFA providers directly and can try to reset passwords or change MFA configurations to get into user accounts.  

Tips on Avoiding MFA Failures 

It’s not that MFA is inherently flawed, but it’s also not guaranteed to keep opportunistic hackers out of your environment. Still, MFA is a top option for authentication. Here’s what you can do to help mitigate the potential for MFA failures: 

  • Limit the number of failed login attempts and the frequency with which MFA requests can be sent to your users.  
  • Adjust the security requirements for logins based on real-time assessments of login attempts. MFA systems that use a risk-based approach can factor in things like location, device used or time of the access request to tighten security for suspicious authentication attempts.  
  • To combat the risk of session hijacking, implement automatic session timeouts and require re-authentication for critical actions, even during active sessions. This should also include regenerating session IDs often.  
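The session-hijacking tip above, sketched as an added example that is not from the original article: an in-memory session store with an idle timeout, an absolute lifetime, fresh-MFA checks for critical actions and session ID regeneration. The class name `SessionStore` and all timeout values are hypothetical.

```python
import secrets
import time

# Assumed policy values for illustration; tune them to your own environment.
IDLE_TIMEOUT = 15 * 60       # seconds of inactivity before the session dies
ABSOLUTE_TIMEOUT = 8 * 3600  # hard cap on total session lifetime
STEP_UP_MAX_AGE = 5 * 60     # MFA must be this recent for critical actions

class SessionStore:
    """Hypothetical in-memory store; a real one sits behind your web framework."""

    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock

    def create(self, user):
        """Call only after the password and MFA checks have both succeeded."""
        now = self._clock()
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now, "mfa_at": now}
        return sid

    def validate(self, sid):
        """Return the session, or None if it is unknown, idle too long or too old."""
        s, now = self._sessions.get(sid), self._clock()
        if s is None:
            return None
        if now - s["last_seen"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]
            return None
        s["last_seen"] = now
        return s

    def authorize_critical(self, sid):
        """Permit a sensitive action only if MFA was completed recently."""
        s = self.validate(sid)
        return s is not None and self._clock() - s["mfa_at"] <= STEP_UP_MAX_AGE

    def step_up(self, sid):
        """Record a fresh MFA check, then swap the session ID so a stolen copy dies."""
        s = self.validate(sid)
        if s is None:
            return None
        s["mfa_at"] = self._clock()
        del self._sessions[sid]
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = s
        return new_sid
```

Call `step_up` only after the user has passed a new MFA challenge; the old cookie value stops validating as soon as the new ID is issued.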

MFA improves security, but it isn’t infallible

Switching on MFA for all apps and services at your organization remains a best practice. The most important thing to bear in mind is that while this strengthens security, MFA, like most security measures, is not infallible.  

Additional security measures like EDR and MDR provide continuous monitoring and analysis of data on endpoints. You get real-time threat detection, automated responses to security incidents and detailed forensic capabilities. This level of surveillance helps you identify anomalies and potential breaches swiftly and minimizes the potential damage from attacks that have gotten around MFA or other initial defense barriers.
