Vulnerability Found in Multi-Factor Authentication
CFC sent us the advisory below to share regarding a new multi-factor authentication (MFA) vulnerability. Whether you have your cyber policy with CFC or elsewhere, please review and take steps to minimize your exposure.
CFC has become aware of a significant new security vulnerability that can be easily exploited to bypass multi-factor authentication (MFA). MFA is commonly used to protect against phishing attacks and compromised passwords, which are two of the most common root causes of cyber claims seen by our incident response team. Even worse, we’ve become aware of tools available on the dark web that exploit this vulnerability and expect substantial use of the tool to compromise previously protected environments.
How it works
A new penetration testing tool has been published by a security researcher that automates phishing attacks against multi-factor authentication protected websites. This tool, dubbed Modlishka, sits between a user and a target website such as Outlook 365 or Gmail.
The victim receives authentic content from the legitimate site but all traffic and all the victim’s interactions with the legitimate site pass through and are recorded on the Modlishka server. Any passwords a user may enter are automatically logged on this server, while the reverse proxy also prompts users for 2FA tokens when users have configured their accounts to request one.
If attackers are on hand to collect these tokens in real-time, they can use them to log into victims’ accounts and establish new and legitimate sessions. We have seen a similar method used to intercept other web services such as Citrix Web Access.
You can find more information here.
Steps to take
- Disable web access to email or remote desktop environments where possible
- Use hardware tokens as a means of multi-factor authentication (FIDO 2.0 and U2F)
- Implement phishing awareness and education:
- Do not click on links in emails, and instead type the address in your browser
- Avoid suspicious email attachments or links, and if necessary, verify the sender
- Never hand over your credentials such as passwords or sensitive information such as bank account numbers
- Check that the website address looks right and is spelled correctly
- Use DMARC in order to protect against spoofing of email domains