Multi-factor authentication has long been viewed as a foundational building block when it comes to securing data.
When the technology isn't securely implemented or shortcuts are taken however, it can introduce unexpected gaps in your data protection plan.
The U.S. government is reminding organizations this week that while MFA is a cybersecurity essential and instrumental when it comes to preventing breaches, it's not a set it and forget it solution; it should be fine-tuned.
The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) warned organizations on Tuesday that hackers were able to compromise an organization last year that had MFA implemented but used default configuration settings.
Specifically, the hackers, which where Russian-backed, made short use of default MFA settings to side-step authentication at the organization in May 2021. From there, after exploiting a known vulnerability, the hackers were able to move laterally to access the organization's cloud storage, email accounts, and exfiltrate documents.
While a joint cybersecurity advisory issued by the two agencies obviously didn't disclose the organization or what files may have been taken, it did specify that it was a non-governmental organization, or NGO.
The hackers were able to use compromised credentials - through brute-force guessing - from an inactive account to enroll a new device in the organization's MFA program. After securing access to the organization's network, the hackers used last summer's PrintNightmare vulnerability (CVE-2021-34527) to obtan admin privileges and modify a domain controller file that in turn, disabled MFA for active domain accounts.
For MFA to work, the MFA server needs to be reachable; in instances where it’s not, many implementations default to a "fail open" scenario - exactly what happened here - something which essentially defanged MFA.
CISA’s alert is a good reminder for organizations to check whether or not they’re following MFA best practices.
As the agencies note, organizations should:
- Enforce MFA for all users but review configuration policies to protect against “fail open” and re-enrollment scenarios like the one discussed above.
- Implement time out and lock out features to prevent repeated failed login attempts.
- Ensure inactive accounts are disabled across Active Directory and MFA systems
- Patch vulnerable software, applications, and firmware, especially vulnerabilities that are known to be exploited, like last year's PrintNightmare bug
- If you require an employee to use a password to login to a system, require them to be strong and unique and not reused across services
The FBI and CISA also used the hack as an opportunity to spread awareness around what to do in the event a domain controller is compromised - it points users to Microsoft's guidance on the topic - and share security, network, and remote work best practices.
In a lot of ways, the reminder from CISA and the FBI recall a letter issued by the New York State Department of Financial Services (NYDFS) late last year. The department, which is in charge of overseeing compliance at banks, insurance, and financial services said in the letter that more than half (64%) of the organizations that reported a Cybersecurity Event to the department from January 2020 to July 2021 had a gap in their MFA setup.
In guidance released alongside the letter at the time, the NYDFS encouraged organizations to pay attention to MFA gaps introduced during rollouts or transitions to new technology, implement MFA for remote access, use token-based MFA as opposed to push-based or text-based, and to periodically test the effectiveness of MFA through regular audits.
