Authorisation based on identity has evolved into a fundamental pillar for safeguarding the digital world. Granting access to various online systems brings significant benefits, yet also entails a rising danger of cyberattacks targeting identity.
Unfortunately, identity-driven attacks are extremely hard to detect. When a valid user’s credentials have been compromised and an adversary is masquerading as that user, it is often very difficult to differentiate between the user’s typical behaviour and that of the hacker when using traditional security measures and tools.
Between April 2022 and April 2023, Microsoft reported that its security systems blocked 4,000 password attacks every second, peaking in April 2023 at an average of 11,000 attacks per second. The escalation from 3 billion to more than 30 billion attempted attacks per month highlights the critical importance of fortifying your systems and exploring alternative approaches to safeguard your accounts.
What is an Identity Attack?
An identity-based attack is a cyberattack that targets and compromises the digital identity of individuals, organisations, or entities. The attacker will try to steal, alter, or misuse identity-related information such as usernames, domain names, email addresses, passwords, personal data, or digital certificates. The goal is often to gain access to systems, data, or resources, to commit fraud, or conduct malicious activities whilst hiding behind legitimate users or entities.
In this blog we will share information on the use of one-time password bots, Multifactor Authentication (MFA) fatigue, the importance of MFA and actionable insights you can follow to avoid password-based attacks.
One-Time Password Bots
Multi-factor Authentication (MFA) remains an effective security measure which adds an extra layer of protection. However, cybercriminals still manage to find ways to bypass it. One tactic they use is the one-time password bot (OTP bot), deployed to gain access and perform account takeovers. OTP bots extract authentication codes from users by tricking them into providing the OTP sent to them via SMS, authenticator apps, or email. The cybercriminal loads the victim’s phone number into the OTP bot, which calls the victim and pretends to be a legitimate service provider. The bot tells the victim there has been suspicious activity on their account and asks them to enter the OTP for “security verification”. The entered one-time password is then relayed to the cybercriminal, granting them access to the victim’s account.
MFA Fatigue Attacks are Threats
Multifactor authentication has increased in importance, which is why attackers have adapted their methods by sending MFA or passwordless sign-in prompts to potential victims, a technique known as MFA bombing or spamming. It is a social engineering tactic in which the attackers overwhelm their victims with repeated MFA requests, causing MFA fatigue and tricking the victims into accidentally approving a request. Once the victim does so, the attacker gains full access to the account and can modify the MFA settings, which lets them sign in at any time.
6,000 MFA fatigue attempts were observed per day by the end of June 2023, which indicates that cybersecurity attacks targeting MFA and passwordless sign-in are on the rise.
You can protect yourself and your organisation against MFA attacks by:
- Tighten MFA parameters: Reduce the time between factor authentications, limit the number of unsuccessful access attempts and increase the number of factors required to gain access.
- Improve security awareness around MFA: Frequent user education is essential. Train users, third-party contractors and vendors who operate within your resources on how to detect MFA attacks.
- Look into password management and authentication beyond MFA: Implementing FIDO2 (Fast Identity Online) authentication can be a powerful tool which eliminates password-only logins by replacing them with possession-based identification stored on a personal device.
- Enforce least privilege: Restrict access rights so that users can reach only the resources they need. If a compromised account lacks admin rights, the attacker’s ability to access large amounts of data is reduced.
Token Replay Attacks
Token replay attacks are a type of cyberattack in which an attacker captures and retransmits valid authentication tokens to gain unauthorised access to a system or service. Such tokens are often used to verify the identity of a user or device without requiring a password or other credentials. Attackers acquire the tokens through malware, phishing, or MFA fatigue and use them to launch additional attacks.
While token replay attacks account for less than three percent of all identity compromises, the consistent increase in detections suggests that cybercriminals still view it as an effective approach for attacks.
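The two patterns described above, an MFA-fatigue burst and a token presented from a second location, both leave traces in sign-in logs. The following Python script is an added example, not code from the original post or from CWSI or Microsoft: it runs two detections over a small constructed sign-in log. The record fields (`ts`, `user`, `event`, `result`, `ip`, `token`), the users, the RFC 5737 test addresses and the token ids are all made up for the example; map the fields onto your own identity provider's schema. The first detection counts MFA prompts per user in a sliding window (the "limit the number of attempts" control from the MFA section) and notes whether the burst ended in an approval; the second flags a token used from a different IP address within minutes of an earlier use.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def ev(ts, user, event, result, ip, token):
    """Build one sign-in record (constructed sample data, not real telemetry)."""
    return {"ts": datetime.fromisoformat(ts), "user": user, "event": event,
            "result": result, "ip": ip, "token": token}


# Constructed sample log: every user, timestamp, address and token id is invented.
SAMPLE_EVENTS = [
    # alice: one prompt, approved, token then used from the same address. Normal.
    ev("2023-06-20T08:00:00", "alice", "mfa_prompt", "approved", "203.0.113.10", "tok-a"),
    ev("2023-06-20T08:00:05", "alice", "token_use", "ok", "203.0.113.10", "tok-a"),
    # bob: six push prompts in five minutes at 02:10, five not approved, then one approved.
    ev("2023-06-20T02:10:00", "bob", "mfa_prompt", "denied", "198.51.100.7", None),
    ev("2023-06-20T02:11:00", "bob", "mfa_prompt", "denied", "198.51.100.7", None),
    ev("2023-06-20T02:12:00", "bob", "mfa_prompt", "timeout", "198.51.100.7", None),
    ev("2023-06-20T02:13:00", "bob", "mfa_prompt", "denied", "198.51.100.7", None),
    ev("2023-06-20T02:14:00", "bob", "mfa_prompt", "denied", "198.51.100.7", None),
    ev("2023-06-20T02:15:00", "bob", "mfa_prompt", "approved", "198.51.100.7", "tok-b"),
    # carol: her token is presented from a second address three minutes after the first use.
    ev("2023-06-20T09:00:00", "carol", "token_use", "ok", "203.0.113.55", "tok-c"),
    ev("2023-06-20T09:03:00", "carol", "token_use", "ok", "192.0.2.99", "tok-c"),
]


def mfa_fatigue_alerts(events, window=timedelta(minutes=10), threshold=5):
    """Flag users who received `threshold` or more MFA prompts inside any sliding `window`.

    Returns {user: {"prompts": n, "approved_in_burst": bool}}. A burst that ends in an
    approval is the MFA-bombing success case and needs the fastest response.
    """
    prompts = defaultdict(list)
    for e in events:
        if e["event"] == "mfa_prompt":
            prompts[e["user"]].append(e)
    alerts = {}
    for user, plist in prompts.items():
        plist.sort(key=lambda e: e["ts"])
        start = 0
        for end, cur in enumerate(plist):
            # Advance the window start until the oldest prompt fits inside `window`.
            while cur["ts"] - plist[start]["ts"] > window:
                start += 1
            burst = plist[start:end + 1]
            if len(burst) >= threshold:
                alerts[user] = {
                    "prompts": len(burst),
                    "approved_in_burst": any(p["result"] == "approved" for p in burst),
                }
    return alerts


def token_replay_alerts(events, window=timedelta(minutes=30)):
    """Flag a token presented from a second source IP within `window` of its first use.

    A token bound to one device should not appear from two addresses minutes apart;
    comparing against the first use only is a deliberate simplification.
    """
    first_seen = {}  # token id -> (timestamp, ip) of its first use
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event"] != "token_use" or e["token"] is None:
            continue
        prev = first_seen.setdefault(e["token"], (e["ts"], e["ip"]))
        if prev[1] != e["ip"] and e["ts"] - prev[0] <= window:
            alerts.append({"user": e["user"], "token": e["token"],
                           "ips": (prev[1], e["ip"]), "ts": e["ts"]})
    return alerts


if __name__ == "__main__":
    for user, info in mfa_fatigue_alerts(SAMPLE_EVENTS).items():
        print(f"MFA fatigue: {user} received {info['prompts']} prompts; "
              f"approved in burst: {info['approved_in_burst']}")
    for a in token_replay_alerts(SAMPLE_EVENTS):
        print(f"Token replay: {a['user']} token {a['token']} seen from "
              f"{a['ips'][0]} then {a['ips'][1]} at {a['ts']:%H:%M}")
```

On the sample data only bob trips the fatigue rule (six prompts, the last approved) and only carol's token trips the replay rule. The thresholds are starting points: tune the window and prompt count to your own baseline, and treat the "approved in burst" case as an account compromise until proven otherwise.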
The Importance of MFA Enablement on Virtual Private Networks (VPN)
VPNs have been used for many years to enable remote access to company resources via encrypted tunnels. However, ensuring that an organisation’s security strategy is compliant, and that its VPN configuration is aligned with a modern secure architecture, is essential. VPNs’ extensive use within corporate networks and their exposure to the internet have made them an easy target for attacks arising from misconfigurations, such as insufficient monitoring of user accounts and devices. Within corporate setups, users are typically assigned separate VPN accounts that have restricted access to the internal network. The use of MFA for these individual accounts is crucial for any VPN risk mitigation strategy. Implementing conditional access, monitoring and integrating security automation are also essential steps to ensure that these accounts remain secure.
Microsoft detected 158 million instances of password reuse across sites in June 2023. Strengthen your security and put identity-based attacks behind you by following these actionable insights.
Actionable Insights
- Use authenticator apps instead of relying solely on text message codes.
- Never share your security codes with anyone.
- Create strong and unique passwords using password generators. Use password managers to save your passwords securely.
- Educate yourself and your employees about common social engineering tactics to recognise and avoid interactions with OTP bots.
- Consider implementing risk-based and token protection policies in Conditional Access.
- Monitor systems for signs of token replay.
- Use non-phishable credentials which bind the token to the legitimate user’s device, such as Windows Hello for Business and FIDO (Fast Identity Online) keys.
- Use a unique password for each site.
- Secure your devices and accounts with multifactor authentication.
How Can We Help?
As a Microsoft Solutions partner and a member of the Microsoft Intelligent Security Association (MISA), CWSI has the expertise in privacy and data protection required to help you govern and safeguard your data as well as improve your compliance posture.
Want to learn more about what we can do to help? Contact us today via the form below.
Read the full Microsoft Digital Defence report HERE.