How Threat Actors Target Multi-Factor Authentication according to Cisco Talos

In the latest Cisco Talos Incident Response Quarterly Trends Report, Hazel Burton discusses the growing trend of threat actors focusing on bypassing multi-factor authentication (MFA) in security incidents. The report found that MFA weaknesses were present in half of the incidents responded to by the Talos team in the first quarter of 2024. Attackers are exploiting these weaknesses with targeted social engineering tactics, such as fraudulent push notifications, and with phishing kits that have MFA bypass capabilities.

Burton emphasizes the importance of organizations understanding the evolving tactics of threat actors and strengthening their MFA implementation. She highlights the need for organizations to address potential weaknesses in their MFA solutions, such as poor implementation or lack of coverage on critical services. Attackers are increasingly targeting MFA as a means to gain access to systems using stolen credentials or through social engineering tactics.

The report also delves into the rise of push-spray attacks, where attackers exploit users’ acceptance of fraudulent push notifications to bypass MFA. These attacks are often timed during normal working hours to go unnoticed by users. Burton warns that attackers are leveraging social engineering tactics, such as calling IT departments for MFA enablement, to bypass MFA and compromise systems.
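One way to detect the push-spray pattern described above, as an added example that is not from the Talos report or the source article: it flags a user who approves a push prompt right after a burst of denied or unanswered prompts. The log format, field names, thresholds and sample events are constructed assumptions, not the output of any particular MFA product.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample MFA push events (hypothetical format): time, user, source IP, result.
SAMPLE_EVENTS = """\
2024-03-12T10:01:05 alice 198.51.100.7 denied
2024-03-12T10:01:40 alice 198.51.100.7 timeout
2024-03-12T10:02:10 alice 198.51.100.7 denied
2024-03-12T10:02:55 alice 198.51.100.7 approved
2024-03-12T10:05:00 bob 192.0.2.10 approved
2024-03-12T11:00:00 carol 203.0.113.5 denied
2024-03-12T14:30:00 carol 203.0.113.5 approved
"""

WINDOW = timedelta(minutes=10)   # assumed look-back window
MIN_FAILED = 3                   # assumed burst size before an approval is suspicious


def parse(text):
    """Yield (timestamp, user, ip, result) tuples from whitespace-separated lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than guess
        ts, user, ip, result = parts
        yield datetime.fromisoformat(ts), user, ip, result


def find_push_spray(events, window=WINDOW, min_failed=MIN_FAILED):
    """Return alerts for approvals preceded by >= min_failed denied/timeout pushes in window."""
    recent = defaultdict(deque)  # user -> timestamps of recent failed prompts
    alerts = []
    for ts, user, ip, result in sorted(events):
        failed = recent[user]
        while failed and ts - failed[0] > window:
            failed.popleft()  # drop prompts older than the window
        if result in ("denied", "timeout"):
            failed.append(ts)
        elif result == "approved":
            if len(failed) >= min_failed:
                # Time of day is not a filter: these prompts often arrive in working hours.
                alerts.append({"user": user, "ip": ip, "time": ts, "failed_before": len(failed)})
            failed.clear()  # approval ends the sequence for this user
    return alerts

if __name__ == "__main__":
    for a in find_push_spray(parse(SAMPLE_EVENTS)):
        print(f"{a['time']} {a['user']}: approved after {a['failed_before']} failed pushes from {a['ip']}")
```

An alert from this logic is a reason to confirm the approval with the user and review the session that followed it.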

Looking ahead, Burton predicts that attackers will continue to evolve their strategies to bypass MFA, including the use of phishing-as-a-service tools with MFA bypass capabilities. She urges organizations to remain vigilant and continuously assess the strength of their MFA defenses. While MFA is a critical defense measure, it is not a foolproof solution, and organizations must be proactive in addressing potential weaknesses in their MFA implementation.

Burton also highlights the importance of having alternative access policies in place for situations where MFA cannot be enabled. She recommends the use of security keys as an alternative authentication method to enhance identity context and security.

Overall, the report underscores the importance of organizations maintaining a strong defense posture against evolving threats to MFA security. By understanding the tactics used by threat actors and taking proactive measures to strengthen their MFA implementation, organizations can better protect their systems and data from unauthorized access and compromise.

Article Source
https://duo.com/decipher/cisco-talos-how-threat-actors-target-mfa