Critical vulnerabilities in multi-factor authentication (MFA) implementation in cloud environments where WS-Trust is enabled could allow attackers to bypass MFA and access cloud applications such as Microsoft 365 which use the protocol according to new research from Proofpoint.
As a result of the way Microsoft 365 session login is designed, an attacker could gain full access to a target’s account including their mail, files, contacts, data and more. At the same time though, these vulnerabilities could also be leveraged to gain access to other cloud services from Microsoft including production and development environments such as Azure and Visual Studio.
Proofpoint first disclosed the these vulnerabilities publicly at its virtual user conference Proofpoint Protect but they have like existed for years. The firm’s researchers tested several Identity Provider (IDP) solutions, identified those that were susceptible and resolved the security issues.
Microsoft is well-aware that the WS-Trust protocol is “inherently insecure” and in a support document, the company said that it will retire the protocol for all new tenants in October of this year, for all new environments within a tenant in April of 2021 and for all new and existing environments within a tenant in April of 2022.
In some cases, an attacker can spoof their IP address to bypass MFA using a simple request header manipulation while in others altering the user-agent header caused the IDP to misidentify the protocol and believe it was using Modern Authentication. According to Proofpoint, in all cases Microsoft logs the connection as “Modern Authentication” due to the exploit pivoting from the legacy protocol to the modern one.
With more employees working from home than ever before during the pandemic, MFA is quickly becoming a must-have security layer for cloud applications. However, there are several commonly known methods to bypass MFA.
The first of these is real-time phishing in which an attacker steals a user’s extra factor. This method can even be automated using tools such as Modlishka but attackers must update their tools frequently in order to avoid detection from large security vendors. Additionally, another real-time phishing method employed by cybercriminals is called “challenge reflection” where users are prompted to fill in their MFA credentials at a phishing site where they are distributed to the attackers in real time.
Channel hacking is another method used to bypass MFA where a victim’s phone or computer is hacked with malware. This malware can then use man-in-the-browser or web injects to get this information while some malware is capable of stealing MFA credentials from a user’s smartphone.
Finally, a cheaper and more scalable method of bypassing MFA leverages legacy protocols for attacks on cloud accounts. This bypass method can be easily automated and applied to credential dumps from the web or credentials obtained from phishing.
While MFA can provide an extra security layer to protect user accounts, using a physical security key can provide even greater protection for user credentials as a physical devices is required to access their accounts online.