Exploiting multi-factor authentication: Criminals further evolving their tactics to compromise protected accounts
April 26, 2021
The ACTI RECON team created this blog based on their tracking and pursuit of cyber criminal activities, including new or emerging tactics they are employing.
For some time, many security researchers have stressed the importance of cyber hygiene, particularly around securing online accounts. Using complex, hard-to-guess passwords is the first step in securing online resources. However, password complexity is often not enough to prevent account theft if passwords are stolen, especially if passwords are reused across multiple websites. Thus, an extra layer of security is necessary, and this is where multi-factor authentication (MFA) comes into play.
MFA requires a user to enter a code, typically generated via SMS, email, or an authentication application such as Authy or Google Authenticator. However, just as with any security measure, malicious actors find effective methods to circumvent MFA. Threat actors use methods such as malware, phishing, token cracking, SIM swapping, and exploits to bypass SMS-based MFA and authentication apps. Between January 2019 and April 2021, Accenture’s Cyber Threat Intelligence (ACTI) team observed malicious actors on underground sites buying and selling an array of products and services to bypass MFA.
One technique for bypassing MFA is to use stealthy malware like mobile malware and credential stealers. In July 2019, the actor “ANDROID” released the Cerberus mobile malware on a highly popular underground forum. Initially, Cerberus included an MFA “grabber” module for intercepting SMS MFA codes. By February 2020, many security researchers observed upgraded Cerberus variants capable of grabbing MFA codes from Google Authenticator. When these features are combined with Cerberus web injects (code designed to steal financial data), the malware makes a reasonably effective all-in-one solution for defeating MFA.
Credential stealers, malware capable of stealing account data, can also defeat MFA. ACTI notes that in 2020, threat actors began selling credential stealers capable of stealing MFA codes from authentication apps, such as Authy, on Windows systems. One such example is Nexus Stealer, which also has features for stealing passwords, credit card information, website cookies, and browser histories, as well as data from messaging and VPN applications. Even more troubling, threat actors can purchase Nexus Stealer for as little as US$100.
Creating malware modules aimed at defeating MFA likely requires significant upfront time and effort. However, because the process is automated, malware with MFA-bypassing capabilities gives its operators a distinct advantage: they can target many victims at once, unlike with techniques such as SIM swapping.
Another common technique threat actors use to bypass MFA is phishing. Actors use phishing toolkits based on legitimate penetration testing tools such as Evilginx and Modlishka, which are designed to highlight flaws in MFA. Based upon ACTI research, these attacker-modified versions of Evilginx and Modlishka can bypass MFA on services like Microsoft Office 365, Facebook, Instagram, WordPress, and cryptocurrency exchanges such as Blockchain.com. At present, threat actors lease and sell phishing kits capable of bypassing MFA for several hundred to several thousand US dollars.
At a relatively low cost compared to the anticipated payout of a successful compromise, buying a phishing kit that includes features to bypass MFA is a low-effort endeavor. Phishing still requires actors to compile lists of email addresses for campaigns. Compiling email lists can be an arduous process, and success rates for delivering phishing emails can be low, so the technique may be low reward for less experienced actors.
Threat actors also offer “cracking” services for MFA codes generated via SMS or authentication apps, also known as MFA “tokens.” In a December 2019 underground forum posting, actor “X4Crow” advertised services to crack MFA tokens of “any website or application on the planet.” As seen below, “X4Crow” can crack numeric, alphabetical, alphanumeric, and currency value tokens, with some limitations. “X4Crow” can crack 6-digit SMS codes and currency value tokens on platforms with unlimited attempts to enter the correct token. However, “X4Crow” states that tokens cannot be cracked in the following instances:
[Image omitted: the “X4Crow” forum advertisement referenced above]
Although cracking services are optimized to support “non-dynamic” interactions where a login is automatically approved after correct token entry, these services are rarely successful on sites requiring “dynamic” interactions, those involving a secondary form of interaction after correct token entry. According to “X4Crow,” successful cracking of a single token can take several minutes to several hours.
Cracking MFA tokens is a niche market with several noted limitations in both the type of interaction the seller can crack as well as the requirement for the attacker to have at least a username and password. If these conditions are met, cracking MFA tokens is likely effective but more costly, with prices ranging from US$1,000 to US$3,000 to perform reconnaissance and crack a single token.
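The cracking services described above only work against platforms that allow unlimited attempts to enter a 6-digit code. The following is an added example, not code from the post or from Accenture, showing the server-side verification policy that removes that precondition: a code store with a bounded attempt count, a code lifetime, single-use codes and a constant-time comparison. The policy values (5 attempts, 5-minute lifetime), the `OtpStore` class and the `simulate_exhaustive_guessing` helper are assumptions constructed for the demonstration; the helper models a guesser that submits every code in order so the effect of the limit can be seen directly.

```python
import hmac
import secrets
import time

# Assumed policy values for the demonstration, not taken from the post.
CODE_DIGITS = 6
MAX_ATTEMPTS = 5             # wrong guesses allowed before the code is invalidated
CODE_LIFETIME_SECONDS = 300  # code expires five minutes after issue


class OtpStore:
    """In-memory record of outstanding one-time codes, keyed by user.
    A stand-in for the database a real service would use."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, lifetime=CODE_LIFETIME_SECONDS, now=time.time):
        self.max_attempts = max_attempts  # None models a platform with unlimited attempts
        self.lifetime = lifetime
        self._now = now                   # injectable clock so expiry can be tested
        self._codes = {}                  # user -> {"code", "issued_at", "attempts"}

    def issue(self, user, code=None):
        # The code argument exists only so demonstrations are reproducible;
        # a production service always generates the code itself.
        if code is None:
            code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._codes[user] = {"code": code, "issued_at": self._now(), "attempts": 0}
        return code

    def verify(self, user, submitted):
        """Return (accepted, reason). Every failure path that ends the code's
        life deletes it, so a guesser cannot keep probing the same code."""
        entry = self._codes.get(user)
        if entry is None:
            return False, "no_code_outstanding"
        if self._now() - entry["issued_at"] > self.lifetime:
            del self._codes[user]
            return False, "expired"
        entry["attempts"] += 1
        # compare_digest does not short-circuit on the first differing digit,
        # so timing does not reveal how much of a guess was correct.
        if hmac.compare_digest(entry["code"], str(submitted)):
            del self._codes[user]  # codes are single-use
            return True, "ok"
        if self.max_attempts is not None and entry["attempts"] >= self.max_attempts:
            del self._codes[user]  # attempt budget exhausted: code is dead
            return False, "locked"
        return False, "wrong_code"


def simulate_exhaustive_guessing(store, user):
    """Model of a cracking service submitting every possible code in order.
    Returns (succeeded, guesses_made, last_reason)."""
    for guess in range(10 ** CODE_DIGITS):
        ok, reason = store.verify(user, f"{guess:0{CODE_DIGITS}d}")
        if ok:
            return True, guess + 1, reason
        if reason in ("locked", "expired", "no_code_outstanding"):
            return False, guess + 1, reason
    return False, 10 ** CODE_DIGITS, "exhausted"


if __name__ == "__main__":
    limited = OtpStore()
    limited.issue("demo-user", code="004242")
    print("with attempt limit:", simulate_exhaustive_guessing(limited, "demo-user"))
    unlimited = OtpStore(max_attempts=None)
    unlimited.issue("demo-user", code="004242")
    print("without attempt limit:", simulate_exhaustive_guessing(unlimited, "demo-user"))
```

With the limit in place the guesser is stopped after five submissions; without it the same code is recovered by enumeration, which is exactly the gap the cracking services rely on. A lifetime alone is not enough, since a 6-digit space can be exhausted well within five minutes by an automated client; the attempt budget is what makes the code safe.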
The process of SIM swapping to bypass MFA is likely effective and has attracted attention on darknet forums over the last several years. SIM swapping involves social engineering or insider attacks on mobile carriers to transfer a mobile phone’s subscriber identity module (SIM) card ownership to a malicious actor. When a swap is successful, an attacker can intercept MFA codes sent via SMS or phone calls.
As SIM swapping has gained attention, supply and demand have increased. Since January 2019, ACTI has observed SIM swapping services impacting mobile carriers in North America and Europe. SIM swapping prices are based on revenue earned from draining a single victim’s bank or cryptocurrency accounts, money which the swapper and customer will split. Alternatively, malicious actors may charge flat rates for single swaps. Since January 2019, ACTI found prices for single swaps range from US$200 to over US$1,000.
SIM swapping requires threat actors to convince a mobile carrier, likely over the phone, to transfer SIM card ownership. This demands a higher level of effort, as well as knowledge of the victim’s personally identifiable information (PII) needed to bypass carrier security measures. Threat actors cannot use this type of attack against multiple victims at once, which further increases the level of effort.
While in low supply, exploits to bypass SMS MFA are in high demand among malicious actors. Most notably, actors are interested in obtaining Signaling System 7 (SS7) exploits. SS7 is a series of protocols used by all mobile phone networks globally to exchange the information needed to route phone calls and SMS messages. Exploiting SS7 could allow threat actors to forward or listen to calls, read text messages, or track a phone’s location. Historically, SS7 exploitation has been rare, though in 2017 malicious actors exploited SS7 to carry out phishing attacks and bypass SMS MFA to cash out German bank accounts.
ACTI also observed actors selling other types of MFA bypass exploits. The malicious actor “Cyberwaffen” claims to have discovered a “social engineering exploit” impacting US mobile carriers like T-Mobile® and Verizon® (see image below). According to “Cyberwaffen,” the exploit results in disclosure of SMS and call logs, mobile location data, account PIN, billing address, and in certain cases, partial credit card and Social Security numbers (SSNs).
[Image omitted: the “Cyberwaffen” advertisement referenced above]
In the February 2020 advertisement, “Cyberwaffen” sought US$120,000 for the exploit. Due to the exorbitant price and features that appear too good to be true, ACTI assesses it is likely the exploit is inauthentic.
Exploits likely carry the highest level of effort but will also have the highest reward, as a cyber criminal could presumably use an exploit against multiple victims at once with a lower chance of detection.
Some readers may wonder what the end goals of MFA exploitation are. In most cases, the main goal is financial gain. This occurs through account takeover (ATO), which can then be used to empty financial accounts or make fraudulent purchases. Threat actors can use e-commerce and social networking accounts compromised via MFA exploitation for identity theft or to purchase high-value goods.
Malicious actors are increasingly interested in cryptocurrency accounts specifically, likely for the anonymity inherent in using cryptocurrency exchanges. Threat actors use the methods described above to bypass SMS MFA and authentication apps to steal funds from online wallets of cryptocurrency exchanges. In most cases, actors must provide an email address, password, and cookies of the target wallet for successful theft. Some providers of cryptocurrency wallet hacking services indicate they communicate directly with crypto-exchange technical support to bypass MFA and facilitate withdrawals. ACTI assesses the large number of cryptocurrencies and the increasing number of investors are probably among the main driving forces in the proliferation of cryptocurrency hacking services.
Due to MFA’s wide use across personal and business applications, techniques to bypass MFA are attractive to threat actors conducting espionage endeavors as well. In the case of email and social networking accounts, actors may carry out targeted attacks on high-value targets (HVTs) for cyber espionage.
Evolving techniques for bypassing MFA highlight a greater need than ever for account security. However, implementing any form of MFA helps reduce the risk of account compromise via most attacks. The debate rages on as to the most effective type of MFA.
ACTI researchers found SMS-based MFA to be the weakest form, based on the abundance of available tools that can bypass SMS-based MFA, such as mobile malware and credential stealers, as well as exploitation techniques such as SIM swapping and SS7 exploits.
According to Microsoft researchers, SMS-based MFA has inherent weaknesses compared with other authentication methods. They argue mobile carriers and other organizations may transmit SMS MFA codes in cleartext, and attackers can easily access the codes through social engineering or through interception via malware or SS7 exploitation.
Authentication applications and hardware-based MFA keys can be effective at deterring MFA compromises. ACTI analysts have not observed criminals discussing or advertising techniques for bypassing hardware-based MFA keys.
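The reverse-proxy phishing kits mentioned earlier work by sitting between the victim and the real site and relaying whatever the victim types, including SMS or authenticator codes. Hardware-based MFA keys resist this because a WebAuthn/FIDO2 assertion is bound to the origin the browser actually visited and to the relying party’s ID, and the relying party checks both before accepting a login. The block below is an added example, not code from the post or from Accenture, of those relying-party binding checks. The domain names, the challenge bytes and the helper functions that build sample `clientDataJSON` and `authenticatorData` values are constructed for the demonstration; signature verification over `authenticatorData || SHA-256(clientDataJSON)` is deliberately omitted so that the origin and RP ID checks stand out.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding WebAuthn uses for challenges."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def verify_assertion_binding(client_data_json: bytes, authenticator_data: bytes,
                             expected_origin: str, rp_id: str, expected_challenge: bytes):
    """Relying-party checks that tie an assertion to this site and this login.
    Returns (accepted, reason). Signature verification is omitted in this demo."""
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "client_data_not_json"
    if client_data.get("type") != "webauthn.get":
        return False, "wrong_ceremony_type"
    # The challenge is fresh per login, so a captured assertion cannot be replayed.
    if client_data.get("challenge") != b64url(expected_challenge):
        return False, "challenge_mismatch"
    # The browser, not the user, records the origin it was really talking to.
    # A relay server on a look-alike domain therefore produces the wrong origin.
    if client_data.get("origin") != expected_origin:
        return False, "origin_mismatch"
    if len(authenticator_data) < 37:
        return False, "authenticator_data_too_short"
    # First 32 bytes of authenticatorData are SHA-256 of the RP ID the
    # authenticator used; it must be ours.
    if authenticator_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rp_id_mismatch"
    flags = authenticator_data[32]
    if not flags & 0x01:  # UP bit: the user physically touched the key
        return False, "user_presence_not_asserted"
    return True, "ok"


def make_authenticator_data(rp_id: str, user_present: bool = True, counter: int = 1) -> bytes:
    """Constructed authenticatorData: rpIdHash || flags || 4-byte signature counter."""
    flags = 0x01 if user_present else 0x00
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + counter.to_bytes(4, "big")


def make_client_data(origin: str, challenge: bytes, ceremony: str = "webauthn.get") -> bytes:
    """Constructed clientDataJSON as a browser would produce it for the given origin."""
    return json.dumps({"type": ceremony, "challenge": b64url(challenge),
                       "origin": origin, "crossOrigin": False}).encode()


if __name__ == "__main__":
    # Constructed names; any real service would use its own domain and a
    # per-login challenge from secrets.token_bytes(32).
    RP_ID = "example.com"
    ORIGIN = "https://login.example.com"
    challenge = bytes(range(32))
    auth_data = make_authenticator_data(RP_ID)
    genuine = make_client_data(ORIGIN, challenge)
    print("genuine login:", verify_assertion_binding(genuine, auth_data, ORIGIN, RP_ID, challenge))
    # What a relayed assertion would carry: the origin of the proxy domain the
    # victim actually visited, not the real site.
    relayed = make_client_data("https://login.example-com.net", challenge)
    print("relayed login:", verify_assertion_binding(relayed, auth_data, ORIGIN, RP_ID, challenge))
```

In practice the browser would not even offer a credential registered for `example.com` on an unrelated origin, so the relayed case normally fails one step earlier; the check is shown on the server side because that is the point at which a relying party can log and alert on origin or RP ID mismatches, which are a useful signal that users are being directed through a look-alike site.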
ACTI suggests users adhere to the following recommendations to reduce the risk of MFA exploitation:
Our ACTI team provides actionable and relevant threat intelligence to support decision makers. The intelligence analysis and assessments in this report are grounded in verified facts; more information on this activity is available to subscription customers on ACTI IntelGraph. IntelGraph is a proprietary next generation security intelligence platform that allows users to search, visualize, and contextualize the relationships between malicious actors, their tools and the vulnerabilities they exploit.
Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.
Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from Accenture. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. Given the inherent nature of threat intelligence, the content contained in this article is based on information gathered and understood at the time of its creation. It is subject to change. Accenture provides the information on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this report.
The information in this blog post is general in nature and does not take into account the specific needs of your IT ecosystem and network, which may vary and require unique action. You should independently assess your specific needs in deciding to use any of the tools mentioned. The Authy, Google Authenticator, Evilginx, and Modlishka tools are not Accenture tools. Accenture makes no representation that it has vetted or otherwise endorses these tools, and Accenture disclaims any liability for their use, effectiveness or any disruption or loss arising from use of these tools.
This document makes reference to marks owned by third parties. All such third-party marks are the property of their respective owners. No sponsorship, endorsement or approval of this content by the owners of such marks is intended, expressed or implied.
Copyright © 2021 Accenture. All rights reserved.