MFA Bypass — IT’S HERE!

A short while ago Microsoft discovered a new approach attackers have been using to quite easily bypass Multi-Factor Authentication (MFA) implemented as a security measure by many organizations. MFA is also the foundational bedrock security function that Cyber Insurance carriers rely on to reduce an insured’s risk profile.

The challenge is that MFA and even identity authentication “Zero Trust” touted by many security providers is based on a flawed premise. The current vulnerable method provides free and open access to the application and the system hosting it, only enforcing user identity. Yet the system and application attack surface remains freely accessible by anyone, anywhere.

This means that attackers have two key methods to bypass MFA:

1. They have access to the attack surface and can exploit vulnerabilities to implement ransomware, botnets and other malware as well as compromise the system to disclose information or completely take over the system.

2. Attackers easily execute a Man-in-the-Middle (MitM) attack where:

   1. The user is redirected to a “Look-Alike” site.

   2. Once on the site, the username and password entered is forwarded to the “Actual Site.”

   3. The legitimate site in turn issues a Time-based One-time Password (TOTP), otherwise known as MFA, back to the user via text message or email.

   4. The user enters the TOTP into the “look-alike” site which in turn forwards it to the “Actual Site” validating MFA for both the user and the attacker.

   5. The attacker now has access to the system and application with the same privileges as the user.

Acreto’s Patented Ecosystem model eliminates both of the flaws with MFA inherently and without complexities or even the addition of deployment steps. Acreto uses the patented Ecosystem model that isolates systems, applications, users and devices from the Internet as well as other internal systems.

The Ecosystem model has many advantages including:

1. Eliminating Internet and internal access to all systems, applications and devices which eliminates access to the attack surface, preventing exploitation of vulnerabilities.

2. It further eliminates the potential for Man-in-the-Middle attacks that facilitate MFA bypass campaigns that are more and more prevalent today.

Acreto Ecosystems secure any technology, on any network, anywhere. An Ecosystem provisions in 5 minutes and deploys in around 2 hours without the need for products, logistics and hard-to-find experts. Contact Acreto today for more information or to evaluate Ecosystem security for your organization.