Poor MFA, identity attacks dominate threat landscape in Q3 2024

Stop us if you have heard this one before: threat actors are preying on user identities and poor management of multi-factor authentication. The latest quarterly report from Cisco Talos detailed a number of trends emerging in the threat landscape, which included the poor management of identity and MFA.

The security vendor said that threat actors are increasingly targeting user identities, gunning to take over legitimate accounts that can, in turn, be leveraged to perform social-engineering attacks that result in far greater access to company data and network infrastructure.

“Identity-based attacks are concerning because they often involve actors launching internal attacks from a compromised, valid account — making such activity difficult to detect,” explained Cisco Talos researcher Caitlin Huey.

“Moreover, once account compromise is achieved, an actor can carry out any number of malicious activities, including account creation, escalating privileges to gain access to more sensitive information, and launching social engineering attacks, like business email compromise (BEC), against other users on the network.”

Of those identity attacks, brute force was the most popular technique. One quarter of the observed attacks involved brute force techniques such as password spraying. Other popular methods for stealing account credentials included the use of info-stealing malware and man-in-the-middle attacks.

Identity management and account security have been hot topics recently, thanks in part to Okta making them a focal point at its annual Oktane security conference. The vendor has pushed for, among other things, an open framework for identity management that would allow SaaS vendors to freely share identity data and reduce the need for exposing account credentials.

Also on the rise were attacks exploiting poorly configured multi-factor authentication. Nearly half of all incidents recorded included attacks that either exploited misconfigured MFA or mimicked legitimate login screens.

In such attacks, the threat actor would gather the MFA code and immediately use it to log into the actual service (such as Office 365) before the MFA credentials expired.

“In nearly 40% of engagements, misconfigured, lack of MFA, and MFA bypass accounted for the top observed security weaknesses this quarter,” explained Huey.

“MFA was bypassed or not fully enabled in 100% of the engagements which involved threat actors sending phishing emails to victims.”

MFA has been a hot topic in the security space as of late. Both vendors and government agencies have warned companies that in many cases the MFA systems currently in use are ineffective and prone to exploits. Customers have been advised to ditch older MFA formats such as SMS and push notifications in favor of more secure authentication technologies.

Shaun Nichols

A career IT news journalist, Shaun has spent 17 years covering the industry with a specialty in the cybersecurity field.