Sunday, 05 February 2023

MFA Flaw used by State Threat Actors to Move Around your Network


Multi-Factor Authentication is often seen as an answer to account compromise, or at least a partial answer to this issue. The problem is that while MFA can help with account compromise, it is certainly not the end-all of account protection and, like any other software control, it is potentially vulnerable to coding mistakes and other flaws that attackers can leverage. According to a recent FBI report, state-backed attackers have found a way to abuse certain default configurations to register their own devices.

The flaw in question is a fail-open state found in DUO’s default MFA configuration. In other words, if the DUO servers cannot be reached (due to a service outage or other issue), authentication is allowed instead of blocked. This gives attackers a convenient opening to exploit once they compromise an account. It is even more of a problem if the default configuration allows re-enrollment for stale accounts. Basically, if an account has been unenrolled in DUO due to inactivity but not deactivated in your authentication system, that account can be re-enrolled on a new device. If someone can compromise the stale account, they can then enroll their own device and gain access to the organization. Depending on the level of access that the account has, there is an option to move further into the organization.

In the case of the FBI report, the threat actors were able to compromise a stale account that used a simple password. They enrolled their own device to satisfy the MFA requirement and, once in the environment, leveraged PrintNightmare to escalate privileges. They went after the hosts file on a domain controller and modified it so that all MFA requests for DUO just looped back to localhost. This effectively disabled MFA in the environment due to the fail-open flaw in most MFA configurations.
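One way a defender can check for the hosts-file tampering described above is to parse the hosts file and flag any entry that pins a DUO hostname, treating loopback or unspecified targets as the localhost sinkhole. This is an added example, not code from the post or from DUO; the hosts-file contents and the `api-…duosecurity.com` hostnames are constructed, and `DUO_SUFFIXES` is an assumption about which domains DUO clients contact.

```python
"""Flag hosts-file entries that redirect DUO MFA endpoints (added example)."""
import ipaddress

# Assumption: hostnames DUO clients contact end in one of these suffixes.
# A legitimate hosts file has no reason to carry any entry for them.
DUO_SUFFIXES = ("duosecurity.com", "duofederal.com")

# Constructed sample hosts file; the DUO hostnames are placeholders.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
10.0.0.5        fileserver.corp.example
127.0.0.1       api-1a2b3c4d.duosecurity.com   # added by attacker
0.0.0.0         api-1a2b3c4d.duosecurity.com
192.168.1.10    api-9f8e7d6c.duosecurity.com
"""


def parse_hosts(text):
    """Yield (ip, hostname, line_no) per mapping, skipping comments and blanks."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower(), line_no


def is_duo_host(name):
    return any(name == s or name.endswith("." + s) for s in DUO_SUFFIXES)


def find_duo_overrides(text):
    """Return every hosts line that pins a DUO hostname.

    'sinkhole' marks loopback/unspecified targets (the localhost redirect
    from the report); 'redirect' marks any other address, which is still
    suspicious because DUO endpoints should resolve via DNS only."""
    findings = []
    for ip, name, line_no in parse_hosts(text):
        if not is_duo_host(name):
            continue
        try:
            addr = ipaddress.ip_address(ip)
            sinkhole = addr.is_loopback or addr.is_unspecified
        except ValueError:  # malformed address field; still report the entry
            sinkhole = False
        findings.append({"line": line_no, "ip": ip, "host": name,
                         "kind": "sinkhole" if sinkhole else "redirect"})
    return findings


if __name__ == "__main__":
    for f in find_duo_overrides(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} ({f['kind']})")
```

On a real host, read `C:\Windows\System32\drivers\etc\hosts` (or `/etc/hosts`) into `find_duo_overrides` from a scheduled job and alert on any non-empty result.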

The threat scenario detailed in the FBI report highlights several areas where best practice was not employed. Stale and unused accounts should be deactivated in your authentication system as soon as possible. Re-enrollment options in MFA should be restricted and/or require a secondary interaction to ensure that it is the correct user who is looking to enroll a new device. Additionally, environments should be scanned and patched for vulnerabilities to ensure that when an account is compromised, options for privilege escalation are minimal or non-existent.

MFA is a great tool when properly configured. It can help to prevent account compromises, but like any other system, it needs to be configured properly and checked to ensure that it is not vulnerable to compromise and exploitation. Ensuring proper configuration of your MFA system, along with maintaining best practices, will help to remove as many attack avenues as possible and reduce your risk.

Happy patching.
