Bypassing Two-Factor Authentication
Two-Factor Authentication (2FA) adds an extra layer of security that can prevent unauthorised access to your accounts. Rather than requiring just a username and password (something you know), the user is required to provide an additional piece of information to prove their identity. This can be achieved in various ways, but most commonly it is done by confirming a request on a mobile app or entering a one-time code sent to a phone. Although this dramatically increases login security, it is not unbreakable and does not provide a complete solution for protecting user logins from cyber criminals.
In this blog post, we will demonstrate how 2FA can be bypassed. The technique shown can be used by attackers against any service, such as Google, Amazon, Facebook, Instagram, Twitter etc.
For the purpose of our demonstration, we will be carrying out this attack against a Microsoft 365 account. As of today, it is estimated that Microsoft 365 has well over 250 million users and therefore provides the most lucrative target, with a large attack surface and a high possibility of access to extremely sensitive and critical business information.
We hope to make companies aware of the simplicity of this attack and to emphasise the risks it presents.
Our video post can be found here.
To set up the attack, we registered the domain name loginmicrosoftonline.co.uk. The website mirrors the Microsoft 365 login page, including any unique customisations. At the end of the login process, the user is signed into their Microsoft 365 account; however, their username, password and session token are dropped onto the attacker's server.
This session token is then used to bypass the login process, allowing the attacker to log in as their target.
How could this attack be launched?
Phishing - according to Deloitte, 91% of cyber-attacks start from phishing. Sending an email with a link to a Word document or Excel spreadsheet would work well in this scenario.
Public Wi-Fi - when you are using public Wi-Fi, you place complete trust in the network to direct your requests to the correct website. The scenario below could be accomplished by setting up a rogue access point at a coffee shop or an airport and redirecting Microsoft 365 traffic to our website.
Upon visiting the website, the user is greeted with the usual Microsoft login experience. The padlock shows the website has a valid certificate, and the "Terms of use" and "Privacy & Cookies" links redirect the user to the official Microsoft pages.
The only giveaway is the website name loginmicrosoftonline.co.uk. For a user in the UK, only the missing "." between "login" and "microsoftonline" would raise an alarm that this is a phishing website.
In general, entering just an email address into a phishing website is not going to cause too much damage. When the user clicks "Next", all the organisation's customisations are replicated. In our scenario, the company has a custom and unique background picture. This instils confidence that the web page is legitimate. At this point, it would feel like there is little reason to verify that the web address is correct.
The user enters their password and clicks "Sign in". This returns the prompt for 2FA: an alert is pushed to the user's phone asking them to confirm they are trying to sign in, or to enter a 6-digit code that changes every 30 seconds. This further reinforces confidence that the website is legitimate.
After confirming the authentication request or entering the pin code, the login process is complete and the user is asked whether they wish to remain signed in.
Like many other users, for ease of use, our target clicks "Stay signed in". This creates a more persistent session token, which would remain valid until the user signs out or the token expires.
The user is redirected to their Microsoft 365 home page, and with the exception of the web address, everything else appears and functions as normal.
The Attacker's View:
Over on the attacker's terminal, we can see that the input was stored as the user logged in. If the organisation solely required a username and password to log in, then this information would be exposed and would remain valid to the attacker until the user changed their password. However, this information on its own would not be enough to bypass 2FA.
Nevertheless, during the login process the session token was captured and, provided the user is still logged in, it remains valid for the attacker to use. (N.B. just closing the web browser does not mean you have signed out.)
Now, all the attacker would have to do is simply copy and paste this token into a cookie editor to impersonate the user.
The attacker would visit login.microsoftonline.com and they would be signed in with no authentication required.
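The replayed token described above leaves a server-side trace: one session id presented from two different client fingerprints. The following is an added detection example (not code from the original post); the log format, field names and sample records are constructed for illustration and do not match any real Microsoft 365 log schema.

```python
import json
from collections import defaultdict

# Constructed sample sign-in log, one JSON record per line (not real Microsoft 365 logs).
# The third record is the captured session id being used from a different IP and browser.
SAMPLE_LOG = """\
{"ts": "2020-05-01T09:00:00Z", "user": "alice@example.com", "session": "s-1111", "ip": "198.51.100.10", "ua": "Firefox/76"}
{"ts": "2020-05-01T09:00:05Z", "user": "alice@example.com", "session": "s-1111", "ip": "198.51.100.10", "ua": "Firefox/76"}
{"ts": "2020-05-01T09:12:30Z", "user": "alice@example.com", "session": "s-1111", "ip": "203.0.113.77", "ua": "Chrome/81"}
{"ts": "2020-05-01T10:00:00Z", "user": "bob@example.com", "session": "s-2222", "ip": "198.51.100.20", "ua": "Edge/81"}
"""


def parse_log(text):
    """Parse one JSON record per line; skip blank or malformed lines instead of aborting."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def find_replayed_sessions(records):
    """Return {session: {"user": ..., "fingerprints": [...]}} for every session id seen
    from more than one (client IP, user agent) pair. A stolen token replayed from the
    attacker's machine adds a second fingerprint to a session that never signed in again."""
    seen = defaultdict(set)
    owner = {}
    for r in records:
        seen[r["session"]].add((r["ip"], r["ua"]))
        owner[r["session"]] = r["user"]
    return {s: {"user": owner[s], "fingerprints": sorted(fps)}
            for s, fps in seen.items() if len(fps) > 1}


if __name__ == "__main__":
    for sid, info in find_replayed_sessions(parse_log(SAMPLE_LOG)).items():
        print(f"session {sid} ({info['user']}) used from {len(info['fingerprints'])} "
              f"client fingerprints: {info['fingerprints']}")
```

A legitimate user moving between networks (office Wi-Fi to mobile data) produces the same signal, so treat hits as a triage queue for Conditional Access or forced sign-out rather than a verdict on their own.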
By no means does this attack suggest that avoiding the implementation of 2FA is a better solution. Exclusively relying on just a username and password poses a much greater risk.
This article highlights that there are risks associated with 2FA and that new exploit methods are constantly being developed. As a result, businesses and individuals are constantly required to change and adapt their procedures to these threats.
Below, we have provided some steps to help organisations defend themselves from this attack:
Sign out of accounts
Staff Awareness Training - everyone in the organisation plays their part in keeping the company's digital assets safe. Regularly training staff helps keep them aware of the tactics and techniques used by cyber criminals. In addition, the skills they learn are transferable outside the workplace into their own private lives. This can help keep them and their loved ones safe online.
Policies and Procedures - although this is not the most glamorous step, policies and procedures are extremely valuable in defending your company against cyber attacks. In brief, policies and procedures help staff know what the correct action is to take, or who to consult if they are unsure. For example, new employees, who can easily be discovered via LinkedIn or the company website, make superb phishing targets as they are less familiar with their new company's policies and procedures. Implementing a security framework, like Cyber Essentials, is a great place to start.
LastPass (Password Manager) - LastPass helps generate long, complex and unique passwords for every website and stores them. Another benefit of LastPass is that it auto-fills the username and password for stored websites. In our scenario above, LastPass would not recognise the website's address and would not auto-fill the username or password. This should raise an alarm to the user that something is not right.
Yubikeys - Yubikeys can be purchased from Amazon and integrated with password managers, such as LastPass.
Microsoft Conditional Access Rules