Posted on September 18, 2020 at 1:25 PM
Many employees are now working from home due to the coronavirus pandemic. As a result, it has increased the activities of cybercriminals who will stop at nothing to take advantage of system vulnerability. This time, it seems the actors have found a way to bypass the multi-factor authentication for Microsoft 365.
A new report has revealed that vulnerabilities in Microsoft 365, a cloud-based office productivity platform, have given hackers access to bypass systems through cloud applications.
Proofpoint researcher made this revelation yesterday, saying the vulnerability has opened the door for hackers to circumvent multi-factor authentication (MFA) for Microsoft 365.
The vulnerability is visible upon the implementation of what is known as WS-Trust specification in the cloud environment.
Due to the design nature of the Microsoft 365 session login, the hacker may gain complete control of the target’s system and their account, including their data, contacts, files, and mail. Apart from the obvious access due to the vulnerability, hackers can take advantage to access other Microsoft cloud-based services such as Visual Studio and Azure.
Proofpoint initially revealed its discoveries to the public during the ProofPoint Protect virtual user conference, although the security research team said the vulnerability has been existing for years.
Proofpoint researchers look at different Identity Providers (IP) systems to identify those that are vulnerable to correct the security lapses.
Microsoft knows about the vulnerability
Microsoft is not unaware of the issues with the WS-Trust protocol, as evidenced in a support document it released earlier this year.
According to the report in the support document, the technology giant revealed it intends to stop offering support for the protocol and replace it with a new protocol next month.
In some instances, the hacker alters the user-agent header, which causes the IPD to wrongly identify the protocol and think it was utilizing modern authentication.
And in other instances, they spoof the target’s IP address to circumvent the multi-factor authentication with a simple request header manipulation.
Based on the report by Proofpoint, in every case, the connections are logged by Microsoft as “Modern Authentication” because of the exploit moving to the modern protocol from the previous one.
Attackers use different methods to bypass MFA
As more employees work from home than ever before, many organizations are quickly adopting a more secure platform with a multi-factor authentication protocol for a cloud application. But hackers are getting smarter and more complicated by using different methods to bypass the MFA protocol.
One of these methods is what is commonly regarded as real-time phishing, where the hacker hijacks the users’ password. Some hackers have even found a way to automate the process by utilizing tools like Modishka. To avoid been detected easily by the user or security researchers, the hackers update the tools frequently.
“Challenge reflection” is another real-time phishing method the hackers are using, where the user is asked to fill in the details of their MFA. While the user is filling the credential thought to be genuine from the sender, the details are sent directly to the attacker in real-time.
The second method the hackers use is what is regarded as channel hacking. In this method, the hacker plants malware on the target’s computer or phone. Subsequently, the malware can use web injects or man-in-the-browser to steal details as the malware retrieves MFA credentials from the user’s system.
A more scalable and less expensive method for hackers to bypass MFA makes use of legacy protocols to launch attacks on cloud accounts. The hackers can automate and apply the bypass method via credential dumps from the credentials or web obtained via the phishing method.
Although MFA is still a solid security protocol that offers an additional security layer, there is another method of offering better security. With the use of a physical security key, the user can provide better protection to their system since the hacker would need a physical device to have access to the user’s credentials.
The Microsoft 365 was initially known as Office 365, while the WS-Trust is used to renew and validate security tokens and part of a secure message-exchange-architecture.
According to the researchers, the main problem is the fact that WS-Trust is not a secure protocol, and Microsoft IDPs carried implementation on its specifications with various vulnerabilities.