Microsoft: Hackers Using 'Concerning' Tactic To Dodge Multi-Factor Authentication
Microsoft says token theft attacks are on the rise. From a report: Microsoft has outlined several mitigations to protect against attacks on multi-factor authentication that will unfortunately make life more difficult for your remote workers. Three years ago, attacks on multi-factor authentication (MFA) were so rare that Microsoft didn't have decent statistics on them, largely because few organisations had enabled MFA. But with MFA use rising as attacks on passwords become more common, Microsoft has seen an increase in attackers using token theft in their attempts to sidestep MFA.
In these attacks, the attacker compromises a token issued to someone who's already completed MFA and replays that token to gain access from a different device. Tokens are central to OAuth 2.0 identity platforms, including Azure Active Directory (AD), which aim to make authentication simpler and faster for users, but in a way that's still resilient to password attacks. Moreover, Microsoft warns that token theft is dangerous because it doesn't require high technical skills, detection is difficult and, because the technique has only recently seen an uptick, few organisations have mitigations in place. "Recently, the Microsoft Detection and Response Team (DART) has seen an increase in attackers utilizing token theft for this purpose," Microsoft says in a blogpost. "By compromising and replaying a token issued to an identity that has already completed multifactor authentication, the threat actor satisfies the validation of MFA and access is granted to organizational resources accordingly. This poses to be a concerning tactic for defenders because the expertise needed to compromise a token is very low, is hard to detect, and few organizations have token theft mitigations in their incident response plan."
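As an added illustration, not code from the report or from Microsoft's post: a toy resource server that honours a signed token carrying an MFA claim from any presenter (the replay the story describes, narrowed only by a shorter 'exp'), beside a sender-constrained variant in the spirit of DPoP (RFC 9449) where each request must also carry a proof from a device key registered at enrolment. The issuer key, the device key, the use of HMAC instead of asymmetric keys, and the 'cnf' binding are constructed assumptions for the demonstration.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample key; a real issuer would sign with an asymmetric key.
ISSUER_KEY = b"constructed-issuer-signing-key"


def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, lifetime: int, now: int, device_kid: Optional[str] = None) -> str:
    """Signed JWT-like token recording that MFA was completed ('amr': ['mfa']).
    With device_kid set, a 'cnf' claim (RFC 7800) binds the token to that device key."""
    claims = {"sub": subject, "amr": ["mfa"], "iat": now, "exp": now + lifetime}
    if device_kid is not None:
        claims["cnf"] = {"kid": device_kid}
    body = b64u(json.dumps(claims, sort_keys=True).encode())
    sig = b64u(hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def device_proof(device_key: bytes, token: str, method: str, url: str, now: int) -> str:
    """Per-request proof of possession (DPoP-style, simplified to HMAC): a MAC over the
    token plus the exact request and time. The device key itself is never transmitted."""
    msg = f"{token}|{method}|{url}|{now}".encode()
    return f"{now}.{b64u(hmac.new(device_key, msg, hashlib.sha256).digest())}"


class ResourceServer:
    """Validates tokens. A plain bearer token is honoured from any presenter, which is
    exactly what makes a stolen one replayable; a 'cnf'-bound token also needs a proof."""

    def __init__(self, device_keys: dict, proof_max_age: int = 60):
        self.device_keys = device_keys      # kid -> device key, registered at enrolment
        self.proof_max_age = proof_max_age
        self.seen_proofs = set()            # each proof is single-use

    def _verify_token(self, token: str, now: int) -> Optional[dict]:
        body, sig = token.split(".", 1)
        expected = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64u_decode(sig)):
            return None
        claims = json.loads(b64u_decode(body))
        # A shorter 'exp' is the lifetime mitigation: it only narrows the replay window.
        return claims if claims["exp"] > now else None

    def authorize(self, token: str, method: str, url: str, now: int,
                  proof: Optional[str] = None) -> bool:
        claims = self._verify_token(token, now)
        if claims is None:
            return False
        if "cnf" not in claims:
            return True                     # bearer semantics: possession is enough
        key = self.device_keys.get(claims["cnf"]["kid"])
        if key is None or proof is None or proof in self.seen_proofs:
            return False
        proof_time = int(proof.split(".", 1)[0])
        if abs(now - proof_time) > self.proof_max_age:
            return False
        expected = device_proof(key, token, method, url, proof_time)
        if not hmac.compare_digest(expected, proof):
            return False
        self.seen_proofs.add(proof)
        return True
```

Proof of possession stops a captured token from being reused elsewhere; it does not by itself stop an adversary-in-the-middle proxy that relays the live session while the victim is active.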
why is token replay possible? (Score:2)
I find it hard to take seriously an authentication protocol that is vulnerable to token replay. Wouldn't adding a time stamp and/or sequence number, protected by a cryptographically-secure hash, prevent token replay?
Re: (Score:2)
Just hash the last successful response and prevent another login until the challenge has refreshed.
Re:why is token replay possible? (Score:4, Informative)
It is a well known issue with TOTP replay. The RFC (https://www.rfc-editor.org/rfc/rfc6238#section-5.2) does highlight the issue
"... Note that a prover may send the same OTP inside a given time-step window multiple times to a verifier. The verifier MUST NOT accept the second attempt of the OTP after the successful validation has been issued for the first OTP, which ensures one-time only use of an OTP."
Other schemes such as HOTP and U2F explicitly prevent replay...
Re:why is token replay possible? (Score:4, Informative)
> include the IP address/CIDR block of the authenticating client
IP randomization / privacy extensions, corporate proxies with individual outbound IPs etc make relying on client IPs to remain stable for longer than a single TCP connection a disaster. It used to be popular to maintain session affinity based on client IP, but the realities of the internet made that worse than useless.
Re: (Score:2)
My garage door opener will not permit token replay.
Re: (Score:2)
> My garage door opener will not permit token replay.
Yea it will. All an attacker has to do is collect a bunch of "tokens" while blinding the GDO. Next they send the oldest one of the lot to the GDO so that it will finally close and you'll leave already.
After you are gone they replay the next oldest token, pair their own remote to your garage door to persist access and steal all your shit.
Re: (Score:2)
> I find it hard to take seriously an authentication protocol that is vulnerable to token replay. Wouldn't adding a time stamp and/or sequence number, protected by a cryptographically-secure hash, prevent token replay?
This is a red herring. The issue is granting tokens to phishers in the first place not whether or not they can be "replayed".
This is an avoidable problem with solutions (e.g. mutual PKI auth) in production use for literally decades. It's just that Microsoft is grossly incompetent and can't help but constantly attempt to poorly reinvent the wheel, so we are constantly treated to this nonsense.
Re: (Score:2)
Because at some point you have to go back to something password-like for auth. A lot of the lets-replace-password protocols are just a big pile of smoke and mirrors hiding the fact that what's going on behind the scenes is still pretty close to password auth. And that's not any kind of deliberate deception, it's because passwords have a bunch of properties that make them really, really hard to replace [ieee.org], and replacements are often just pay-no-attention-to-the-password-behind-the-curtain smoke and mirrors hiding the fact that when the rubber meets the road, it's some password-equivalent mechanism doing the work.
I wasn't able to read beyond the abstract of your IEEE reference, but accepting that passwords have good properties, what does this have to do with replay attacks? Even if you use a password to establish your identity, the token which remembers that shouldn't be able to be replayed.
Is it man in the middle? (Score:2, Insightful)
"When the user is phished, the malicious infrastructure captures both the credentials of the user, and the token," Microsoft explains. If both credentials and the token are stolen, the attacker can use these for numerous attacks. Microsoft highlights business email compromise, which is the largest cause of cybercrime financial losses today.
Should the token issued be specific to the particular machine the user is logging in from? Or is it a man in the middle capturing the password of the user and then obtaining an auth token from Microsoft? How can the token issued to the user for the user's machine and IP address combination be replayed from another machine?
Looks like Microsoft added some convenience feature, portable auth tokens not tied to a particular machine or IP address, opening the door for hackers?
Re: (Score:3)
IP addresses change, there are dynamic addresses, privacy addressing, pooled nat gateways, shared addresses etc. Plus if someone is able to mitm your connection they have access to the link and can originate from the same address.
Machines are identified based on the tokens sent (i.e. usually by setting cookies to track individual devices), so it's fairly easy to spoof as a trusted machine.
Re: (Score:2)
Almost all the streaming providers, including YouTube and Netflix spend enormous resources in identifying where the streams end up, people sharing passwords to streaming account etc. So the auth token could include some tracert info that is invariant. If the auth token is coming from a device the packets are going back to significantly different path, token could be invalidated or a new auth might be issued. I mean auth was issued to Boondocks, Pennsylvania area des
Re: (Score:2)
The hacker just needs to compromise a single device in the area, any random insecure device will do. This isn't hard to achieve at all.
Ping times vary due to load, signal strength, interference, routing changes etc - even for the same user.
2022 (Score:3)
This should not really be a surprise
yes yes not the same explicit expiration, claims, blah blah
- zoom out far enough and tokens are just fancy passwords. This was always going to be the next move in the arms race. Which is not to say anything is 'wrong' with token based authA/authZ schemes, just that it's not a surprise the token is going to become a/the target.
Recommended Mitigations (Score:5, Informative)
In case you're wondering, here are the recommended mitigations:
To counter the threat of token theft attacks on MFA, Microsoft recommends shortening session and token lifetimes, though this has a convenience cost to the user. Mitigations include:
Reducing the lifetime of the session increases the number of times a user is forced to re-authenticate
Reducing the viable time of a token forces threat actors to increase the frequency of token theft attempts
Microsoft recommends implementing Conditional Access App Control in Microsoft Defender for Cloud Apps for users connecting from unmanaged devices
Microsoft also recommends implementing FIDO2 security keys, Windows Hello for Business, or certificate-based authentication for users.
Users with high-level privileges, such as the Global Domain admin, should have a segregated cloud-only identity. This will help reduce the attack surface from on-premises to cloud if an attacker compromises on-premises systems. These identities should not have a mailbox attached to them, Microsoft said.
Re: (Score:1)
hmm
Re: (Score:2)
> hmm
Hmm what? It's standard best practice. In case a local admin account is compromised, it prevents that account from being used to also compromise the cloud tenant. It's the same reason we recommend admins not use their AD accounts to manage VMWare or other hypervisors, as that is another popular vector for jumping from PCs to the hypervisor hosts. It's why we recommend admins keep separate admin accounts, ideally protected with a PIM, and NOT use it as their everyday user account.
Re: (Score:2)
If a domain admin account is compromised then you gain access to all other accounts (via multiple methods) in any case.
If it's an admin account of something else then it's potentially not so bad.
Re: (Score:2)
> In case you're wondering, here are the recommended mitigations:
> To counter the threat of token theft attacks on MFA, Microsoft recommends shortening session and token lifetimes, though this has a convenience cost to the user. Mitigations include:
> Reducing the lifetime of the session increases the number of times a user is forced to re-authenticate
> Reducing the viable time of a token forces threat actors to increase the frequency of token theft attempts
> Microsoft recommends implementing Conditional Access App Control in Microsoft Defender for Cloud Apps for users connecting from unmanaged devices
These are not mitigations they are fundamental misunderstandings of the problem.
> Microsoft also recommends implementing FIDO2 security keys, Windows Hello for Business, or certificate-based authentication for users.
Well hey even broken clocks are right twice a day. Too bad Microsoft is actively doing away with certificate based authentication (e.g. "legacy authentication") in exchange.
> Users with high-level privileges, such as the Global Domain admin, should have a segregated cloud-only identity. This will help reduce the attack surface from on-premises to cloud if an attacker compromises on-premises systems. These identities should not have a mailbox attached to them, Microsoft said.
That's just swell but if this problem isn't fixed the answer is still "segregated" phishing attacks.
Stupid question (Score:2)
If an authenticated user (token) pops up on a new IP/device, require re-authentication?
Re: (Score:2)
yes just pay for that conditional access license.
Re: (Score:2)
What about roaming between IPs?
Some features must be limited... why are these tokens leaking easily? They are temporary but should be treated as securely as a type of password.
Re: (Score:2)
ADP and my bank make me log back in.
Re: (Score:2)
AS THEY SHOULD!
Convenience features shouldn't beat out security all the time.
When it doesn't matter then ok... stop fucking demanding my texting phone number "for security" for your throw away website! We all know they are planning to leverage that data in the future... hell, their only profit might be when they sell their business and their biggest asset could be their database!
Microsoft Circumvents its own security (Score:3)
Windows 11 has some interesting security circumvention problems.
My workplace disabled facial recognition, finger print login, and pin login. I've enabled all of them due to a bug in Windows.
It seems Microsoft security schemes may need fixing all across their ecosystem
Re: (Score:3)
> It seems Microsoft security schemes may need fixing all across their ecosystem
Always have. MS does not take security seriously, never has. To make matters worse, MS does not understand security and never has.
Re: (Score:2)
Sephiroth told me so!
Source address pinning (Score:2)
Simple mitigation, long-established: pin the token to the source address that authenticated. Any use of a token from any other source address is invalid and triggers re-authentication. It isn't perfect but it makes things much much harder for the attacker.
Re: (Score:2)
Does not work. Even if you don't have portable devices moving between networks, wireless to wired, wifi to mobile etc - you still have CGNAT.
If the connection isn't kept alive you really can't count on the device coming from the same IP address from one request to another. I guess you could pin to the source AS (CIDR allocation) and probably not break legitimate clients, but that also probably doesn't thwart attackers all that effectively, who can probably get on or are already on the same carrier network.
As far as PINi
Re: (Score:2)
Also if someone is in a position to mitm your connection, they are generally in a position to originate traffic from the same address you're using anyway.
Re: (Score:1)
The real question is why hasn't a single story about Twitter's downfall been posted on here?
Maybe because Twitter hasn't had a "downfall" yet? The site appears to be functioning as per normal as far as I can see. So perhaps the bluster from some employees that "this site can't run without us" was premature?
If Twitter went down, that would certainly be news. But so far, it all seems to be internal drama amongst ex-employees.
Re: (Score:2)
He's just downsizing, and correctly so. What does Twitter do that required 7500 employees? It's a web site, a bunch of servers, a couple of apps, with some corporate overhead. The bulk of their work is already done. It's not like they're constantly changing the tweet model. Even 4000 workers is way too many. It's not like they have a store in every outlet mall.
So what you're saying is the remaining employees should be able to work normal forty hour weeks, and we've all just mass hallucinated the new boss asking for long hours and high intensity.
Re: (Score:2)
One, this story is about MS and tokens, so you are probably in the wrong thread. Two, since I don't get a 404 when I go to twitter.com, I don't see the tech angle. Now if Elon slashing costs, and running a death march to recoup the money invested/promised to his creditors wasn't already be
Re: (Score:2)
As Musk has said, using the term pedo guy means the person's creepy or odd. Clearly that fits him.
As for the rest, if you don't see the dumpster fire that is Twitter as thousands of people [cbsnews.com] were fired without notice [yahoo.com], Musk firing people because they corrected him [theverge.com], and people leaving in droves because of the ultimatum on one of the well-known anti-social media sites, clearly you're being deliberately daft.
Re:This is a big deal (Score:4, Interesting)
Site up/down is not the only indicator of a technology-related issue. How about, new CEO demands engineers click a button on a webpage to agree to work 80-hours-per-week or they're fired? That's not tech newsworthy? After hundreds refuse to click the button and are fired, the CEO sends an email asking all programmers remaining show up at HQ with code samples in hand at 2:00 today?
An article on Slashdot might have garnered comments from actual Twitter engineers relating their experiences. Might have generated some new traffic to the site. Instead, there have been no less than 20 articles about FTX in the past 2 weeks.
Re: (Score:2)
> Two, since I don't get a 404 when I go to twitter.com, I don't see the tech angle.
We're well off topic now, but holy crap, anyone working in tech is aware of that old fable, the unpatched server with the greatest uptime.
You know, the one with the rabbit and the turtle, and the turtle can't find any documentation and the rabbit keeps shitting rancid tech debt all over?
And the moral of the story was "up" isn't everything or something like that.
And yet, MFA is recommended by auditors. (Score:2)
Re: (Score:3)
Auditors are checkbox tickers.
They check you comply with either law or best practices. Reality often matches well with those two, but sometimes doesn't.
I have pretty much the same experience as you.
Re: (Score:2)
I just feel management just wanted the audit to then follow the recommendations and cover themselves if something happens and blame the auditors.
It just grinds my teeth knowing how much we now need to spend on MFA authentication on a monthly basis on top of the fee that was given to these auditors.
Re: (Score:2)
And in practice, auditors don't even ensure that you are complying with the law. They just kind of glance over and see if anything looks funny.
Re: (Score:2)
Yep! Where I work, the cyber-insurance provider demanded we reduce our MFA token expiry time to no more than 1 day maximum. (Previously, if our users check-marked the option to remember their login, it would stop popping up MFA prompts for up to 45 days.)
I'm not saying 45 days wasn't too long ... but 1 day is terrible by comparison. We already have multiple domains so anyone accessing a resource on one domain while last using another gets a new MFA prompt, anyway. For some of our users with multiple devices
Re:And yet, MFA is recommended by auditors. (Score:5, Insightful)
Most security features are flawed in one way or another, nothing is perfect...
Implementing MFA, especially if doing a good job of the implementation will generally improve your security and not weaken it in any way.
The problem when people blindly follow and think something is perfect. Pretty much everything is flawed in some way, but so long as you understand the risks you can take steps to mitigate them.
Thinking that MFA (or anything else) is a magic bullet, and that you can simply turn it on and never have to worry about security again is the biggest vulnerability of all.
Re: (Score:2)
> Most security features are flawed in one way or another, nothing is perfect...
> Implementing MFA, especially if doing a good job of the implementation will generally improve your security and not weaken it in any way.
> The problem when people blindly follow and think something is perfect. Pretty much everything is flawed in some way, but so long as you understand the risks you can take steps to mitigate them.
> Thinking that MFA (or anything else) is a magic bullet, and that you can simply turn it on and never have to worry about security again is the biggest vulnerability of all.
There are certainly a huge array of threats that secure authentication schemes don't address: Inside jobs, $5 wrenches, cracked systems...etc.
Yet when it comes to Microsoft (and many others) you can be assured you never have to go that far to break into a system, as the authentication system is guaranteed to be designed in a laughably insecure manner where the problems with the implementations are well known and well understood.
The issue here isn't magic bullets it's basic competence.
Re: (Score:1)
You're right. Do away with MFA. Then all they have to do is get your password. No MFA required. Like it's the 1990s.
Seriously, did you think this through? It's another step. A step that would keep the vast majority of people out. Now if you want to break in you also have to be good enough to steal a MFA token. Password is like the guard that lets you onto the property with a car pass. MFA is like another guard at the building entrance.
Re: (Score:2)
> You're right. Do away with MFA. Then all they have to do is get your password. No MFA required. Like it's the 1990s.
> Seriously, did you think this through? It's another step. A step that would keep the vast majority of people out. Now if you want to break in you also have to be good enough to steal a MFA token. Password is like the guard that lets you onto the property with a car pass. MFA is like another guard at the building entrance.
Did I actually say I didn't want security beyond password protection? Is that really what your powers of deduction concluded from what I wrote?
I do want protection, it just clearly isn't MFA as it can be compromised by people with limited skills.
Auditors should be recommending something that isn't just the current trendy fad and be at least able to propose something else as a secondary option.
Re: (Score:1)
> You're right. Do away with MFA. Then all they have to do is get your password. No MFA required. Like it's the 1990s.
> Seriously, did you think this through? It's another step. A step that would keep the vast majority of people out. Now if you want to break in you also have to be good enough to steal a MFA token. Password is like the guard that lets you onto the property with a car pass. MFA is like another guard at the building entrance.
> Did I actually say I didn't want security beyond password protection? Is that really what your powers of deduction concluded from what I wrote?
> I do want protection, it just clearly isn't MFA as it can be compromised by people with limited skills.
> Auditors should be recommending something that isn't just the current trendy fad and be at least able to propose something else as a secondary option.
I didn't misunderstand anything. Looking back - you started this out by saying you were arguing with auditors to not use MFA. You said you pointed out articles.. and so on. They insisted on using it as they have to. If you're not using MFA as you said you were arguing against, it doesn't take a Sherlock Holmes to figure out you're using just a password. So my deductive reasoning is very firmly based on what you said. That's why I asked - is that really what you want? Password only? I was hoping you had some
That's too complicated (Score:2)
That's too complicated, there's a much easier way to breach MFA: simply keep trying to login. Eventually, your victim will either tap approve to make the annoying prompt go away, or will inadvertently approve your request while trying to approve their own legitimate one.
Re: (Score:1)
Yes typing over a code is more hassle, but at least you will be left alone at night when you are trying to sleep.
So this is about stealing a bearer token? (Score:1)
It's what I do everyday just to do my job...
Microsoft is embarrassing (Score:2)
The problem is not token theft, it is the fact that their defective-by-design authentication schemes are incapable of preventing verifier impersonation.
When Microsoft started requiring MFA while concurrently "deprecating" secure certificate based solutions I said exactly this would happen.
There is an easy solution to this (Score:2)
Yet, here we are, and Microsoft as usual is able to demonstrate why it made those recommendations so many decades ago.