SolarWinds hackers have a clever way to bypass multi-factor authentication
Hackers who hit SolarWinds compromised a think tank three separate times. …
reader comments
78 with 61 posters participating
The hackers behind the supply chain attack that compromised public and private organizations have devised a clever way to bypass multi-factor-authentication systems protecting the networks they target.
Researchers from security firm Volexity said on Monday that it had encountered the same attackers in late 2019 and early 2020 as they penetrated deep inside of a think tank organization no fewer than three times.
During one of the intrusions, Volexity researchers noticed the hackers using a novel technique to bypass MFA protections provided by Duo. After having gained administrator privileges on the infected network, the hackers used those unfettered rights to steal a Duo secret known as an akey from a server running Outlook Web App, which enterprises use to provide account authentication for various network services.
The hackers then used the akey to generate a cookie, so they’d have it ready when someone with the right username and password would need it when taking over an account. Volexity refers to the state-sponsored hacker group as Dark Halo. Researchers Damien Cash, Matthew Meltzer, Sean Koessel, Steven Adair, and Thomas Lancaster wrote:
Toward the end of the second incident that Volexity worked involving Dark Halo, the actor was observed accessing the e-mail account of a user via OWA. This was unexpected for a few reasons, not least of which was the targeted mailbox was protected by MFA. Logs from the Exchange server showed that the attacker provided username and password authentication like normal but were not challenged for a second factor through Duo. The logs from the
Continue reading – Article source
Similar Posts: