A growing incidence of multi-factor authentication (MFA) compromises is dominating the threatscape.
The recent breaches at Cisco and Twilio were part of a large phishing campaign that resulted in close to 10,000 credentials at 130 organizations being compromised. Another noteworthy MFA attack was the recent adversary-in-the-middle (AiTM) compromise at Microsoft, impacting over 10,000 organizations. We’re also tracking the persistent and growing challenges posed by ransomware and nation-state campaigns.
Sign up for our Threat Intel update to get this monthly update straight to your inbox.
The cost of a data breach is now $4.35m per incident. For healthcare that figure rises to $10.1m.
Phishing attacks are the costliest form of breach, coming in at $4.91m.
Account takeover (ATO) attacks have increased by 307% in the last 2 years, with ATO-related losses increasing by 90% in 2021 alone.
Phishing attacks escalated to over 1 million attacks in Q1 2022 – a new record.
The credential-theft campaign that resulted in the Cisco and Twilio breaches was part of a phishing campaign that made use of what has been dubbed the “oktapus phishing kit.” This phishing campaign netted the Okta login credentials of almost 10k users at 130 organizations – mostly located in the US. Victims were targeted with an SMS phishing campaign linking to a malicious site that captured Okta login credentials and 2FA codes. The credentials were then used to gain access to the corporate networks of the affected companies via VPNs and remote devices.
The recent Microsoft 365 MFA-related compromises were, according to Microsoft, attributed to the theft of a significant number of login credentials through a large-scale phishing campaign. Using the compromised credentials, threat actors were able to hijack users’ already authenticated sign-in sessions. The threat actors were then able to access victims’ mailboxes and carry out business email compromise campaigns against other targets.
According to Mitiga, a vulnerability inherent in Microsoft’s MFA authentication protocol is at the heart of the compromise. In particular, the lack of regular re-authentication prompts during a user’s session, even when the user is provisioning applications of a sensitive security nature, such as registering a second authenticator application in their Microsoft profile, played a big role in enabling escalation of the compromise.
This weakness is further demonstrated in the Privileged Identity Management (PIM) feature of Microsoft’s MFA, which allows admin users to request admin privileges only when needed. However, Microsoft does not prompt users to re-authenticate for this privilege escalation, on the basis that their existing session has already been authenticated. Compounding these vulnerabilities is the fact that there is no way for customers of Microsoft 365 to override the native MFA behaviour and request additional re-authentication prompts.
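The gap described above is the absence of step-up authentication: a session that completed MFA once is trusted for every later action, including registering a new authenticator or activating a privileged role. The following is an added example (not code from the original post, and not Microsoft's implementation) of the policy a defender would want in its place: each sensitive action requires an MFA challenge that was completed recently and bound to that specific action, so a hijacked session cookie alone cannot be used to enrol a second authenticator. The action names, time limits and scenario timeline are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Maximum age of an action-bound MFA challenge that may satisfy each sensitive action.
# The action names are constructed for this example, not Microsoft identifiers.
STEP_UP_POLICY: dict[str, timedelta] = {
    "register_authenticator": timedelta(minutes=5),
    "activate_privileged_role": timedelta(minutes=5),
}


@dataclass
class Session:
    user: str
    # Interactive MFA challenges completed in this session: (bound action, completed_at).
    challenges: list[tuple[str, datetime]] = field(default_factory=list)


def record_challenge(session: Session, action: str, completed_at: datetime) -> None:
    """Record that the user completed an interactive MFA challenge bound to `action`."""
    session.challenges.append((action, completed_at))


def requires_step_up(session: Session, action: str, now: datetime) -> bool:
    """True if `action` needs a fresh MFA challenge before it may proceed.

    A challenge only counts if it was bound to this exact action and completed
    within the policy window; the challenge from the original sign-in, or one
    bound to a different action, never satisfies a sensitive action.
    """
    max_age = STEP_UP_POLICY.get(action)
    if max_age is None:
        return False  # not sensitive: the existing authenticated session suffices
    for bound_action, completed_at in session.challenges:
        if bound_action != action:
            continue
        age = now - completed_at
        if timedelta(0) <= age <= max_age:  # reject future-dated or expired challenges
            return False
    return True


def authorize(session: Session, action: str, now: datetime) -> str:
    """Policy decision for `action` on `session`: "allow" or "step_up_required"."""
    return "step_up_required" if requires_step_up(session, action, now) else "allow"


# Constructed scenario timeline: the victim signs in at T0; an attacker holding
# the victim's session cookie tries to register a new authenticator shortly after.
T0 = datetime(2022, 9, 1, 12, 0, tzinfo=timezone.utc)


def at(minutes: int) -> datetime:
    return T0 + timedelta(minutes=minutes)


def run_scenario() -> list[str]:
    """Walk the scenario and return the policy decisions in order."""
    session = Session(user="alice")
    record_challenge(session, "sign_in", T0)  # MFA completed at initial sign-in
    decisions = [
        # Ordinary mailbox access later in the day: the session is enough.
        authorize(session, "read_mail", at(180)),
        # Session-cookie holder tries to enrol a second authenticator: blocked.
        authorize(session, "register_authenticator", at(1)),
    ]
    # The legitimate user completes a challenge bound to the registration.
    record_challenge(session, "register_authenticator", at(2))
    decisions += [
        authorize(session, "register_authenticator", at(3)),       # fresh and bound: allowed
        authorize(session, "activate_privileged_role", at(3)),     # different action: blocked
        authorize(session, "register_authenticator", at(10)),      # expired: blocked again
    ]
    return decisions


if __name__ == "__main__":
    for decision in run_scenario():
        print(decision)
```

The binding of a challenge to one action is the part that matters against an adversary-in-the-middle proxy: the victim's MFA response was relayed to complete the sign-in, but no response bound to "register_authenticator" ever existed, so the stolen session cannot reuse it. Real identity providers expose this as a sign-in frequency or re-authentication requirement scoped to particular operations; the example only models the decision logic.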
According to NCC Group, ransomware attacks are up 47% compared to a month earlier, with the top 3 targeted industry verticals being industrials (32%), consumer cyclicals (17%), and technology (14%).
Lockbit 3.0, Hiveleaks and BlackBasta are the top 3 trending ransomware groups, with Lazarus Group activity also increasing.
The threat of nation-state cyber campaigns is growing according to CSIS, with 86% of organizations indicating that they have been recently targeted on behalf of a nation-state.
The recent MFA compromise breaches highlight the limitations of MFA as a single security control, and this is resulting in an increasing number of successful ATO attacks.
As threat actors become more sophisticated, adopting a defense-in-depth strategy is essential. One key element of hardening your information system against ATO attacks is leveraging machine learning-powered, behavior-based cybersecurity like Tessian that is able to detect anomalous behavior as it arises, including after an attacker has bypassed security controls such as MFA.
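The session hijacking described in the Microsoft 365 section and the post-MFA-bypass detection this paragraph calls for come down to the same observable: an authenticated session that starts being used from a context other than the one it was established in, followed by actions typical of business email compromise. The block below is an added example (not code from the original post and not Tessian's product logic) of a detector that replays constructed sign-in and activity events and flags a session whose IP address and user agent change after authentication, raising the severity when a sensitive mailbox action follows from the new context. The event format, field names and sensitive-action list are assumptions made for the example.

```python
# Constructed activity events, not real log data. "t" is seconds since the first event.
EVENTS = [
    {"t": 0,   "user": "alice", "session": "S1", "ip": "203.0.113.10", "ua": "Edge/105",  "action": "sign_in"},
    {"t": 90,  "user": "alice", "session": "S1", "ip": "203.0.113.10", "ua": "Edge/105",  "action": "read_mail"},
    # Same session cookie, now presented from a different address and client.
    {"t": 120, "user": "alice", "session": "S1", "ip": "198.51.100.7", "ua": "curl/7.85", "action": "read_mail"},
    {"t": 150, "user": "alice", "session": "S1", "ip": "198.51.100.7", "ua": "curl/7.85", "action": "create_inbox_rule"},
    {"t": 200, "user": "bob",   "session": "S2", "ip": "192.0.2.44",   "ua": "Edge/105",  "action": "sign_in"},
    {"t": 260, "user": "bob",   "session": "S2", "ip": "192.0.2.44",   "ua": "Edge/105",  "action": "send_mail"},
]

# Actions that, performed from an unexpected context, match the BEC playbook the
# page describes (mailbox access followed by outbound campaigns). Constructed list.
SENSITIVE_ACTIONS = {"create_inbox_rule", "send_mail", "register_authenticator", "add_forwarding"}


def detect_session_replay(events: list[dict]) -> list[dict]:
    """Flag uses of an established session from a context other than its origin.

    The origin context (IP, user agent) is fixed at the first event seen for a
    session. Every later event whose context differs is reported; events that
    also perform a sensitive action are reported with high severity.
    """
    origin: dict[str, tuple[str, str]] = {}
    alerts: list[dict] = []
    for event in sorted(events, key=lambda e: e["t"]):
        session = event["session"]
        context = (event["ip"], event["ua"])
        if session not in origin:
            origin[session] = context  # first sighting defines the trusted context
            continue
        if context == origin[session]:
            continue
        alerts.append({
            "t": event["t"],
            "user": event["user"],
            "session": session,
            "action": event["action"],
            "origin": origin[session],
            "observed": context,
            "severity": "high" if event["action"] in SENSITIVE_ACTIONS else "medium",
        })
    return alerts


def summarize(alerts: list[dict]) -> dict[str, str]:
    """Highest severity per session, for a quick triage view."""
    rank = {"medium": 1, "high": 2}
    worst: dict[str, str] = {}
    for alert in alerts:
        current = worst.get(alert["session"])
        if current is None or rank[alert["severity"]] > rank[current]:
            worst[alert["session"]] = alert["severity"]
    return worst


if __name__ == "__main__":
    for alert in detect_session_replay(EVENTS):
        print(alert)
    print(summarize(detect_session_replay(EVENTS)))
```

Keying the origin context on both address and user agent reduces noise from a single user moving between networks on the same device; in production the address would usually be generalized to an ASN or country, and the alert would be correlated with the re-authentication events, since a session that is simultaneously in use from two contexts and then enrols a new authenticator or creates inbox rules is the pattern the Microsoft 365 compromises followed.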
To see how Tessian prevents ATO attacks and data loss, watch a product overview video or book a demo.
For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn.