{"id":41340,"date":"2020-09-15T14:54:33","date_gmt":"2020-09-15T14:54:33","guid":{"rendered":"http:\/\/icloud.pe\/blog\/?guid=ddabfdbdfd399a72da253ed4cf4d81e8"},"modified":"2020-09-15T14:54:33","modified_gmt":"2020-09-15T14:54:33","slug":"mfa-bypass-allows-hackers-to-infiltrate-microsoft-365","status":"publish","type":"post","link":"https:\/\/icloud.pe\/blog\/mfa-bypass-allows-hackers-to-infiltrate-microsoft-365\/","title":{"rendered":"MFA bypass allows hackers to infiltrate Microsoft 365"},"content":{"rendered":"<p><span class=\"field field-name-field-author field-type-node-reference field-label-hidden\"><br \/>\n      <span class=\"field-item even\"><a href=\"https:\/\/www.cloudpro.co.uk\/authors\/keumars-afifi-sabet-0\">Keumars Afifi-Sabet<\/a><\/span><br \/>\n  <\/span><\/p>\n<div class=\"field field-name-field-published-date field-type-datetime field-label-hidden\">\n<div class=\"field-items\">\n<div class=\"field-item even\"><span class=\"date-display-single\">15 Sep, 2020<\/span><\/div>\n<\/p><\/div>\n<\/div>\n<p class=\"short-teaser\">\n<a href=\"https:\/\/www.cloudpro.co.uk\/\" title=\"\" class=\"combined-link\"><\/a><\/p>\n<div class=\"field field-name-body\">\n<p>Critical vulnerabilities in\u00a0<a href=\"https:\/\/www.itpro.co.uk\/security\/innovation-at-work\/30184\/why-is-multi-factor-authentication-so-important\">multi-factor authentication (MFA) protocols<\/a>\u00a0based on the WS-Trust security standard could allow cyber criminals to access various cloud applications including core Microsoft services.<\/p>\n<p><a href=\"https:\/\/www.cloudpro.co.uk\/collaboration\/productivity\/8567\/microsoft-365-is-more-than-a-name-change\" >Microsoft 365<\/a>\u00a0is the most notable cloud service that can be infiltrated in such a way due to the way the platform\u2019s session login is designed, according to\u00a0<a href=\"https:\/\/www.proofpoint.com\/us\/blog\/cloud-security\/new-vulnerabilities-bypass-multi-factor-authentication-microsoft-365\" 
>Proofpoint<\/a>, with hackers able to gain full access to a target\u2019s account. Information including emails, files and contacts, among other data points, would be vulnerable to such an attack.<\/p>\n<p>This is in addition to the MFA bypass granting access to a host of other cloud services, including production and development environments such as\u00a0<a href=\"https:\/\/www.itpro.co.uk\/microsoft-azure\" >Microsoft Azure<\/a>\u00a0as well as Visual Studio.<\/p>\n<p>The flaw lies in the implementation of the WS-Trust specification, an OASIS standard that is used for renewing and validating security tokens and establishing trusted connections. Proofpoint researchers claim that WS-Trust is inherently insecure and that Microsoft\u2019s identity providers implemented the standard with a number of bugs.<\/p>\n<p>These vulnerabilities can be exploited to allow an attacker, for example, to spoof their IP address to bypass MFA through simple request header manipulation. Changing the user-agent header, in another example, may also cause the system to misidentify the protocol and believe it to be using \u2018modern authentication\u2019.<\/p>\n<p>\u201cMost likely, these vulnerabilities have existed for years. We have tested several Identity Provider (IDP) solutions, identified those that were susceptible and resolved the security issues,\u201d Proofpoint said.<\/p>\n<p>\u201cVulnerabilities require research, but once discovered, they can be exploited in an automated fashion. They are hard to detect and may not even appear on event logs, leaving no trace or hint of their activity. 
Since MFA as a preventative measure can be bypassed, it becomes necessary to layer additional security measures in the form of account compromise detection and remediation.\u201d<\/p>\n<p>With MFA becoming an essential and more widely adopted additional layer of security to reinforce username-and-password logins, cyber criminals are certainly more attracted to identifying and implementing bypasses.<\/p>\n<p>This is particularly pertinent during the coronavirus crisis, where the\u00a0<a href=\"https:\/\/www.itpro.co.uk\/business-strategy\/flexible-working\/356902\/continued-remote-working-could-lead-to-ghost-towns\" >mass shift to remote and home working<\/a>\u00a0meant critical apps and services were being accessed from insecure locations, with protocols such as MFA in place to bolster cyber security.<\/p>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Keumars Afifi-Sabet<\/p>\n<p>15 Sep, 2020<\/p>\n<p>Critical vulnerabilities in\u00a0multi-factor authentication (MFA) protocols\u00a0based on the WS-Trust security standard could allow cyber criminals to access various cloud applications including 
&#8230;<\/p>\n","protected":false},"author":433,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[],"tags":[],"class_list":["post-41340","post","type-post","status-publish","format-standard","hentry"],"_links":{"self":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts\/41340","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/users\/433"}],"replies":[{"embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/comments?post=41340"}],"version-history":[{"count":2,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts\/41340\/revisions"}],"predecessor-version":[{"id":41359,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts\/41340\/revisions\/41359"}],"wp:attachment":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/media?parent=41340"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/categories?post=41340"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/tags?post=41340"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}