To MFA or Not To MFA: How Multi-factor Authentication Saves the SMB

Subject: To MFA or Not To MFA: How Multi-factor Authentication Saves the SMB

Tactics: TA0006 Credential Access, TA0001 Initial Access

Technique: T1212 Exploitation for Credential Access, T1003 OS Credential Dumping, T1078 Valid Accounts

Procedure:

  • Credential Theft: Attackers exploit weak or reused passwords to gain access to accounts without MFA. This can be done through brute forcing, password spraying, or credential stuffing attacks.
  • Session Hijacking: Attackers steal session tokens to bypass MFA. This can be done through adversary-in-the-middle (AiTM) attacks or by obtaining tokens from breaches and credential dumps.

Vulnerability: EAV0003 When adversaries exploit a trusted relationship, such as using an account to access or move in the environment, they are vulnerable to triggering tripwires or engaging in anomalous behavior.

Engagement Opportunity:

  • Honeypots: Set up honeypots with weak or common passwords to attract attackers and observe their TTPs.
  • Decoy Tokens: Deploy decoy session tokens in fake user accounts to lure attackers and analyze their methods for token theft. 
  • Adaptive MFA: Implement adaptive MFA that adjusts based on user behavior and risk factors to detect suspicious login attempts.

Threat Actor: Cybercriminals targeting Small and Medium Businesses (SMBs).

Threat Objective:

Account takeover for financial gain, data theft, or to launch further attacks.

Deception Opportunity:

  • Fake Payroll Systems: Create a fake payroll system with realistic-looking data to deceive attackers and gather information about their tools and techniques.   
  • Decoy Financial Data: Plant decoy financial data in fake accounts to lure attackers and track their exfiltration methods.   
  • Misinformation: Spread misinformation about internal systems and security measures to confuse attackers and deter further attacks.

Sensor Data Placement: User-Mode

Observable Level: Core to Pre-Existing Tool

Scoring Rationale:

  • Sensor Data Placement: Application, User-Mode
  • Observable Level:
    • Credential Theft: Core to Pre-Existing Tool (for password attacks)   
    • Session Hijacking: Core to Adversary-Brought Tool (for AiTM toolkits)   
  • Scoring Rationale: Password attacks often rely on pre-existing tools and operating system features, while session hijacking typically involves adversary-brought tools like Evilginx. Monitoring for both types of activity is crucial for detecting account takeovers.
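Detection logic for the two procedures scored above, plus an alert on the decoy accounts proposed under Engagement Opportunity, as an added example that is not from the report or this page: a password-spraying check (one source, many distinct accounts, few attempts each), a honeytoken-account check, and a session-token reuse check that flags one session id presented from two different client contexts, the observable left behind by AiTM-style token theft. The sign-in events are constructed, and the event field names and the `payroll-svc` decoy account are assumptions.

```python
from collections import defaultdict

# Constructed sign-in events (not from the report), shaped like an identity
# provider's audit log: timestamp, account, source IP, user agent, outcome, session id.
EVENTS = [
    {"ts": 100, "user": "alice", "src": "203.0.113.7", "ua": "Firefox", "ok": False, "sid": None},
    {"ts": 101, "user": "bob", "src": "203.0.113.7", "ua": "Firefox", "ok": False, "sid": None},
    {"ts": 102, "user": "carol", "src": "203.0.113.7", "ua": "Firefox", "ok": False, "sid": None},
    {"ts": 103, "user": "dave", "src": "203.0.113.7", "ua": "Firefox", "ok": False, "sid": None},
    {"ts": 104, "user": "payroll-svc", "src": "203.0.113.7", "ua": "Firefox", "ok": True, "sid": None},
    {"ts": 200, "user": "erin", "src": "198.51.100.4", "ua": "Chrome", "ok": True, "sid": "S1"},
    {"ts": 260, "user": "erin", "src": "192.0.2.99", "ua": "python-requests", "ok": True, "sid": "S1"},
    {"ts": 300, "user": "alice", "src": "198.51.100.5", "ua": "Chrome", "ok": False, "sid": None},
]

# Hypothetical honeytoken identity: a decoy account with a deliberately weak password
# that no legitimate user or process ever signs in with.
DECOY_ACCOUNTS = {"payroll-svc"}


def detect_password_spray(events, min_accounts=3, window=600):
    """Flag sources whose failed logins span many distinct accounts within `window` seconds."""
    failures = defaultdict(list)
    for e in events:
        if not e["ok"]:
            failures[e["src"]].append(e)
    flagged = {}
    for src, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        # Sliding window anchored on each failure: count distinct accounts tried shortly after it.
        for i, start in enumerate(evs):
            users = {x["user"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            if len(users) >= min_accounts:
                flagged[src] = sorted(users)
                break
    return flagged


def detect_honeytoken_use(events, decoys=DECOY_ACCOUNTS):
    """Any attempt against a decoy account is an alert, whether or not it succeeded."""
    return [(e["ts"], e["user"], e["src"]) for e in events if e["user"] in decoys]


def detect_session_reuse(events):
    """Flag a session id presented from more than one (source IP, user agent) context."""
    seen = defaultdict(set)
    for e in events:
        if e["ok"] and e["sid"]:
            seen[e["sid"]].add((e["src"], e["ua"]))
    return {sid: sorted(ctx) for sid, ctx in seen.items() if len(ctx) > 1}
```

The spray check keys on the source rather than the account because spraying stays below per-account lockout thresholds by design; the session check is the signal an MFA-completed session still leaves when its token is replayed elsewhere.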

Link to Report: https://www.huntress.com/blog/to-mfa-or-not-to-mfa-how-multi-factor-authentication-saves-the-smb

Link to Report II.:

Additional Comments:

The report highlights the importance of MFA in raising the barrier to entry for attackers targeting SMBs. It also emphasizes the need for user awareness and endpoint hardening to mitigate credential stealers.

Possible elements: Embedded Honeytokens

MSG (Pseudocode):

# Malicious Sub-Graph Standard

# Node Format:
# [Node ID]: [Tactic] - [Technique] - [Procedure] ([Observable Level])

# Edge Format:
# [Source Node ID] --> [Destination Node ID] ([Exploited Vulnerability])

# Example: SMB Account Takeover

[1]: Initial Access - T1078 - Exploit weak or reused passwords (Core to Pre-Existing Tool)
[2]: Credential Access - T1003 - Use credential stealer malware (Core to Adversary-Brought Tool)
[3]: Initial Access - T1078 - Use stolen session tokens (Core to Adversary-Brought Tool)
[4]: Impact - T1486 - Deploy ransomware (Core to Adversary-Brought Tool)

1 --> 4 (Lack of User Awareness)
2 --> 1 (Unpatched Vulnerability)
2 --> 3 (Misconfigured MFA)

# Pseudocode Standard

# Function Format:
# function [Tactic]_[Technique]([Input]):
#     [Procedure]
#     return [Output]

# Example: SMB Account Takeover Pseudocode
# Nodes [1] and [3] of the MSG both map to T1078, so the function names carry a
# suffix to keep them distinct.

function Initial_Access_T1078_password_attack(target_account):   # MSG node [1]
    # Attempt brute force or password spraying attack
    if MFA not enabled:
        return account_access
    else:
        return no_access

function Credential_Access_T1003(target_endpoint):   # MSG node [2]
    # Deploy credential stealer malware
    # Scrape credentials from memory and disk
    return stolen_credentials

function Initial_Access_T1078_session_token(stolen_session_token):   # MSG node [3]
    # Inject stolen session token into browser
    return account_access

function Impact_T1486(account_access):   # MSG node [4]
    # Deploy ransomware
    # Encrypt sensitive data
    return encrypted_data
