Hackers who broke into ConectSUS use an old trick to circumvent authentication – Antivirus and Security – Tecnoblog

Recent hacking attacks on governments and companies leave many questions in the air. After all, how do they do it? A technique called MFA bombing is apparently part of the strategy. It is not new, but it has been used by groups such as Lapsus$, which was behind the actions against ConectSUS, Microsoft and Nvidia. The trick exploits users' weaknesses to obtain an authorization and get into systems.

Hacker (Image: Kevin Horvat / Unsplash)

MFA is the acronym for multi-factor authentication, the name given to the extra layer of protection that some services and systems offer on top of the password.

It is similar to two-factor authentication or two-step verification, but it can go further and require three or more factors.

So it is not enough to know the username and password: you need at least one extra factor to get in.

This factor can be a one-time code sent by SMS, a code generated by an app such as Google Authenticator, a push notification that the user approves, a fingerprint or face check, or a physical security key.

A phrase often repeated in information security is that the user is the weakest link in any system. And the user is precisely the target of MFA bombing.

Bomb until accepted

MFA bombing targets the push-notification factor. The idea is, as the name suggests, to bombard the user with approval requests until they accept one. The attacker already has the victim's password (that is what triggers each push prompt); the bombing is how they get past the second factor.

Hackers even choose times when the victim is most vulnerable, such as sending hundreds of requests in the early hours of the morning, when the person is sleepy and just wants the phone to stop buzzing.

According to Ars Technica, there are subtler variants. One is to send just one or two requests a day. That draws less attention, but still has a good chance of eventually getting the user to accept.

Another is to call the target, impersonating the company, and tell the employee that they need to approve the request.

One of the sources interviewed by Ars Technica says that Lapsus$ hackers have been using the technique quite successfully.

However, they did not invent the method and should not get credit for it; it has been around for about two years.
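The three variants described above (a burst of prompts at night, one or two prompts a day, and a worn-down user finally approving) each leave a distinct trace in the identity provider's push logs. The following detection script is an added example written for this article, not code from Tecnoblog, Ars Technica or any MFA vendor: the log format (timestamp, user, event, source IP) and the sample lines are assumed and constructed, and the thresholds are starting points to tune against your own baseline.

```python
"""Flag MFA push-bombing patterns in an authentication log.

Added example, not code from the article or from Ars Technica. The log
format is assumed (one event per line: timestamp, user, event, source IP)
and the sample lines are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

BURST_THRESHOLD = 5                     # pushes within BURST_WINDOW -> bombing
BURST_WINDOW = timedelta(minutes=10)
FATIGUE_WINDOW = timedelta(minutes=10)  # look-back for denials before an approval
SLOW_DAYS = 3                           # distinct days of unanswered pushes from one IP
OFF_HOURS = range(0, 6)                 # 00:00-05:59 UTC: user is likely asleep

# Constructed sample log (not real data). alice: burst at dawn, approved after
# two denials. bob: one or two prompts a day, never approved. carol: normal login.
SAMPLE_LOG = """\
2022-03-29T03:02:11Z alice push_sent 198.51.100.7
2022-03-29T03:02:13Z alice push_denied 198.51.100.7
2022-03-29T03:02:40Z alice push_sent 198.51.100.7
2022-03-29T03:02:42Z alice push_denied 198.51.100.7
2022-03-29T03:03:10Z alice push_sent 198.51.100.7
2022-03-29T03:03:55Z alice push_sent 198.51.100.7
2022-03-29T03:04:30Z alice push_sent 198.51.100.7
2022-03-29T03:04:31Z alice push_approved 198.51.100.7
2022-03-21T09:15:00Z bob push_sent 203.0.113.9
2022-03-21T09:15:30Z bob push_denied 203.0.113.9
2022-03-22T08:50:00Z bob push_sent 203.0.113.9
2022-03-23T10:05:00Z bob push_sent 203.0.113.9
2022-03-23T10:05:20Z bob push_denied 203.0.113.9
2022-03-29T14:20:00Z carol push_sent 192.0.2.44
2022-03-29T14:20:05Z carol push_approved 192.0.2.44
"""


@dataclass
class Event:
    ts: datetime
    user: str
    kind: str   # push_sent | push_denied | push_approved
    src: str


def parse_log(text: str) -> list:
    """Parse the assumed log format into Events sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, kind, src = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(when, user, kind, src))
    events.sort(key=lambda e: e.ts)
    return events


def detect(events: list) -> list:
    """Return a list of findings; each is a dict with at least 'rule' and 'user'."""
    findings = []
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    for user, evs in by_user.items():
        sent = [e for e in evs if e.kind == "push_sent"]
        # Rule 1: burst of prompts (the "hundreds of requests" variant).
        # Sliding window over sent prompts; off-hours bursts are rated higher.
        for i in range(len(sent)):
            j = i
            while j < len(sent) and sent[j].ts - sent[i].ts <= BURST_WINDOW:
                j += 1
            if j - i >= BURST_THRESHOLD:
                severity = "high" if sent[i].ts.hour in OFF_HOURS else "medium"
                findings.append({"rule": "push_burst", "user": user, "severity": severity,
                                 "count": j - i, "start": sent[i].ts.isoformat()})
                break
        # Rule 2: an approval right after repeated denials is the signature of
        # a worn-down user, and the event to respond to first.
        for e in evs:
            if e.kind != "push_approved":
                continue
            denials = sum(1 for d in evs
                          if d.kind == "push_denied" and e.ts - FATIGUE_WINDOW <= d.ts < e.ts)
            if denials >= 2:
                findings.append({"rule": "fatigue_approval", "user": user, "severity": "high",
                                 "denials_before": denials, "at": e.ts.isoformat()})
        # Rule 3: low and slow (one or two prompts a day). A source that keeps
        # triggering prompts across days without ever being approved is not the user.
        approved_srcs = {e.src for e in evs if e.kind == "push_approved"}
        days_by_src = defaultdict(set)
        for e in sent:
            days_by_src[e.src].add(e.ts.date())
        for src, days in days_by_src.items():
            if len(days) >= SLOW_DAYS and src not in approved_srcs:
                findings.append({"rule": "low_and_slow", "user": user, "severity": "medium",
                                 "src": src, "days": len(days)})
    return findings


if __name__ == "__main__":
    for finding in detect(parse_log(SAMPLE_LOG)):
        print(finding)
```

Run against the constructed log, the script flags alice twice (an off-hours burst of five prompts and an approval preceded by two denials) and bob once (three days of unanswered prompts from the same source), while carol's ordinary login produces nothing. The fatigue approval is the finding to act on first: it means the attacker is already in, and the session and password should be revoked.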

The group has already attacked Microsoft, Nvidia and ConectSUS.

The more secure standard is also susceptible to attacks

As you may know, nothing in this life is 100% secure, and that includes multi-factor authentication.

There is a more secure standard called FIDO2. It was created by the FIDO Alliance, a consortium of companies, and aims to balance security and ease of use.

One of the differences is that the credential is tied to the device being used and to the site being accessed. The approval happens on the machine that is logging in, so one device cannot be used to authorize a login on another, and there is no prompt an attacker can push to the user's phone and keep resending.
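The binding described above is enforced on the server side of a FIDO2 login through the WebAuthn verification steps: the response must answer the challenge the server just issued, carry the origin the browser actually saw, and be signed for the server's own RP ID by an authenticator that confirmed presence (and verification) locally. The script below is an added example, not code from the article or from the FIDO Alliance; RP_ID, ORIGIN and the challenge are assumed values, and the client and authenticator data are constructed to stand in for what a browser and authenticator would return. The last step of a real verification, checking the signature over authData plus SHA-256(clientDataJSON) with the public key registered at enrollment, is left out.

```python
"""Relying-party checks that bind a FIDO2/WebAuthn login to one site and one
authenticator.

Added example, not code from the article. RP_ID and ORIGIN are assumed values;
the client data and authenticator data are constructed here. The signature
check over authData || SHA-256(clientDataJSON) is not included.
"""
import base64
import hashlib
import json
import struct

RP_ID = "example.com"           # assumed relying-party ID
ORIGIN = "https://example.com"  # assumed expected origin
FLAG_UP = 0x01                  # user present (touched the key)
FLAG_UV = 0x04                  # user verified (PIN or biometric)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def verify_assertion(client_data_json: bytes, auth_data: bytes,
                     expected_challenge: bytes, require_uv: bool = True):
    """Return (ok, reason) for the clientData/authData checks of a WebAuthn get()."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    # Challenge binding: the response must answer this login, not an earlier one.
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch"
    # Origin binding: the browser fills this in, so a look-alike site cannot forge it.
    if cd.get("origin") != ORIGIN:
        return False, "origin mismatch: " + repr(cd.get("origin"))
    if len(auth_data) < 37:
        return False, "authenticator data too short"
    # RP ID binding: the authenticator hashes the RP ID it actually signed for.
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    flags = auth_data[32]
    # Presence/verification happened on the device doing the login; there is
    # no remote "approve" button to spam.
    if not flags & FLAG_UP:
        return False, "user presence flag not set"
    if require_uv and not flags & FLAG_UV:
        return False, "user verification flag not set"
    sign_count = struct.unpack(">I", auth_data[33:37])[0]
    return True, "ok, signCount=%d" % sign_count


def make_client_data(challenge: bytes, origin: str) -> bytes:
    """Construct clientDataJSON as a browser would for navigator.credentials.get()."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url_encode(challenge),
                       "origin": origin, "crossOrigin": False}).encode()


def make_auth_data(rp_id: str, flags: int = FLAG_UP | FLAG_UV, sign_count: int = 1) -> bytes:
    """Construct the fixed 37-byte prefix of authenticatorData (rpIdHash, flags, signCount)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


CHALLENGE = bytes(range(32))  # constructed; a real server uses os.urandom(32) per login


def scenarios() -> dict:
    """A genuine login versus three ways an attacker might try to reuse a response."""
    good = make_auth_data(RP_ID)
    return {
        "genuine": verify_assertion(make_client_data(CHALLENGE, ORIGIN), good, CHALLENGE),
        "phishing_origin": verify_assertion(
            make_client_data(CHALLENGE, "https://example.com.evil.test"), good, CHALLENGE),
        "replayed_challenge": verify_assertion(
            make_client_data(bytes(32), ORIGIN), good, CHALLENGE),
        "other_rp": verify_assertion(
            make_client_data(CHALLENGE, ORIGIN), make_auth_data("evil.test"), CHALLENGE),
    }


if __name__ == "__main__":
    for name, (ok, reason) in scenarios().items():
        print(f"{name:20s} {'PASS' if ok else 'FAIL'}  {reason}")
```

Only the genuine scenario passes; the look-alike origin, the replayed challenge and the response signed for another RP are each rejected by a specific check. Contrast this with a push notification, where the server learns nothing about where the approval came from beyond the fact that someone tapped "approve".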

FIDO2 is relatively new and has so far been adopted by few companies.

If a company keeps allowing less secure forms of authentication alongside the new standard, that fallback itself becomes a weak point: the attacker simply picks the weaker method.

Even so, some hacker groups have already managed to break into systems that only offer MFA in the FIDO2 standard.

The Russian group Nobelium, responsible for the SolarWinds attack, managed to get around the authentication. It was not easy: rather than breaking FIDO2 itself, they had to compromise Active Directory, the service that manages an organization's accounts.

Active Directory is used by network administrators to create, delete and modify user accounts and to grant them the privileges they need to access particular resources. If it is compromised, nothing can save you: the attacker controls the identity system that every authentication method ultimately relies on.

It should be noted that any two-factor authentication, however weak, is better than none.

One-time codes sent by SMS are seriously flawed, especially when SIM-swap scams are taken into account.

Still, if that is the only option available, don't think twice: use it.

Even so, be warned. It is not enough just to have multi-factor authentication: everyone in the company needs to know how to use it and what risks they are taking.

With information: Ars Technica.
