Microsoft’s multi-factor authentication has a weakness that Russian hackers have exploited to gain access to organizations’ private networks.
According to TheHackerNews, cybersecurity firm Mandiant has reported a trend of hackers exploiting multi-factor authentication (MFA) self-enrollment to gain access to inactive Microsoft accounts.
Mandiant notes that the Russian group APT29, also known as Cozy Bear, exploited the self-registration process for MFA in Microsoft Azure Active Directory to take control of Microsoft 365 and other accounts.
When organizations first implement MFA, many platforms allow users to register their MFA device, usually a smartphone, at their next login. This is an efficient way to get a large number of users enrolled in multi-factor authentication to secure their accounts.
But the researchers point out that without additional verification around the MFA registration process, anyone who knows an account’s username and password can set up multi-factor authentication for that account, as long as they are the first to do so.
The team said that APT29 carried out a password-guessing attack against a list of mailboxes. Among them was an account that had been created but never used; through it, the group gained access to the organization’s VPN infrastructure. Mandiant did not disclose the victim or the purpose of the attack, although APT29 is known to target the US, NATO, and allied countries.
To avoid falling victim, the researchers recommend that organizations ensure all active accounts have at least one MFA device registered, and that they add additional verification to the MFA enrollment process.
Microsoft recently introduced a feature that lets organizations control MFA device registration. Support staff can issue a Temporary Access Pass to an employee when they first join or when they lose an MFA device; the pass can be used for a limited time to sign in and register a new MFA device.
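The audit the researchers recommend, finding enabled accounts with no MFA method registered (the accounts exposed to the first-to-enroll problem described above), as an added example that is not part of the article or Mandiant’s report. It assumes the Microsoft Graph `userRegistrationDetails` report and the `/users` `signInActivity` field with the documented field names; the responses below are constructed samples, not data from a real tenant.

```python
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

# Constructed sample responses, trimmed to the fields used below.
# Live equivalents: GET /reports/authenticationMethods/userRegistrationDetails
# and GET /users?$select=userPrincipalName,accountEnabled,signInActivity
REGISTRATION_REPORT = json.loads("""{"value": [
  {"userPrincipalName": "alice@contoso.example", "isMfaRegistered": true},
  {"userPrincipalName": "bob@contoso.example", "isMfaRegistered": false},
  {"userPrincipalName": "svc-backup@contoso.example", "isMfaRegistered": false}
]}""")
USERS = json.loads("""{"value": [
  {"userPrincipalName": "alice@contoso.example", "accountEnabled": true,
   "signInActivity": {"lastSignInDateTime": "2022-07-20T08:15:00Z"}},
  {"userPrincipalName": "bob@contoso.example", "accountEnabled": true,
   "signInActivity": {"lastSignInDateTime": "2022-06-01T11:02:00Z"}},
  {"userPrincipalName": "svc-backup@contoso.example", "accountEnabled": true,
   "signInActivity": null},
  {"userPrincipalName": "carol@contoso.example", "accountEnabled": false,
   "signInActivity": null}
]}""")


def graph_get(path, token):
    """Fetch one page of a Graph collection (live use only; the samples above
    let the audit run offline). Paging via @odata.nextLink is left to the caller."""
    req = urllib.request.Request(GRAPH + path, headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def find_unprotected_accounts(report, users):
    """Return {upn: "active" | "never-signed-in"} for enabled accounts that have
    no MFA registered. An account missing from the report counts as unregistered.
    "never-signed-in" is the dormant case the article describes."""
    mfa = {u["userPrincipalName"]: u.get("isMfaRegistered", False) for u in report["value"]}
    findings = {}
    for u in users["value"]:
        upn = u["userPrincipalName"]
        if not u.get("accountEnabled") or mfa.get(upn, False):
            continue  # disabled accounts and MFA-registered accounts are not exposed
        activity = u.get("signInActivity") or {}
        findings[upn] = "active" if activity.get("lastSignInDateTime") else "never-signed-in"
    return findings


if __name__ == "__main__":
    for upn, state in sorted(find_unprotected_accounts(REGISTRATION_REPORT, USERS).items()):
        print(f"{upn}: enabled, no MFA registered ({state})")
```

Accounts reported as "never-signed-in" are the ones to enroll through a controlled process (such as a Temporary Access Pass) or disable until the owner needs them.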