IT AUDIT & SECURITY
The Best Thing you can do is Implement Two-Factor Authentication: The Worst Thing you can do is Rely on it
Jill Kamperides, IT Security Analyst, OCD Tech
2 July 2020
Passwords are everywhere. In general, you cannot have an account somewhere without also having a password to that account. Your password should be something that you, and only you, know – that way, if a “bad guy” tries to access your account, they will be stopped by not knowing your password. Of course, things do not always work this way. Passwords can be stolen, forgotten, and even cracked or essentially deciphered by the bad guys. We at OCD Tech have a team of penetration testers that try to prevent this. To do so, we put ourselves in the bad guys’ shoes and do what they would do. If we are successful, it means that the bad guys could be as well, so when we find vulnerabilities, we report on and remediate them. We are like hackers, but for the good guys. The OCD Tech team has recently made some observations concerning passwords, phishing, and two-factor authentication – this article discusses how they are intertwined, and how it affects you.
Password-based authentication is inherently weak on its own, even if you have the strongest password ever. Maybe your password is 25 characters and there is no way it could be cracked – if your account is compromised in a data breach, your password is suddenly meaningless. If you have shared that password between multiple accounts, you are in even more trouble. As penetration testers, it is one of the first things we check for, and the bad guys do, too. Two-factor authentication (2FA) was developed as a way to strengthen password-based logins by adding an extra layer of security, and it works really, really well, most of the time. However, during a recent penetration test, the OCD Tech team proved that even two-factor authentication is not the be-all and end-all of user security. It can be bypassed.
It started with reconnaissance of our target, as most real-world attacks will. With the power of open-source intelligence gathering tools, and with search engines at our disposal, we compiled a list of email addresses that would be the foundation of a phishing campaign against our client. Review of the in-scope IP addresses revealed a few different websites that were hosting login pages – we noted Citrix, Outlook, and some others that made potential targets for this campaign. Citrix is a popular software company that provides, among other things, networking services, which includes remote-access applications. Outlook provides access to users’ email inboxes. We decided to start by phishing for credentials to the client’s Outlook Web Application login portal, because if we had success there, we would have gained access to business emails. If a bad guy were to accomplish this, it could be detrimental to a company.
Our client’s instance of Outlook Web App was not protected by 2FA, which also made for an easier starting point. We crafted a phishing email along the lines of, “We’ve had an update. Please login to your account at this link to validate your credentials.” It was prettier than that, of course, and there was some backend work involved, such a setting up a fake login page, but before long we were ready to start. We fired off our phishing email to the list of addresses we had assembled during the recon stage, and then we waited. Ultimately, we received three sets of credentials, which meant that three individual users clicked the link in our phishing email and entered their username and password into our fake login page, thinking it was the company’s real login page. Their credentials came straight to us.
As luck (and Active Directory) would have it, these credentials were also valid on the client’s Citrix web portal, with one caveat – Citrix was protected by two-factor authentication. More specifically, Citrix was protected by a Google One-Time Password (OTP). We decided to phish for it. We set up a new fake login page, a clone of Citrix, and then we emailed only the three users who responded to our first round of phishing, knowing they would be most susceptible to responding again. This method of picking and choosing targets, as opposed to addressing an entire mailing list is known as spear phishing. Our email this time looked something like, “Some users have reported issues accessing Citrix following our update. Please validate your Citrix credentials here to ensure your access is not affected. Remember, this must include your Google OTP.” And we waited.
There are a few problems when it comes to phishing for two-factor authentication:
Number 1— If the target’s 2FA service only generates a code when a real login attempt is made, this strategy will fail since the target is logging in to our fake page and will therefore not generate an alert. Google’s OTP, however, is a rolling code that automatically refreshes every 60 seconds. This code lives on the user’s device and is valid whether they are actively trying to login or not. All we needed was for one of the targeted users to enter their current code into our fake login page. With any other configuration, our attempt at bypassing 2FA would have been significantly more difficult, and likely less successful.
Number 2— The code is time-sensitive! If it is not entered within a very limited window of time, authentication will fail. So, we again waited for a user to enter their credentials on our fake login page. We watched our web server logs, which would provide a live feed of any phished credentials, and we didn’t dare step away from our screens until an hour or so later, after we had gotten three hits. Our hunch was right; the three users who were phished once, were all phished again. The usernames, passwords, and OTPs they provided were all accepted by Citrix. We logged into Citrix using these newly-phished credentials, which allowed us to connect to a server on our client’s internal network. This server was poorly configured, and we discovered that each user was highly privileged. Because of this, we were able to utilize common penetration testing techniques to elevate our privileges to domain admin. If a bad guy were to get this far, they could do anything, ranging from stealing sensitive documents, to encrypting every machine on the network and holding them for ransom. Despite two-factor authentication, we demonstrated complete network compromise for the client, all while being entirely remote.
How can you protect yourself from attacks like this?
The first step is realizing the root of the problem. Although two-factor authentication can leave a lot to be desired in the way of security, this is not the biggest issue. The problem lies with phishing, and your users’ susceptibility to fall for a phishing attack. All it takes is one unaware user to result in network compromise. Phishing can be partially mitigated with a mail filter and robust spam settings, but if one email should slip through, your organization is still vulnerable if your users are not trained in security awareness. The best way to do this is to phish them yourself – familiarize your users with what phishing looks like, train them when they are fooled, and, in the future, they will know what to look for and will know not to click again.
Two-factor authentication, although flawed, is still extremely important. Passwords can be cracked, guessed, or stolen; it happens all the time. Two-factor authentication helps to protect against this; it is one of the best defenses against an attacker trying to break into your account – but its flaws cannot be ignored. Like most things, it is imperfect, and it can be bypassed. This is why you should not rely solely on two-factor authentication to protect you. When you stack your defenses not only with 2FA, but with a staff that will never fall for a phishing email, you stand a far greater chance of withstanding attacks.
Contact OCD Tech if you would like to learn about the security awareness training we offer to help keep your users safe from phishing attacks, and check out our free external web breach assessment to understand what the biggest outside risks are to your organization.