Thought leadership. threat analysis, news and alerts.
Why Single Factor Authentication Isn’t Enough to Protect Your Organization’s Network
Many of today’s cyberattacks have been successful, not because of advanced technology but because of one often ignored fact: the use of single factor authentication.
What Is Single Factor Authentication?
Single factor authentication is a cybersecurity measure that relies on the use of a username and password pair. While single factor authentication is commonly used in emails, this cybersecurity measure is also common as a perceived defensive measure in protecting endpoints – devices such as desktops and laptops that connect to a computer network and communicates back and forth with the network resources.
RDP Brute-Force Attacks
Single factor authentication has surprisingly been used as a defensive measure in protecting RDP, short for remote desktop protocol. RDP, a proprietary protocol developed by Microsoft, provides users with a graphical interface to connect to another computer over a network connection. In brute-forcing an RDP, a malicious actor attempts to sign in to an RDP with an administrator account by effectively guessing the correct username and password combination through a trial-and-error method. By successfully guessing the correct username and password combination, a malicious actor can gain access to a target computer and conduct further malicious activities such as stealing data, drop a ransomware or used the compromised computer for cryptocurrency mining.
In the blog post "Data science for cybersecurity: A probabilistic time series model for detecting RDP inbound brute force attacks" published in December 2019, Microsoft Defender ATP Research Team reported that out of nearly 45,000 computers that had both RDP public IP connections and at least one network failed sign-in, the team found that, on average, several hundred computers per day had high probability of experiencing one or more RDP brute force attack attempts.
API Credential Stuffing Attacks
Threat actors also exploit the use of a single factor authentication in gaining access to the victims’ IT infrastructure such as cloud server through credential stuffing attacks. In a credential stuffing attack, an attacker uses the single factor authentication credentials stolen from other data breaches.
The difference between credential stuffing attack and brute force attack is that in credential stuffing attack, guesses are based on the stolen usernames and passwords, while in brute force attack, guesses have no bases at all, with some attempts using characters at random.
In the past 10 years, billions of username and password combinations have been stolen from different individuals and organizations around the globe. These stolen usernames and passwords are publicly made available online, while others are sold online on the dark web.
Haveibeenpwned, a site that allows internet users to check whether their personal data has been compromised by data breaches has within its records millions of user accounts. In April 2019, the group known as “GnosticPlayers” released online breached records of nearly one billion users, including usernames and passwords.
While the success rate of credential stuffing attacks is only about 0.1% – which means that for every 1,000 attempts, roughly only one will succeed, the sheer volume of stolen single authentication credentials makes credential stuffing worth it. The success rate of 0.1%, for instance, for one million attempts could lead to nearly 1,000 successful cracked accounts.
APIs, short for application programming interfaces, are favourite targets by malicious actors in their credential stuffing attacks. An API allows two systems to communicate with one another. APIs allow easy access to a third-party platform, for instance, cloud storage. From December 2017 to November 2019, Akamai reported that it observed nearly 85.5 billion credential stuffing attacks across its customer base. Out of the 85.5 billion credential stuffing attacks, Akamai said 16.5 billion of these attacks were directed against hostnames that were clearly identified as API endpoints – referring to one end of a communication channel such as a URL of a server.
Brute force attackers and credential stuffing attackers are unstoppable because systems allow users to guess as many username and password combinations without limit. While some mitigate these two types of attacks through throttling, attackers bypass throttling by staging a low and slow approach.
Akamai reported that credential stuffing attackers take advantage of the unlimited guesses by guessing tens of thousands of credentials in minutes. Microsoft Defender ATP Research Team, meanwhile, reported that RDP brute force attacks often last for 2-3 days on average, with about 90% of cases lasting for 1 week or less, and less than 5% lasting for 2 weeks or more.
Cybercriminals are able to launch millions of these brute force and credential stuffing attacks in just a short span of time through the use of internet bots – referring to software applications that run automated tasks over the internet. To automate brute force or credential stuffing attacks, botnets are used by attackers. Botnets refer to a group of hijacked computers and controlled by cybercriminals to conduct malicious activities such as brute force attacks, credential stuffing attacks and distributed denial-of-service (DDoS) attacks.
By utilizing botnets, attackers are able to launch several login attempts simultaneously. The use of botnets or group of hijacked computers makes it appear that the login attempts come from different computers from different locations. Some botnets hijacked a few thousands and some hijacked millions of computers. The use of botnets bypasses security measures such as banning IP addresses with too many failed logins.
The use of multi-factor authentication effectively blocks brute force and credential stuffing attacks. In multi-factor authentication, aside from the correct username and password combination, a user is asked to provide additional information such as access token, face ID or a fingerprint – generally, things that bots can’t provide.
While we always recommend a multi-factor authentication, in many cases, businesses don’t evaluate basic IT controls and fall victim to cyberattacks.
Connect with us today and our team will evaluate your IT controls to ensure that decision makers understand the business impact and clearly understand what they need to focus on, both long and short-term.
Control Access Before Bad Actors Do
Leaving your door wide open invites bad actors. Like in real life, leaving your organization’s devices, networks or cloud accounts wide open similarly invites malicious actors. Controlling access to these devices, networks or cloud accounts controls the threat both from insiders and outsiders.
Misconfiguration, in general, is the configuration of digital system’s settings in such a way that the system behaves contrary to what it’s expected to do. Repercussions resulting in misconfigurations include exposure of sensitive data or could allow attackers to gain privileged access – the ability to perform an action with security consequences.
Misconfiguration happens because these digital systems themselves allow the sharing of data to the public or they allow privileged access. For instance, current cloud service providers allow clients to either configure or set stored data in the cloud to be shared to the public. Server operating systems, meanwhile, can be configured to allow certain individuals to have privileged access. Misconfiguration, therefore, is an internal problem that originates from within the IT infrastructure of any organization.
In recent months, security researchers have discovered troves of sensitive data stored in the cloud easily accessible to the general public. Researchers at UpGuardrecently discovered that two partners of Facebook, Mexico-based media company Cultura Colectiva and the now defunct “At the Pool” misconfigured their cloud accounts, exposing a total of hundreds of millions of Facebook customer data. According to UpGuard, the exposed customer data were each stored in Cultura Colectiva and At the Pool’s respective Amazon Simple Storage Service (Amazon S3) bucket configured to allow public download of files.
“Amazon customers own and fully control their data,” Amazon said in response to the exposure of millions of Facebook customer data. “While Amazon S3 is secure by default, we offer the flexibility to change our default configurations to suit the many use cases in which broader access is required, such as building a website or hosting publicly downloadable content. As is the case on premises or anywhere else, application builders must ensure that changes they make to access configurations are protecting access as intended.”
In February 2018, researchers at RedLockdiscovered that malicious actors accessed Tesla’s Kubernetes – a tool for managing a network of virtual machines – console as this wasn’t password protected. “Within one Kubernetes pod, access credentials were exposed to Tesla’s AWS environment which contained an Amazon S3 (Amazon Simple Storage Service) bucket that had sensitive data such as telemetry,” RedLock researchers said. As a result of the data exposure, the malicious actors performed cryptocurrency mining from within one of Tesla’s Kubernetes pods.
According to Gartner, through 2020, 99% of firewall breaches will be caused, not by flaws but by simple firewall misconfigurations. A firewall is a network security device that monitors outgoing and incoming network traffic and decides whether to block or allow certain traffic based on a defined set of security rules. Firewalls are often configured with an open policy, that is, allowing from any source to any destination as system administrators at the outset don’t know what they want to block or allow, and never get around changing this configuration, leaving the network exposed to attackers.
A case in point in the value of effective firewall configuration is the 2017 case in which a malware infiltrated the North Carolina transmission plant’s computer networkvia email. The malware spread through the plant’s network, stopping production as users were locked out from their computers. According to the plant’s information technology manager, while data on some computers were lost, the malware was blocked by a firewall when it tried to exit the plant’s network.
Another ransomware incident in 2017, this time in the Northern Lincolnshire and Goole NHS Foundation Trustwas attributed to the “misconfiguration of the firewall”. The ransomware took a Northern Lincolnshire and Goole NHS Foundation Trust hospital offline for four days and resulted in the cancellation of 2,800 patient appointments.
Best Practices & Prevention
Here are some cybersecurity measures in order to prevent or mitigate the effects of misconfigurations:
Apply the Principle of “Least Privilege”
Least privilege is the concept and practice of restricting access to accounts and computing processes only to certain individuals based on their job necessities. Restricting a certain group in your organization from installing and running software application can prevent a malware from infecting your organization's network, for instance, in case this malware is unwittingly downloaded by one of your organization’s staff onto his or her computer workstation.
The Microsoft Vulnerabilities Report 2019, an analysis of Microsoft security updates in 2018 conducted by BeyondTrust, showed that of the 189 critical vulnerabilities discovered last year, 154 or 81% of the vulnerabilities could have been prevented if administrator rights had been removed.
Administrator rights, also known as admin rights, means that a user has privileges to perform virtually all functions within an operating system on a computer. These privileges include the installation of software and hardware, installation of updates and configuring or changing system settings.
Regularly Update Firewall Configuration
Regularly update your organization’s firewall to block data from certain locations, applications or ports, while at the same time allowing certain relevant and necessary data through.
Monitor for Suspicious User Behavior
Another way to prevent or mitigate the effects of misconfiguration is by monitoring suspicious user behavior. In monitoring suspicious user behavior, your organization needs to have a baseline normal user data. From this baseline data, suspicious behavior can then be detected, such as geolocation-based anomalies, time-based anomalies and event-based anomalies.
The best way to evaluate your current access controls is to perform an independent IT audit. Most IT and business executives are surprised by the results and are able to take an immediate action moving toward better security controls.
Reduce the IT risks today by speaking with one of our cybersecurity experts. Connect with ustoday.
Steve E. Driz, I.S.P., ITCP