Use multifactor authentication and be protected from ransomware—at least that’s what dozens of cybersecurity experts and the government advised. Even the Cybersecurity and Infrastructure Security Agency (CISA) states on its website: “MFA increases security because even if one credential becomes compromised, unauthorized users will be unable to meet the second authentication requirement and will not be able to access the targeted physical space, computing device, network, or database.”
Could CISA and others be wrong about MFA and ransomware? Earlier in 2022, CISA and the FBI released a joint cybersecurity advisory warning about MFA. State-sponsored Russian threat actors exploited a flaw in MFA protocols, taking “advantage of a misconfigured account set to default MFA protocols at a non-governmental organization (NGO), allowing them to enroll a new device for MFA and access the victim network.”
What was once considered a best practice to defend against ransomware is suddenly an attack vector.
“It is important for companies to understand that they must play a more active role in their own cybersecurity defense. With this MFA vulnerability, it proves that even the most secure-seeming security methods will not stop attackers, especially those sponsored by the Russian state,” said Julia O’Toole, CEO and founder of MyCena, in a formal statement.
Digital Access Was Always Flawed
“The flaws in MFA actually stem from an earlier design flaw,” O’Toole explained in an email interview. “This happened when we moved from the physical to the digital world and people started mixing identity and access.”
Consider how we gain access to physical spaces. To enter a building, we use a key or a passcode that was provided to us by a person who was able to confirm our identity with a photo ID card, the correct paperwork or simply based on personal knowledge.
The digital world lost those physical reference points and yet, the identity trust level increased. Businesses dropped the stringent requirements needed in the physical world and allowed their employees (and customers) to use their identities for access; users make their own keys or passwords to ‘open the doors’ of their network, systems and data. The end result is loss of control and visibility of corporate networks, leading to all sorts of cybersecurity incidents.
And, of course, the bad guys took advantage.
“When passwords are compromised, MFA turns out to be the first layer of protection; used alone, it is easy exploited and gives little security,” said O’Toole.
CISA and the FBI warned of the incident mentioned earlier, but there were more to follow. In January 2022, the hacking group Lapsus$ breached Okta, by simply sending repeated MFA approval requests to employees’ phones at third-party support provider Sitel in the early hours of the morning. The requests were approved because people wanted to get back to sleep.
Moving Beyond MFA
It’s going to be tough to break the MFA habit, especially since many organizations have finally trained their employees on the importance of adding that protective layer. But it is no longer enough to think that MFA is a foolproof method to keep networks safe from a ransomware attack.
If the government is warning of a flaw being exploited, it is because the cybercriminals are already way ahead—it’s time to move beyond reliance on MFA.
“The best option is to fix the access control problem at the design level,” said O’Toole. Technology that distributes strong and unique encrypted passwords to every employee for every system is one method to consider.
“People don’t know their passwords as they remain encrypted from creation, distribution, storage and use to expiry. As organizations control and secure their access from end to end, they eliminate the risks of human error, password fraud and password phishing,” said O’Toole.
Having access segmentation also gives companies cyber-resilience. “At the moment, from a compromised initial password, criminals can use lateral movement and privilege escalation to take over the network, extract and then encrypt files and launch a ransomware attack,” said O’Toole.
By fixing the design flaw in MFA, you eliminate the single access or single point of failure. “As individual passwords are only used when needed, in case of a supply chain attack, only one system is exposed while the others stay safe.”
Despite its warning, CISA still recommends MFA as a cybersecurity layer, but the recommendation comes with a caveat: “Before implementing, organizations should review configuration policies to protect against ‘fail open’ and re-enrollment scenarios.”
Ransomware attacks are getting worse, and news of these MFA flaws will only make protecting against ransomware more difficult. But it’s not impossible if cybersecurity teams consider different approaches—preferably those that verify user identity without the need for phones and fobs and requests for access that arrive in the middle of the night.