Cisco’s Talos security intelligence team recently shared details on how an employee’s account was breached and their data was compromised. The adversary in this case has been tracked back to an initial access broker (IAB) with ties to different ransomware and cybercrime groups such as Lapsus$, UNC2447 and Yanluowang.
Kudos to Cisco for sharing the details so that we can all learn from this breach as a security community. Once again, the root of the attack centered around stolen credentials and coercing the employee into approving a push notification to bypass existing MFA mechanisms.
What stands out about this breach is the lengths the attackers were willing to go to and the different types of methods they used to target the employee’s account. Attackers employed methods ranging from stealing credentials of the employee’s personal account to MFA fatigue and finally making multiple passes at different social engineering or vishing attempts.
With all of these methods in play for potential IABs or other threat actors, the question remains: How can organizations help their user community identify these attacks, and what can organizations do proactively to minimize the impact?
The First Lesson of the Cisco Data Breach: MFA Matters
Let’s start by focusing on MFA. MFA, or multi-factor authentication, is one of the best tools available for minimizing the risks associated with compromised credentials. MFA comes in a variety of forms – most commonly, SMS texts, phone calls, push notifications, and phishing-resistant methods such as PIV and FIDO2.
Detractors of MFA policies may point to this incident, where MFA apparently failed, as evidence that MFA does not work. We disagree. Having any form of MFA is better than not having MFA at all, as illustrated by this breach. In a hypothetical world where Cisco was not using MFA, the attackers could have easily gained access to Cisco’s systems by simply typing in the compromised username and password they’d acquired.
In our real world, Cisco had implemented MFA in the form of a push notification system. This forced the attackers to do extra work, in the form of a vishing campaign, to gain access to the account.
Takeaway: use MFA.
The Second Lesson of the Cisco Data Breach: Train Employees to Handle MFA Fatigue and Vishing
Push notifications, or “push apps,” are a form of MFA where the account holder must authorize access by confirming the authentication attempt on another device – usually a mobile app on a cell phone in their possession.
There are two well-known attack vectors for push apps. The first is push app fatigue, where the victim is inundated with push app requests initiated by the attacker. The attacker will continue to trigger the push app requests until the victim authorizes the push, either to make it go away or thinking that the push app requests were sent in error. This is a subtype of “MFA fatigue,” which similarly relies on overwhelming an MFA system so that the victim cannot work or use their devices, and therefore gives in to authorizing the request.
The second attack vector involves vishing (short for “voice phishing”), where the attacker uses social engineering tactics, such as posing as a help desk person, to persuade the victim to authorize the push request in what will seem like a legitimate setting.
For both attack vectors, education is key, and mitigating these threats requires an alert victim who can identify that something is out of place and knows how to report it. Additionally, organizations should employ best practices by limiting where and how push apps can be installed and registered with a user’s account and should look for push notification apps that can help limit the risk of an MFA fatigue scenario.
Takeaway: train your users and employ good practices to reduce the risk of falling prey to MFA fatigue and vishing.
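As an added example (not Cisco’s or Axiad’s code), here is a small Python detector that scans authentication log lines for the MFA fatigue pattern described above: several push prompts sent to one user within a short window, followed by an approval. The log format, field names and event names are assumptions, and the log lines are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real vendor output). Assumed format:
# "<ISO timestamp> user=<name> event=<push_sent|push_denied|push_approved>"
SAMPLE_LOG = """\
2022-08-10T14:00:05Z user=jdoe event=push_sent
2022-08-10T14:00:20Z user=jdoe event=push_denied
2022-08-10T14:00:41Z user=jdoe event=push_sent
2022-08-10T14:01:03Z user=jdoe event=push_sent
2022-08-10T14:01:30Z user=jdoe event=push_denied
2022-08-10T14:02:15Z user=jdoe event=push_sent
2022-08-10T14:02:22Z user=jdoe event=push_approved
2022-08-10T14:05:00Z user=asmith event=push_sent
2022-08-10T14:05:09Z user=asmith event=push_approved
"""

def parse_line(line):
    """Split one assumed-format log line into (timestamp, user, event)."""
    ts, user, event = line.split()
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            user.split("=", 1)[1], event.split("=", 1)[1])

def detect_push_fatigue(log_text, window=timedelta(minutes=5), threshold=3):
    """Return (user, prompt_count, approval_time) alerts.
    An alert fires when a user was sent at least `threshold` push prompts
    within `window` and then approved one: a normal login needs one prompt,
    so a burst of prompts ending in an approval is the trace MFA fatigue leaves."""
    recent = defaultdict(list)   # user -> timestamps of recent push_sent events
    alerts = []
    for line in log_text.strip().splitlines():
        ts, user, event = parse_line(line)
        # Keep only prompts that still fall inside the sliding window.
        recent[user] = [t for t in recent[user] if ts - t <= window]
        if event == "push_sent":
            recent[user].append(ts)
        elif event == "push_approved" and len(recent[user]) >= threshold:
            alerts.append((user, len(recent[user]), ts))
            recent[user] = []   # reset so one campaign yields one alert
    return alerts

if __name__ == "__main__":
    for user, n, ts in detect_push_fatigue(SAMPLE_LOG):
        print(f"ALERT: {user} approved a push after {n} prompts within 5 min at {ts:%H:%M:%S}")
```

On the constructed sample, jdoe (four prompts, two denials, then an approval) is flagged while asmith (one prompt, one approval) is not; tune `window` and `threshold` to your own push volume before using this as a detection rule.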
The Third Lesson of the Cisco Data Breach: Passwords Remain Vulnerable
At the root of this attack is one common factor that comes up again and again: a compromised password. For organizations to truly move past these types of attacks, phishing-resistant methods of authentication that dramatically reduce the importance of passwords need to be employed. These protect the organization and keep your user community from having to play security cop.
With the advancement in different attack techniques, anyone in your organization could be a victim. Phishing-resistant authentication can help by alleviating the need to rely on passwords and other shared secrets and can eliminate more phishable forms of MFA, such as push apps. This is a core principle as outlined by CISA, and it is a cornerstone of any Zero Trust deployment.
Takeaway: adopt phishing-resistant authentication to minimize the risk of compromised passwords.
At Axiad, we can help your organization implement technology that addresses all the lessons learned by this breach. Axiad Cloud provides key features such as phishing-resistant authentication and enhanced push app implementations as a SaaS offering. We aim to get your organization up and running with secure, strong authentication as quickly and easily as possible.
Our Axiad ID app was designed with scenarios such as MFA fatigue and interception in mind. We provide enhanced protection from MFA fatigue attacks by utilizing passwordless options for initiating a push request and provide extra security so that organizations can set rules to control where and when push apps can be registered to users.
If you’d like to try Axiad to see how we can help you with phishing-resistant authentication, give us a try for 30 days <https://www.axiad.com/try-axiad>.