Avatar

Let’s say that, during the middle of a busy day, you receive what looks like a work-related email with a QR code. The email claims to come from a coworker, requesting your help in reviewing a document.  You scan the QR code with your phone and it takes you to what looks like a Microsoft 365 sign-in page. You enter your credentials; however, nothing seems to load.  

Not thinking much of it, and being a busy day, you continue to go about your work. A couple minutes later a notification buzzes your phone. Not picking it up immediately, another notification comes. Then another, and another after that.  

Wondering what’s going on, you grab the phone to find a series of multi-factor authentication (MFA) notifications. You had just attempted to log into Microsoft 365, maybe there was a delay in receiving the MFA notification? You approve one and return to the Microsoft 365 page. The page still hasn’t loaded, so you get back to work and resolve to check it later. 

This is very similar to an attack that Cisco Talos Intelligence discusses in their latest Talos Incident Response (IR) Quarterly Report. In this case the Microsoft 365 sign-in page was fake, set up by threat actors. These attackers used compromised credentials to repeatedly attempt to sign in to the company’s real Microsoft 365 page, triggering the series of MFA notifications—an attack technique known as MFA exhaustion. In the end, some employees who were targeted approved the MFA requests and the attackers gained access to these accounts. 

More than the annoyance of changing your password 

While the use of QR codes is a relatively recent development in phishing, attacks like the one described by Talos have been around for years. Most phishing attacks employ similar social engineering techniques to trick users into turning over their credentials. Phishing is frequently one of the top means of gaining initial access in the Talos Incident Response Quarterly Report.  

Attackers hammering MFA-protected accounts is also a concerning development in the identity threat landscape. But sadly, most successful credential compromise attacks occur with accounts that don’t have MFA enabled.   

According to this quarter’s Talos IR report, using compromised credentials on valid accounts was one of two top initial access vectors. This aligns with findings from Verizon’s 2023 Data Breach Investigations Report, where the use of compromised credentials was the top first-stage attack (initial access) in 44.7% of breaches.  

The silver lining is that this appears to be improving. Early last year, in research published by Oort1, now a part of Cisco, found that 40% of accounts in the average company had weak or no MFA in the second half of 2022. Looking at updated telemetry from February 2024, this number has dropped significantly to 15%. The change has a lot to do with wider understanding of identity protection, but also an increase in awareness thanks to an uptick in attacks that have targeted accounts relying on base credentials alone for protection. 

How credentials are compromised 

Phishing, while one of the most popular methods, isn’t the only way that attackers gather compromised credentials. Attackers often attempt to brute force or password spraying attacks, deploying keyloggers, or dumping credentials. 

These are just a few of the techniques that threat actors use to gather credentials. For a more elaborate explanation, Talos recently published an excellent breakdown of how credentials are stolen and used by threat actors that is worth taking a look at. 

Not all credentials are created equal 

Why might an attacker, who has already gained access to a computer, attempt to gain new credentials?  Simply put, not all credentials are created equal. 

While an attacker can gain a foothold in a network using an ordinary user account, it’s unlikely they’ll be able to further their attacks due to limited permissions. It’s like having a key that unlocks one door, where what you’re really after is the skeleton key that unlocks all the doors.   

That skeleton key would be a high-level access account such as an administrator or system user. Targeting administrators makes sense because their elevated privileges allow an attacker more control of a system. And target them they do. According to Cisco’s telemetry, administrator accounts see three times as many failed logins as a regular user account.  

Another resource threat actors target is credentials for accounts that are no longer in use. These dormant accounts tend to be legacy accounts for older systems, accounts for former users that have not been cleared from the directory, or temporary accounts that are no longer needed. Sometimes the accounts can include more than one of the above options, and even include administrative privileges.  

Dormant accounts are an often-overlooked security issue. According to Cisco’s telemetry, 39% of the total identities within the average organization have had no activity within the last 30 days. This is a 60% increase from 2022.  

Guest accounts are an account type that repeatedly gets overlooked. While a convenient option for temporary, restricted access, these often password-free accounts are frequently left enabled long after they are needed.   

And their use is increasing. In February 2024, almost 11% of identities examined are guest accounts— representing a 233% jump from the 3% reported in 2022. While we can only speculate, it is possible that cloud-adoption and remote work contributed to this rise, as enterprises used temporary accounts to stage new services and applications or enable remote workloads in the short-term. The use of temporary accounts is understandable, but if they’re forgotten or ignored, these shortcuts represent a serious risk.  

Reducing the impact of compromised credentials 

It goes without saying that protecting credentials from being compromised and abused is important. However, eradicating this threat is challenging.   

One of the best ways to defend against these attacks is by using MFA. Simply confirming that a user is who they say they are—by checking on another device or communication form—can go a long way towards preventing compromised credentials from being used.  

Duo MFA, now available as part of Cisco User Protection Suite, provides robust security that is flexible for users, but rigid against the use of compromised credentials. The interface provides a simple and fast, non-disruptive authentication experience, helping users focus their time on what matters most. 

MFA is not a silver bullet 

No doubt, deploying MFA can help in prevent compromised credential abuse. However, it isn’t a silver bullet. There are a few ways that threat actors can sidestep MFA.  

Some MFA forms, such as those that use SMS, can be manipulated by threat actors. In these cases—frequently referred to as Adversary in the Middle (AitM) attacks—the attacker intercepts the MFA SMS, either through social engineering or by compromising the mobile device. The attacker can then input the MFA SMS when prompted and gain access to the targeted account. 

The good news here is that there has been a drop in the use of SMS as a second factor. In 2022, 20% of logins leveraged SMS-based authentication. As of February 2024, this number has declined 66%, to just 6.6% of authentications. That is a tremendous change, and a positive one at that. In addition to AitM attacks, SIM swapping attacks have all but rendered SMS-based authentication checks useless.  

This is backed up by research coming from the 2024 Duo Trusted Access Report, where using SMS texts and phone calls as a second factor has dropped to 4.9% of authentications, compared to 22% in 2022. 

Going passwordless 

If you really want to reduce your reliance on passwords when confirming credentials, another option is Duo’s passwordless authentication. Passwordless authentication is a group of identity verification methods that don’t rely on passwords at all. Biometrics, security keys, and passcodes from authenticator apps can all be used for passwordless authentication. 

Based on the numbers, passwordless is the new trend. In 2022, phishing resistant authentication methods such as passwordless accounted for less than 2% of logins. However, in 2024, Cisco’s telemetry shows this number is climbing, currently representing 20%, or nearly a 10x increase. This is great news, but still highlights a critical point—80% are still not using strong MFA.  

Protecting MFA from threat actors 

Recall the MFA exhaustion attack Talos described in their latest IR report.  

Talos’ example does highlight how there are select circumstances where attackers can still get past MFA. A distracted or frustrated user may simply accept a notification just to silence the application. In this case, user education can go a long way towards preventing these attacks from succeeding, but there is more that can be done.  

Cisco has recently introduced the first-of-its-kind Cisco Identity Intelligence to help protect against identity-based attacks like these. This groundbreaking technology can detect unusual identity patterns, based on behavior, when combined with Duo.  

To illustrate, let’s look at when the threat actor begins hammering the login with the compromised credentials. Identity Intelligence can recognize anomalies such as MFA floods, as well as the moment the user gets annoyed and accepts the request.  

It can also pinpoint anomalies such as a user signing in from an unmanaged device in a location that would be impossible for them to reach—say Peculiar, Missouri—given they had just logged in an hour ago from Normal, Illinois.  

Cisco Identity Intelligence will directly address the visibility gap between authenticated identities and trusted access by a data-driven and AI-first approach. Cisco Identity Intelligence is a multi-sourced, vendor agnostic, investment-preserving solution that works across the existing identity stack and brings together authentication and access insights to deliver a very strong security defense.  

Cisco customers interested in signing up for the public preview can fill out a request to join today.  


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Security on social!

Cisco Security Social Channels

Instagram
Facebook
Twitter
LinkedIn



Authors

Ben Nahorney

Threat Intelligence Analyst

Cisco Security