The hackers behind the supply chain attack that compromised public and private organizations have devised a clever way to bypass multi-factor authentication systems that protect the networks they are targeting.
Researchers at security firm Volexity said on Monday that in late 2019 and early 2020 they encountered the same attackers breaking into a single think tank no fewer than three times.
During one of those incident responses, Volexity researchers noticed that the hackers were using a novel technique to bypass the MFA protection provided by Duo. After gaining administrative privileges on the compromised network, the hackers used that unrestricted access to steal the Duo integration secret key, known as the akey, from a server running Outlook Web App, the Exchange webmail front end that enterprises also use to authenticate accounts for various network services.
The hackers then used the akey to forge the second-factor session cookie in advance, so that once they held a valid username and password they could take over the account without ever being challenged for a second factor. Volexity tracks the state-sponsored group as Dark Halo. Researchers Damien Cash, Matthew Meltzer, Sean Koessel, Steven Adair and Thomas Lancaster wrote:
Toward the end of the second incident Volexity worked involving Dark Halo, the actor was observed accessing a user's email account through OWA. This was unexpected for several reasons, not least because the targeted mailbox was protected by MFA. Logs from the Exchange server showed that the attacker provided username and password authentication as usual but was not challenged for a second factor through Duo. The logs from the Duo authentication server further showed that no attempts had been made to log into the account in question. Volexity was able to confirm that session hijacking was not involved and, through a dump of the OWA server, could also confirm that the attacker had presented a cookie tied to a Duo MFA session called duo-sid.
Volexity's investigation into this incident determined that the attacker had accessed the Duo integration secret key (akey) from the OWA server. This key then allowed the attacker to derive a pre-computed value to be set in the duo-sid cookie. After successful password authentication, the server evaluated the duo-sid cookie and determined it to be valid. This allowed the attacker, with knowledge of a user account and password, to completely bypass the MFA set on the account. This event underscores the need to ensure that all secrets associated with key integrations, such as those with an MFA provider, are changed following a breach. Further, it is important that not only are passwords changed after a breach, but that passwords are not set to something similar to the previous password (e.g., Summer2020! versus Spring2020! or SillyGoo$e3 versus SillyGoo$e2).
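To make the mechanism concrete, the following is an added illustrative model of the bypass. It is example code written for this article, not Volexity's or Duo's code, and the cookie layout, the HMAC construction, the session lifetime and the key values are all assumptions standing in for Duo's real duo-sid format. What it shows is the property that matters: the second-factor cookie is verified locally with the integration secret, so whoever holds that secret can mint a cookie the server accepts without any Duo prompt or Duo log entry, and only rotating the secret invalidates what was forged.

```python
import hashlib
import hmac

# Constructed sample values standing in for the Duo integration "akey".
# Not real keys; the cookie scheme below is a simplified model, not Duo's
# actual duo-sid format.
AKEY = "a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f90"
ROTATED_AKEY = "0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0"
SESSION_TTL = 8 * 3600  # seconds a second-factor session stays valid (assumed)


def _tag(akey: str, payload: str) -> str:
    """HMAC over the cookie payload, keyed with the integration secret."""
    return hmac.new(akey.encode(), payload.encode(), hashlib.sha256).hexdigest()


def mint_session_cookie(akey: str, username: str, issued_at: int) -> str:
    """Legitimate path: the server mints this after a real Duo challenge succeeds."""
    payload = f"{username}|{issued_at}"
    return f"{payload}|{_tag(akey, payload)}"


def cookie_is_valid(akey: str, cookie: str, username: str, now: int) -> bool:
    """Server-side check. It needs only the local akey: Duo is never contacted."""
    try:
        user, issued, tag = cookie.split("|")
        issued_at = int(issued)
    except ValueError:
        return False
    if user != username or not 0 <= now - issued_at <= SESSION_TTL:
        return False
    return hmac.compare_digest(tag, _tag(akey, f"{user}|{issued_at}"))


def forge_session_cookie(stolen_akey: str, username: str, now: int) -> str:
    """Attacker path: with the akey in hand the attacker mints exactly the cookie
    the server would, with no push, no phone and no Duo log entry."""
    return mint_session_cookie(stolen_akey, username, now)


def owa_login(akey, username, password, cookie, now, user_db, duo_log):
    """Simplified OWA + Duo flow: password first, then the second factor,
    which is skipped when a valid session cookie is presented."""
    if user_db.get(username) != password:
        return "denied"
    if cookie is not None and cookie_is_valid(akey, cookie, username, now):
        return "granted"  # no Duo challenge, nothing written to duo_log
    duo_log.append((now, username))  # a real deployment would send a push here
    return "mfa_challenge"


def demo():
    users = {"alice": "Spring2020!"}  # constructed credential the attacker already holds
    duo_log = []
    now = 1_604_311_200
    forged = forge_session_cookie(AKEY, "alice", now)

    before = owa_login(AKEY, "alice", "Spring2020!", forged, now, users, duo_log)
    duo_events_before = len(duo_log)
    reused_for_other_user = cookie_is_valid(AKEY, forged, "bob", now)
    # Rotating the integration secret invalidates every cookie minted under the old one.
    after = owa_login(ROTATED_AKEY, "alice", "Spring2020!", forged, now, users, duo_log)
    return {
        "before_rotation": before,
        "duo_events_before": duo_events_before,
        "cookie_reused_for_other_user": reused_for_other_user,
        "after_rotation": after,
        "duo_events_after": len(duo_log),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the model is the asymmetry in the logs: the forged cookie is accepted before the code path that would contact Duo is ever reached, which is why the Exchange logs show a password login and the Duo logs show nothing. Rotating the secret after the breach is the only change in the model that turns the attacker's stored cookie back into a prompt.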
Volexity's report on Dark Halo confirms other researchers' observations that the hackers are highly skilled. Volexity said the attackers returned repeatedly after the think tank customer believed the group had been ejected. Ultimately, according to Volexity, the attackers "could go undetected for several years".
Both the Washington Post and the New York Times have quoted government officials, granted anonymity, who say the group behind the hacks is known as both APT29 and Cozy Bear, an advanced persistent threat group believed to be part of the Russian Federal Security Service (FSB).
While the MFA provider in this case was Duo, it could just as easily have been one of Duo's competitors. Threat models for MFA generally do not contemplate a complete compromise of the OWA server that performs the verification; the level of access the hackers achieved was enough to neutralize almost any defense.
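Because the forged cookie never reaches Duo, the only trace Volexity describes is the discrepancy between the two log sources: a successful password login on Exchange with no matching Duo authentication event. The following is an added detection sketch for that discrepancy, written for this article rather than taken from Volexity's post or any vendor tooling. The log formats, field order, the 60-second challenge window and the 8-hour remembered-session window are all assumptions; real Exchange and Duo exports would need their own parsers.

```python
from datetime import datetime, timedelta

# Constructed sample records (field layout assumed, not real Exchange or Duo output).
# OWA line:  <utc-time> <user> <result> <client-ip>
# Duo line:  <utc-time> <user> <result> <factor>
OWA_AUTH_LOG = """\
2020-11-02T09:14:05Z alice success 203.0.113.7
2020-11-02T09:20:41Z bob success 198.51.100.22
2020-11-02T11:02:59Z carol success 192.0.2.55
2020-11-03T02:10:17Z alice success 198.51.100.9
"""

DUO_AUTH_LOG = """\
2020-11-02T09:14:08Z alice SUCCESS push
2020-11-02T09:20:44Z bob SUCCESS push
2020-11-02T11:03:03Z carol FAILURE push
"""

CHALLENGE_WINDOW = timedelta(seconds=60)  # assumed: Duo event expected this soon after the password step
REMEMBER_WINDOW = timedelta(hours=8)      # assumed: remembered-device / second-factor session lifetime
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def _parse(text):
    """Turn the constructed log text into (timestamp, user, RESULT, extra) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, extra = line.split()
        rows.append((datetime.strptime(ts, TS_FORMAT), user, result.upper(), extra))
    return rows


def find_mfa_gaps(owa_text=OWA_AUTH_LOG, duo_text=DUO_AUTH_LOG):
    """Flag OWA password logins that are not explained by any Duo success.

    A login is considered covered when the same user has a Duo SUCCESS either
    shortly after it (a fresh challenge) or within the remembered-session window
    before it. Anything else is returned as a finding with a reason string.
    """
    duo_by_user = {}
    for ts, user, result, _factor in _parse(duo_text):
        duo_by_user.setdefault(user, []).append((ts, result))

    findings = []
    for ts, user, result, client_ip in _parse(owa_text):
        if result != "SUCCESS":
            continue
        events = duo_by_user.get(user, [])
        covered = any(
            r == "SUCCESS" and ts - REMEMBER_WINDOW <= t <= ts + CHALLENGE_WINDOW
            for t, r in events
        )
        if covered:
            continue
        denied_nearby = any(
            r != "SUCCESS" and abs(t - ts) <= CHALLENGE_WINDOW for t, r in events
        )
        reason = "duo_denied_but_owa_granted" if denied_nearby else "no_duo_event"
        findings.append((ts.strftime(TS_FORMAT), user, client_ip, reason))
    return findings


if __name__ == "__main__":
    for finding in find_mfa_gaps():
        print(" ".join(finding))
```

Two caveats apply before treating a hit as a forged cookie. A legitimate remembered-device session also produces a password login with no Duo event, so the window above must match what the integration is actually configured to allow, otherwise every returning user is a false positive. And a Duo integration configured to fail open during an outage produces the same signature; rule that out from the Duo-side logs for the same period before escalating. A hit that survives both checks is the lead that, in Volexity's account, pointed at the OWA server's copy of the integration secret.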
In a statement, Duo officials wrote:
Duo Security at Cisco is aware of a recent blog post from a security researcher that discussed several security incidents observed by a specific group of threat actors over the past year. One of these incidents involved Duo's integration for Outlook Web Application (OWA).
The incidents described were not caused by a security vulnerability in Duo's products.
Rather, the post describes an attacker who had obtained privileged access to the integration credentials used to manage the Duo service within a customer environment that had already been compromised, e.g. an e-mail server.
In order to reduce the likelihood of such an event, it is important to protect an integration's secrets from being compromised within a company and to rotate the secrets if a compromise is suspected. The compromise of a service integrated with an MFA provider can lead to the exposure of the integration secrets and potential access to a system and data protected by MFA.
According to Volexity, Dark Halo's main goal was to obtain the emails of specific individuals within the think tank. The security firm describes Dark Halo as a sophisticated threat actor that it has not tied to any publicly known threat actor.
Post updated to add comment from Duo.