The SolarWinds attack has been in the news a lot lately. In short, bad actors managed to inject malware into an update to the SolarWinds Orion platform, compromising the popular network software. Since Orion runs on thousands of internal networks worldwide, attackers potentially gained privileged access to countless servers.
While SolarWinds has since scrubbed the malicious software from its downloads page, the event was illustrative of the threats facing modern businesses. There are several ways for malicious users to target companies running compromised network software. In this post, we’ll look at a type of intrusion carried out by the SolarWinds hackers that is relevant to the authentication space: attacks that affect authentication cookies.
How would an attacker compromise authentication cookies?
There’s more than one way to break into a network, because attackers have to compromise a variety of security tools to gain illicit access.
As Ars Technica reported, the hackers who carried out the devastating supply chain attack on SolarWinds have also been tied to other events in 2019 and 2020. One of these attacks, carried out on a think tank, demonstrates that the bad actors have found a way to attack multi-factor authentication (MFA) systems. Due to the prevalence of MFA as a security tool, it’s concerning that this group has compromised it at least once.
Here’s how an attack on a company’s MFA tools might work:
- The attacker successfully injects malware into an update to a common network software tool, which is what happened to SolarWinds Orion.
- The malware gives the hacker administrator privileges, granting access to keys from the MFA authentication server.
- The hacker uses the stolen keys to produce a cookie on their endpoint device. The authentication server reads that cookie, believes the attacker has been authenticated before, and accepts that device without need for further authentication.
- The attacker gains authenticated user privileges and can do anything a person with legitimate access could.
This breakdown shows how hacks like the SolarWinds attack start with the injection of the malware into the update supply chain, but they don’t stop there. Many more sophisticated attack methods follow, allowing the hackers to circumvent common authentication methods.
What do MFA compromises mean for security?
The good news is that MFA, especially FIDO and other asymmetric-key-based authentication, has made it more difficult to steal your identity. The bad news is that attackers target the weakest link in security: passwords, biometrics, SMS, one-time passwords, and, by extension, cookies and federated authentication.
When discussing the process and aftermath of the SolarWinds attackers’ MFA hack, Volexity stated that “It should be noted this is not a vulnerability with the MFA provider and underscores the need to ensure that all secrets associated with key integrations, such as those with an MFA provider, should be changed following a breach.”
Perhaps. After all, if the MFA is bypassed, the vulnerability is not the MFA itself. However, it is still a shortcoming of the authentication server, which ultimately is the MFA provider. Maybe the consensus in the industry is that it’s understandable to use cookies. In that case, it’s not the MFA provider’s shortcoming, but the industry’s lack of adequate solutions for this problem.
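The cookie step in the list above and the secret rotation Volexity recommends, shown as an added example that is not from the original post or from any MFA vendor: a “remember this device” cookie signed with a server-held HMAC key proves only that whoever minted it had the key, so retiring the key after a breach is what invalidates every outstanding cookie. The cookie layout, key IDs, and function names are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

# Constructed sample key; a real server would load it from a secret store.
KEYS = {"k1": b"constructed-sample-key-1"}
ACTIVE_KID = "k1"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _sign(kid: str, payload: str) -> str:
    mac = hmac.new(KEYS[kid], f"{kid}.{payload}".encode(), hashlib.sha256)
    return _b64(mac.digest())

def issue_cookie(user: str, ttl: int = 30 * 86400, now=None) -> str:
    """Mint a hypothetical 'remember this device' cookie after a full MFA login."""
    now = time.time() if now is None else now
    claims = {"user": user, "exp": int(now) + ttl}
    payload = _b64(json.dumps(claims).encode())
    return f"{ACTIVE_KID}.{payload}.{_sign(ACTIVE_KID, payload)}"

def verify_cookie(cookie: str, now=None):
    """Return the user who may skip MFA, or None if the cookie is not trusted."""
    now = time.time() if now is None else now
    parts = cookie.split(".")
    if len(parts) != 3 or parts[0] not in KEYS:
        return None  # malformed, or signed under a retired key
    kid, payload, sig = parts
    # The MAC proves only possession of KEYS[kid], not who minted the cookie.
    if not hmac.compare_digest(sig.encode(), _sign(kid, payload).encode()):
        return None
    padded = payload + "=" * (-len(payload) % 4)
    claims = json.loads(base64.urlsafe_b64decode(padded))
    return claims["user"] if claims["exp"] > now else None

def rotate_key(new_kid: str, new_key: bytes) -> None:
    """Post-breach rotation: retire every old key so outstanding cookies fail."""
    global ACTIVE_KID
    KEYS.clear()
    KEYS[new_kid] = new_key
    ACTIVE_KID = new_kid

if __name__ == "__main__":
    cookie = issue_cookie("alice")
    print("before rotation:", verify_cookie(cookie))
    rotate_key("k2", b"constructed-sample-key-2")
    print("after rotation: ", verify_cookie(cookie))
```

Rotation rejects legitimate remembered devices too, so every user goes through full MFA once more before a new cookie is issued under the new key.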
What if there was a better way to get this “remember me” functionality? Can these MFA bypass attacks be prevented? Yes, we believe so!
Come back for our next blog post to learn about this better solution and how it works.