A Reminder to Batten Down the Hatches on World Password Day

Password security is critical every day, but World Password Day — celebrated on May 5 — is an important reminder to review your security program. It’s especially vital this year due to a rapid increase in attacks, especially of the cybersecurity variety, designed to get around measures that make account logins more secure.

More Than a Password

First and foremost, it’s still important to use strong passwords. BlueVoyant continues to observe large volumes of compromised credentials being sold on dark web forums, which are in turn used to breach victim organizations. Organizations should practice strong password hygiene, ensuring they have monitoring in place to detect when their credentials are compromised and potentially being sold by cyber criminals.

In addition to password hygiene, organizations should enable multi-factor authentication (MFA) by default across their ecosystem. Compared to merely using a password, MFA is a more secure way of authentication that requires users to provide at least two verification factors to access a device or account. BlueVoyant has seen threat actors move on from potential victim organizations once they determine MFA is in place.

MFA-Bypass Attacks

Unfortunately, given the uptick in organizations using MFA in their cyber defense, there’s been a recent increase in MFA-bypass attacks. These attacks rely on social engineering techniques to lure and trick users into accepting fake MFA requests.

Some specific attack methods include sending a large amount of MFA requests and hoping the target finally accepts one to make the noise stop, or sending one or two prompts per day, which attract less attention but still mean there’s a good chance that the target will accept the request. Attackers will also use more aggressive social engineering, such as ”vishing” or voice phishing, which requires calling the target, pretending to be part of a trusted company, and telling the target they need to send an MFA request as part of a company process. Sometimes, instead of a live person, attackers even use bots to call.

Recently, some well-known hacking groups have gotten around MFA controls to breach large, global companies, leading the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to issue an alert. According to Computer Weekly, one such type of attack called “pass-the-cookie” involves criminals using stolen session cookies to authenticate web apps or services. Though certainly not a new type of attack, this allows criminals to bypass MFA because their session was previously authenticated.

Better Safe Than Sorry

An organization’s employees can help serve as a first line of defense against these types of attacks. As part of your security awareness program, train employees to reject any MFA requests they are unsure of — and only accept those they initiate themselves. Strong passwords are just one piece of the security puzzle, but strengthening your organization’s password security is a great place to start.

Sadiq Khan serves as chief information security officer at BlueVoyant.