
The Rising Threat: How APT Actors are Targeting MFA Systems

Multi-factor authentication (MFA) is a core control against unauthorised access to sensitive information in a constantly changing threat landscape. However, recent trends have shown that even this robust control is targeted by Advanced Persistent Threat (APT) actors. These state-sponsored, highly sophisticated threat groups frequently use clever tactics to bypass MFA protections and gain access to high-value targets.

Recent Incidents of MFA Targeting

One of the most notable incidents occurred in 2023 when APT29, a group believed to be associated with Russian intelligence, continued its campaign against Microsoft 365 users. By disabling licences that control security and compliance settings, APT29 effectively bypassed Purview Audit, a critical log source for detecting unauthorised mailbox access.

Another example is the "MFA fatigue" attack on Uber's IT systems in late 2023. The attackers employed social engineering tactics to overwhelm employees with MFA requests, eventually leading to a breach. This incident highlights the human factor as a vulnerability in MFA systems.
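MFA fatigue works because a flood of push prompts is normal-looking noise unless someone counts it. The detection below is an added example, not code from the article or from any vendor: it parses constructed push-notification log lines (a hypothetical `<timestamp> <user> <result>` format, not a real product's schema), slides a time window over each user's prompts, and flags users who receive at least `threshold` prompts inside the window. It also records whether an APPROVED event landed inside the burst, which is the case that most needs an analyst's attention.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample push-MFA log (not from the article). One event per line:
# "<ISO-8601 timestamp> <user> <result>", where result is APPROVED or DENIED.
SAMPLE_LOG = """\
2023-09-01T10:00:01 alice DENIED
2023-09-01T10:00:14 alice DENIED
2023-09-01T10:00:32 alice DENIED
2023-09-01T10:00:50 alice DENIED
2023-09-01T10:01:10 alice DENIED
2023-09-01T10:01:45 alice APPROVED
2023-09-01T10:05:00 bob APPROVED
2023-09-01T11:30:00 bob DENIED
2023-09-01T11:45:00 bob APPROVED
"""


def parse_events(text):
    """Parse the hypothetical log format into (timestamp, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result = line.split()
        events.append((datetime.fromisoformat(ts), user, result))
    return events


def detect_push_bombing(events, window=timedelta(minutes=5), threshold=4):
    """Flag users who receive >= threshold push prompts within a sliding window.

    Returns {user: {"peak_prompts": n, "approved_after_burst": bool}} for each
    user whose prompt rate crossed the threshold. approved_after_burst is True
    when an APPROVED result occurred while the burst condition was active,
    i.e. the fatigue attack may have succeeded.
    """
    per_user = defaultdict(list)
    for ts, user, result in events:
        per_user[user].append((ts, result))

    findings = {}
    for user, evs in per_user.items():
        evs.sort()
        recent = deque()            # timestamps of prompts inside the window
        peak = 0
        approved_after_burst = False
        for ts, result in evs:
            recent.append(ts)
            # Drop prompts that have aged out of the window.
            while recent and ts - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold:
                peak = max(peak, len(recent))
                if result == "APPROVED":
                    approved_after_burst = True
        if peak:
            findings[user] = {
                "peak_prompts": peak,
                "approved_after_burst": approved_after_burst,
            }
    return findings


if __name__ == "__main__":
    for user, finding in detect_push_bombing(parse_events(SAMPLE_LOG)).items():
        severity = "HIGH" if finding["approved_after_burst"] else "MEDIUM"
        print(f"[{severity}] {user}: {finding['peak_prompts']} prompts in window, "
              f"approved during burst: {finding['approved_after_burst']}")
```

On the constructed log, alice receives six prompts in under two minutes and approves the last one, so she is flagged with `approved_after_burst` set; bob's three prompts are spread over more than an hour and produce no finding. The window and threshold are assumptions to tune against your own baseline of legitimate re-prompts.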

The Cisco Incident

Just last week, a new example of APT targeting came to light with an attack on Cisco's infrastructure. APT actors exploited CVE-2017-6742 in Cisco routers to conduct reconnaissance and deploy malware. This incident underscores the importance of keeping security measures up to date and monitoring network infrastructure for signs of compromise.

Exploiting Vulnerabilities

APT groups are known for their patience and persistence. They often exploit zero-day vulnerabilities or leverage social engineering tactics to achieve their goals. Exploitation of CVE-2022-47966 is a case in point: APT actors gained unauthorised access to a public-facing application and established persistence within the network.

How to Avoid Falling for APT Attacks

To defend against these sophisticated attacks, organisations must adopt a multi-layered security approach. Here are some suggestions:

  • Regular Security Audits: Conduct thorough and regular audits of your security systems to identify and patch vulnerabilities.
  • Employee Training: Educate employees on recognising social engineering attempts and following security protocols.
  • Layered Security Measures: Implement additional security layers beyond MFA, such as endpoint detection and response (EDR) and security information and event management (SIEM) systems.
  • Adaptive Authentication: Use adaptive authentication methods that consider user behaviour and context to assess risk and adjust security measures accordingly.
  • Hardware Security Keys: Encourage using hardware security keys, which provide a more secure alternative to other forms of MFA.
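The adaptive-authentication and hardware-key points above combine naturally into one policy: score the context of a login attempt and let that score decide which factors are acceptable. The code below is an added example, not the article's or any product's implementation. The baseline profile, the signal weights, the score bands and the factor names (`hw_key`, `totp`, `push`, `sms`) are all assumptions chosen to illustrate the idea; a real deployment would derive the baseline from identity-provider history and tune the weights.

```python
from dataclasses import dataclass

# Constructed per-user baseline (hypothetical): known devices, usual countries
# and the hours (UTC) during which the user normally signs in.
BASELINE = {
    "alice": {
        "devices": {"laptop-1"},
        "countries": {"GB"},
        "work_hours": range(7, 20),
    },
}

# Factors treated as phishing-resistant for step-up purposes (assumption:
# only hardware security keys qualify in this example policy).
PHISHING_RESISTANT = {"hw_key"}

# Signal weights (assumed values, not from the article).
WEIGHT_NEW_DEVICE = 30
WEIGHT_NEW_COUNTRY = 40
WEIGHT_OFF_HOURS = 10


@dataclass
class LoginContext:
    user: str
    device_id: str
    country: str
    hour_utc: int   # hour of day of the attempt, 0-23
    factor: str     # factor presented: "hw_key", "totp", "push" or "sms"


def context_risk(ctx, baseline=BASELINE):
    """Score 0-100 from how far the attempt departs from the user's baseline."""
    profile = baseline.get(ctx.user)
    if profile is None:
        return 100  # no baseline at all: treat as maximum risk
    score = 0
    if ctx.device_id not in profile["devices"]:
        score += WEIGHT_NEW_DEVICE
    if ctx.country not in profile["countries"]:
        score += WEIGHT_NEW_COUNTRY
    if ctx.hour_utc not in profile["work_hours"]:
        score += WEIGHT_OFF_HOURS
    return min(score, 100)


def decide(ctx, baseline=BASELINE):
    """Return "allow", "step_up" (a phishing-resistant factor is required) or "deny"."""
    score = context_risk(ctx, baseline)
    if score >= 70:
        # High risk: no factor is accepted; route to manual review.
        return "deny"
    if score >= 30:
        # Medium risk: push and OTP codes can be phished or fatigued, so only a
        # phishing-resistant factor satisfies the challenge.
        return "allow" if ctx.factor in PHISHING_RESISTANT else "step_up"
    # Low risk: any factor except SMS is accepted (policy choice in this example).
    return "allow" if ctx.factor != "sms" else "step_up"


if __name__ == "__main__":
    attempts = [
        LoginContext("alice", "laptop-1", "GB", 10, "totp"),
        LoginContext("alice", "phone-9", "GB", 10, "push"),
        LoginContext("alice", "phone-9", "GB", 10, "hw_key"),
        LoginContext("alice", "phone-9", "US", 2, "sms"),
        LoginContext("mallory", "laptop-1", "GB", 10, "hw_key"),
    ]
    for a in attempts:
        print(f"{a.user:8} device={a.device_id:9} {a.country} {a.hour_utc:02d}h "
              f"{a.factor:7} risk={context_risk(a):3} -> {decide(a)}")
```

The shape matters more than the numbers: a familiar device at a usual hour passes with an ordinary factor, an unfamiliar device is accepted only with a hardware key, and an unfamiliar device from a new country at night is denied regardless of the factor presented. Unknown users fall through to the deny branch because there is no baseline to score against.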

The Risks of Using SMS as MFA

While discussing MFA, it's crucial to address the risks associated with using SMS as a form of authentication. SMS-based MFA is vulnerable to interception, social engineering, and SIM-swapping attacks. The lack of encryption and the possibility of network outages make SMS a less secure option. Organisations should consider more secure alternatives, such as authenticator apps, hardware tokens, or biometric authentication.

The Way Forward

As APT groups continue to adapt and refine their strategies, our defences must evolve to protect against these sophisticated threats. By staying informed and implementing robust security measures, organisations can better safeguard their assets and data against the rising tide of APT attacks.