Think Your Sensitive Systems Are Secure? Think Again.

By Dana Tamir, VP Market Strategy for Silverfort

Let me start by saying – you should be using MFA (Multi-Factor Authentication) on Everything! Passwords are no longer enough to validate the identity of your users and MFA has been proven as the best way to minimize the risk of identity-based attacks. You should use MFA to secure all access to your most sensitive and most critical enterprise systems – if you have the option, implement it.

However, not all MFA solutions were created equal.

Originally, MFA solutions were designed for VPNs and then extended to support specific systems. They were designed to be implemented one system at a time. In today’s dynamic and complex networks, where we need to secure access by any user to any sensitive and critical asset – this approach is no longer practical. The implementation challenges leave too many sensitive systems unprotected. It only takes a single unprotected system to enable a breach. Once an adversary compromises a system and gains a foothold in the network, there are numerous techniques the adversary can use to elevate privileges and propagate throughout the network until a target system is reached.

But even if you have implemented MFA – your systems may remain exposed. Take for example most of the MFA solutions for MS Windows. These typically protect only local console logon and RDP access. They cannot add a secondary authentication prompt if you access Command line tools like PowerShell “Enter-PsSession” or “Invoke-Command,” or non-interactive logons (i.e. Log on as a Service, Log on as Batch, Scheduled Tasks, drive mappings, etc.).

And guess what: Hackers do not typically use local console logon and don’t need to utilize RDP access. The administrative interfaces mentioned above are much easier to exploit. In fact, we have documented cases where these exact tools were used to breach organizations and access systems that were “protected” by MFA solutions.

Here are five ways hackers can bypass your MFA solution and gain access to your most sensitive, most valuable, and most critical systems:

1. Remote PowerShell: Windows PowerShell remoting lets you run any Windows PowerShell command on one or more remote computers. PowerShell Remoting lets you establish persistent connections, start interactive sessions, or access full PowerShell sessions on remote Windows systems. If PowerShell remoting is enabled on the target machine, you can use the Invoke-Command and Enter-PSsession cmdlets to execute an interactive session on the target machine. During the session, the commands that you type run on the remote computer, just as if you were typing directly on the remote computer.
2. PSExec: This is a light-weight telnet replacement that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install software on the target machine. PsExec’s most powerful uses include launching interactive command-prompts on remote systems and remote-enabling that otherwise do not have the ability to show information about remote systems. It can be used, for example, to run credential-stealing tools like ‘Invoke Mimikatz’ on the target machine.
3. Remote Registry Editor: As the name implies, this is a service that enables remote administrators (or hackers) to connect to a desktop or server system and view/modify the Windows registry. The registry is a database located within the Windows operating system responsible for storing all the configuration settings for software applications, user preferences and more. The remote registry editor service allows you to add new keys, delete existing keys, edit keys, search, and import or export keys. Since this service can pose a security risk, many security experts strongly suggest that you restrict access or even disable the feature if it is not required for remote management purposes.
4. Remote Local Computer Management: This is a collection of tools that allow administrators (and hackers) to connect to a remote PC and manage local resources such as user accounts, services, and the device manager. Most if not all Windows Local Resources can be accessed and managed remotely using this toolset that comes built into the windows base install. This is very handy and a great time saver when doing remote support. It is also handy for adversaries that have credentials with Admin rights on the remote machine they wish to manage since no MFA will be prompted to request a 2nd authentication.
5. Exploiting the Lock Screen Bypass Vulnerability (CVE-2019-9510): Disclosed in 2019, this vulnerability in Microsoft Windows Remote Desktop Protocol (RDP) can be exploited by client-side attackers to bypass the lock screen on remote desktop (RD) sessions. The vulnerability resides in the way Microsoft Windows Remote Desktop feature requires clients to authenticate with Network Level Authentication (NLA). When a network anomaly occurs it could trigger a temporary RDP disconnect, but upon automatic reconnection, the RDP session will be restored to an unlocked state. The RDP session will be restored without considering the status of the remote system before the disconnection. An attacker can interrupt the network connectivity of the RDP client system, this will cause the session with the remote system being unlocked without providing credentials. See this blog for more information.

Secure Access Across All Interfaces

In order to ensure secure access across all your system interfaces, you should look for an MFA solution that focuses on the authentication protocols (like Kerberos, NTLM, SAML and OpenID Connect) – rather than an MFA solution that focuses on a specific system’s authentication process.

One solution that enables this is Silverfort’s Authentication Platform. Unlike most authentication solutions that are implemented system-by-system, and require a software agent or some kind of integration with the protected system’s authentication process, Silverfort applies a holistic protocol-based approach towards secure authentication. Silverfort monitors all the access requests of all users and service accounts, across all corporate networks and cloud environments, and across all the authentication protocols – in a unified platform. It analyzes these access requests to continuously assess risk and trust levels and enforces adaptive policies to ensure only validated trusted users are granted access.

Due to the holistic architecture of the solution, and the fact it doesn’t require agents, proxies or code changes, Silverfort enables you to secure any system and an interface to that system. This includes systems that couldn’t be protected until today, like legacy and homegrown systems, critical IT infrastructure, file shares, databases and more. It also secures all the interfaces to your systems, including privileged access and the use of administrative tools like Remote PowerShell, PSEcex and more.

This innovative architecture is not only easier to implement because it eliminates the need to deploy system by system, an approach that is no longer practical in today’s dynamic and complex environments, but it also enables better security that provides complete coverage to your systems.

To read more about this visit www.Silverfort.com

About the Author

Dana is the VP Market Strategy for Silverfort, provider of the first agentless, proxyless authentication platform that enables secure authentication and zero-trust policies across all systems interfaces whether on-premises or in the cloud. Dana is a veteran of the cybersecurity industry with over 15 years of real-world expertise and leadership roles in leading security companies. She was recently named one of the top 25 women leaders in Cybersecurity of 2019. Prior to Silverfort, Dana served as VP Marketing at Indegy (acquired by Tenable in 2019). Before that, she served as Director of Enterprise Security at Trusteer (acquired by IBM in 2012). She also held various roles at Imperva, Symantec, Bindview, and Amdocs. Dana holds an engineering degree from the Technion – Israel Institute of Technology, in addition to a number of industry and vendor certifications.

Source: https://www.cyberdefensemagazine.com/5-ways-hackers-can-bypass-your-mfa/