A recent security study described a hacking operation that affected 50 multinational corporations. The link between the companies was simple. Multi-factor authentication was not required for critical systems.
The breaches did not involve sophisticated techniques. They utilized infostealer malware to steal usernames, passwords, session cookies, and stored authentication credentials from compromised hosts. The credentials were then sold on dark web marketplaces where other malicious actors accessed the corporate networks using legitimate login credentials.
The MFA gap
These attacks were not fueled by zero-day exploits. They were fueled by credential attacks and inadequate authentication mechanisms.
The organizations had the capability to mandate multi-factor authentication; they simply didn’t implement it for all users and all applications. This left a vulnerable entry point.
These were large, well-resourced organizations in the healthcare, professional services, manufacturing, and other industries. It was not a budget issue. It was an issue of enforcement.
The Result
The overall financial damage from these incidents has not been made public. It is likely to include the cost of incident response, forensic analysis, legal advice, business disruption, and regulatory risk.
The harder part of the financial damage to quantify is the loss of reputation.
When customers or business partners wonder if their data is secure, it takes time to win back their confidence.
I see similar issues all the time for local, privately held organizations. The scope is different in terms of size, but it’s all the same in terms of risk.
Most companies use some combination of Microsoft 365, cloud file storage, accounting software, line of business applications, and remote access software. Email is where contracts, financial conversations, messages to clients, and company strategy are stored. Shared drives contain intellectual property, personnel information, and business information.
Once infostealer malware has stolen a single employee's credentials, an attacker may gain the ability to:
• Access Microsoft 365 email, OneDrive, and SharePoint
• Access accounting and billing systems
• Access industry-specific applications
• Access cloud storage services
• Access remote desktop or VPN connections
Once compromised, the attacker may be able to silently exfiltrate data, set up mailbox forwarding rules, launch a wire fraud attack by pretending to be a high-level executive, or spread ransomware.
Even if the breach is contained quickly, there may be notification obligations, contractual issues, and insurance complexities. Many cyber insurance providers now require proof of multi-factor authentication on critical systems.
How to Close the Gap
The key takeaway is this: size does not matter when it comes to exposure. Basic security measures do.
Multi-factor authentication targets exactly the weakness in these scenarios. When MFA is turned on and enforced, a password alone is no longer enough. The attacker must also satisfy a second factor, such as an authentication app approval, a hardware token, or biometric verification.
However, there are limitations. If a session cookie is stolen and replayed before it expires, the service may treat the request as an already-authenticated session and never prompt for MFA. If the user approves a malicious push notification, access can still be gained.
Nevertheless, comprehensive MFA enforcement will greatly lower the success rate of credential attacks.
What you should do
The following steps should be taken:
• Turn on and enforce multi-factor authentication for all Microsoft 365 users
• Turn on MFA for accounting, operations, remote access, and document management systems
• Turn off legacy authentication protocols that bypass modern security measures
• Look for signs of suspicious sign-in activity, such as impossible travel logins
• Ensure authentication policies meet cyber insurance requirements
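Two of the steps above, disabling legacy authentication and watching for impossible travel, leave traces in sign-in logs that can be checked mechanically. The following is an added example (not code from the original post, and not a vendor's query language) that triages a handful of constructed sign-in events: it lists successful sign-ins over protocols that cannot complete an MFA challenge, and flags a user whose consecutive sign-ins would require travelling faster than an airliner. The JSON field names, the client-app labels, the coordinates, and the 900 km/h threshold are assumptions; real tenant logs carry equivalent fields under their own names.

```python
# Added example, not from the original post: sign-in log triage for legacy
# authentication use and impossible travel. Log format, field names, city
# coordinates and the speed threshold are assumptions for illustration.
import json
import math
from datetime import datetime

# Constructed sample events, one JSON object per line, UTC timestamps.
SAMPLE_LOG = """
{"time":"2024-03-04T08:00:00Z","user":"alice@example.com","ip":"203.0.113.10","lat":47.61,"lon":-122.33,"client_app":"Browser","result":"success"}
{"time":"2024-03-04T08:25:00Z","user":"alice@example.com","ip":"198.51.100.7","lat":52.52,"lon":13.40,"client_app":"Browser","result":"success"}
{"time":"2024-03-04T09:10:00Z","user":"bob@example.com","ip":"192.0.2.44","lat":40.71,"lon":-74.01,"client_app":"IMAP","result":"success"}
{"time":"2024-03-04T12:00:00Z","user":"carol@example.com","ip":"203.0.113.55","lat":41.88,"lon":-87.63,"client_app":"Browser","result":"success"}
{"time":"2024-03-04T17:30:00Z","user":"carol@example.com","ip":"203.0.113.56","lat":44.98,"lon":-93.27,"client_app":"Browser","result":"success"}
"""

# Assumed labels for protocols that authenticate with a password only and
# cannot satisfy an MFA challenge.
LEGACY_CLIENT_APPS = {"IMAP", "POP", "SMTP", "MAPI", "Exchange ActiveSync"}
MAX_PLAUSIBLE_KMH = 900.0   # faster than this between sign-ins is not travel


def parse_events(text: str) -> list:
    """Parse JSON lines into dicts with a parsed 'ts' datetime, oldest first."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["time"].replace("Z", "+00:00"))
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points on a sphere of radius 6371 km."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def legacy_auth_signins(events: list) -> list:
    """Successful sign-ins over protocols that bypass MFA: (user, client_app)."""
    return [(e["user"], e["client_app"]) for e in events
            if e["result"] == "success" and e["client_app"] in LEGACY_CLIENT_APPS]


def impossible_travel(events: list, max_kmh: float = MAX_PLAUSIBLE_KMH) -> list:
    """Consecutive successful sign-ins per user whose implied speed exceeds
    max_kmh: (user, distance_km, implied_kmh)."""
    findings = []
    last_by_user = {}
    for e in events:
        if e["result"] != "success":
            continue
        prev = last_by_user.get(e["user"])
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            hours = (e["ts"] - prev["ts"]).total_seconds() / 3600.0
            # Same-second events give hours == 0; skip rather than divide by zero.
            if hours > 0 and km / hours > max_kmh:
                findings.append((e["user"], round(km), round(km / hours)))
        last_by_user[e["user"]] = e
    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for user, app in legacy_auth_signins(evs):
        print(f"legacy auth: {user} via {app}")
    for user, km, kmh in impossible_travel(evs):
        print(f"impossible travel: {user} moved {km} km at ~{kmh} km/h")
```

On the constructed data, Bob's IMAP sign-in is the legacy-protocol finding (a password-only path that an MFA policy never sees), and Alice's second sign-in from roughly 8,000 km away 25 minutes after the first is the impossible-travel finding; Carol's Chicago-to-Minneapolis pair five and a half hours apart is ordinary travel and stays quiet.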
This is a straightforward security measure that stops an attack in its tracks.
Leadership sets the tone
Many business owners and executives are juggling growth, employee needs, and client needs. Security decisions can seem technical and secondary.
MFA is not a difficult implementation in most settings. It does not require a complete infrastructure revamp. It requires a choice that password-only access is no longer acceptable.
This is the question that really matters. If an attacker got their hands on one of your employees’ passwords, what is stopping them from accessing the system?
