How MFA was broken by a hacker group

Stronger Multi-Factor Authentication With Certificates

Jake Ludin | Consumer Protection, Security Threats

It’s widely held knowledge that using a single factor to authenticate to a wireless network is less than secure and easily exploited by hackers. Many organizations recognize this and use Multi-Factor Authentication (MFA) to add an extra layer of protection. Each additional layer adds significant difficulty for any data thief looking to infiltrate a secure wireless network.

But MFA is not impenetrable, and multiple cases have come to light that highlight weaknesses of this security measure. The exploits primarily arise from the continued use of credentials within the MFA process. Time and again, it’s been shown that credentials are highly susceptible to hacking attacks and are inferior to certificates for authentication.

MFA Has Vulnerabilities

To effectively implement MFA, your authentication method must include at least two of the following: something you know, something you have, or something you are. A password, a smart card, and biometrics are examples of each, respectively. By combining any of these, your authentication process is far more difficult to penetrate and will effectively thwart an attacker 99% of the time.

MFA is most often circumvented when the individual authentication requirements are not particularly secure on their own. A common theme among successful MFA hacks is an organization’s reliance on its users to be the backbone of the cybersecurity system. Hackers use a combination of social engineering attacks, Man-In-The-Middle attacks, and exploitation of weak passwords to gain authenticated access to a secure network.

People are the Weakest Link in Network Security

Many successful hacking attacks occur due to an overreliance on people to uphold strict security standards. The average network user is not well-versed in network security best practices, especially when it comes to credential-based authentication. Recurring issues with credentials are the tendency to use weak passwords, to reuse passwords across multiple accounts, and to let other people use one’s password, which increases the odds of it being stolen.

In addition to weak credentials, social engineering attacks have proven to be frighteningly effective. This type of attack does not use technical methods to steal information from a system or device; rather, it is a manipulation tactic for getting information out of a person. Common forms include phishing and directly manipulating a person into handing over authentication information. These attacks are designed to play on a person’s fear, sympathy, or excitement and trick them into divulging information that could compromise the network.

Hackers Bypass MFA

A Chinese government-linked hacking group known as APT20 demonstrated a unique and effective method to foil MFA and gain unauthorized access to highly secure networks. As an initial point of entry, they found vulnerabilities in web servers and installed web shells, scripts used to maintain and escalate access within a compromised system. With a web shell in place, they began to spread throughout internal systems.

The primary goal of the web shell was to locate legitimate credentials. They searched for dumped passwords and administrator accounts, but primarily wanted to obtain VPN credentials. With VPN credentials, APT20 could raise their level of access to more secure areas of the infrastructure, and VPN accounts provided more stable backdoors that looked like legitimate access.

The next step was to steal an RSA SecurID Software Token. This type of token is used to generate valid, one-time codes for MFA purposes. It was believed that this wasn’t possible because SecurID software tokens require the physical device they were generated for in order to produce the code, similar to many smart cards. Without that device, the system generates an error; so how did APT20 get around this?

Under normal circumstances, the software token is generated for a specific system and tied to a system-specific value. That value is only checked when the SecurID token seed is imported, and it has no relation to the seed used to generate the one-time MFA codes. APT20 used the web shell to patch the check that verifies whether the imported token was generated for that specific system.

With the patch in place, they were able to bypass the system-specific value check and use the stolen RSA SecurID Software Token. By patching that single instruction, they were able to remotely connect to the network and gain full, unrestricted access to the secure wireless network.

Certificates Are Key To Secure MFA

One of the most effective methods for minimizing the risk of your authentication process being compromised is to seek out solutions that limit the user’s involvement in the process. Whenever a cybersecurity system relies on people to uphold security standards, it increases the avenues through which it can be compromised. A key step is to eliminate credential-based authentication and switch to certificate-based authentication.

Using onboarding software to distribute certificates to users’ devices lets users self-configure while guaranteeing that every device is configured correctly. Onboarding with SecureW2’s JoinNow software takes a few simple steps, after which the user’s device authenticates to the secure network automatically whenever it is in range. Credentials require manual entry, while certificates authenticate automatically with no human interaction.

Additionally, credential-based networks require a password expiration policy to try to combat the use of weak passwords. After a set period of time, every user device is disconnected from the network and must be reconnected with a new, unique password. This often encourages nearly identical or weak passwords, because frequent updates to multiple sets of credentials are difficult to keep track of. With certificates, once the user has configured the device the first time, it stays securely connected to the network for the life of the certificate. That lifetime is set by the organization, and many choose certificate expirations years into the future.

Gain Identity Context Of Your Network

The key to certificate authentication’s resistance to MFA bypass is the public-private key cryptography that protects the process. To authenticate with a certificate, you need its private key, and the certificate must be signed by the organization’s issuing certificate authority. This makes it impossible for anyone outside the organization to authenticate to the network. The private key cannot be stolen and reused due to its advanced encryption. Furthermore, it’s highly recommended to configure server certificate validation to ensure that the device only connects to the correct RADIUS server, which blocks the possibility of a Man-In-The-Middle attack.
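The two properties this paragraph relies on, that the client must hold the private key for an organization-issued certificate and that the client must validate the server's certificate, can be seen directly in a mutual TLS handshake, which is what EAP-TLS carries inside RADIUS. The Go program below is an added example, not SecureW2's code and not tied to any RADIUS product: it builds a throwaway organization CA, issues a server certificate and a user certificate, builds a second "rogue" CA that issues a certificate for the same server name, and then runs four handshakes in memory. The server name radius.example.test, the user name alice-laptop.example.test and all keys and certificates are constructed on the fly for the example; the RADIUS/EAP framing around the TLS exchange is not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Constructed name of the RADIUS/TLS server the client expects (not a real host).
const serverName = "radius.example.test"

// mustIssue makes a P-256 key and certificate for cn, self-signed (a root CA) when parent
// is nil and otherwise signed by parent. Example setup code: it panics rather than returning errors.
func mustIssue(cn string, isCA bool, parent *tls.Certificate) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else { // leaf: SAN = cn, usable both as a server cert and as a user/device cert
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	}
	signer, signerKey := tmpl, any(key) // self-signed unless a parent CA is given
	if parent != nil {
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// handshake runs one TLS session over an in-memory pipe and returns the client's view of it:
// nil only if the session was established and application data arrived from the server.
func handshake(serverCfg, clientCfg *tls.Config) error {
	sRaw, cRaw := net.Pipe()
	sRaw.SetDeadline(time.Now().Add(5 * time.Second))
	cRaw.SetDeadline(time.Now().Add(5 * time.Second))
	go func() {
		defer sRaw.Close()
		srv := tls.Server(sRaw, serverCfg)
		if srv.Handshake() == nil {
			srv.Write([]byte("ok"))
		}
	}()
	defer cRaw.Close()
	cli := tls.Client(cRaw, clientCfg)
	if err := cli.Handshake(); err != nil {
		return err
	}
	// Under TLS 1.3 the server's verdict on the client cert can arrive after Handshake returns.
	_, err := cli.Read(make([]byte, 2))
	return err
}

// RunScenarios returns the client-side outcome of each scenario; nil means a session was established.
func RunScenarios() map[string]error {
	orgCA := mustIssue("Org Root CA", true, nil)
	server := mustIssue(serverName, false, &orgCA)
	user := mustIssue("alice-laptop.example.test", false, &orgCA)
	rogueCA := mustIssue("Rogue CA", true, nil)
	rogue := mustIssue(serverName, false, &rogueCA) // same name as the real server, wrong CA
	orgPool := x509.NewCertPool()
	orgPool.AddCert(orgCA.Leaf)
	legit := &tls.Config{Certificates: []tls.Certificate{server}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: orgPool} // requires an org-issued client cert
	impostor := &tls.Config{Certificates: []tls.Certificate{rogue}}                                                               // rogue RADIUS server
	verified := &tls.Config{Certificates: []tls.Certificate{user}, RootCAs: orgPool, ServerName: serverName}                     // correct client: trusts only the org CA
	unverified := &tls.Config{Certificates: []tls.Certificate{user}, InsecureSkipVerify: true}                                 // weak client: validation off
	noCert := &tls.Config{RootCAs: orgPool, ServerName: serverName}                                                              // validates the server, has no cert
	return map[string]error{
		"verified client -> legit server (expect nil)":    handshake(legit, verified),
		"verified client -> rogue server (expect error)":  handshake(impostor, verified),
		"skip-verify client -> rogue server (expect nil)": handshake(impostor, unverified),
		"no-cert client -> legit server (expect error)":   handshake(legit, noCert),
	}
}

func main() {
	for name, err := range RunScenarios() {
		fmt.Printf("%-50s %v\n", name, err)
	}
}
```

The "skip-verify" scenario is the weak setting the paragraph warns about: with server validation switched off, the client happily completes a session with a server whose certificate was never issued by the organization, which is exactly the foothold a Man-In-The-Middle needs. The "verified" client rejects that server because it trusts only the organization's CA and checks the expected name, and the "no-cert" scenario shows the server side refusing anyone who cannot prove possession of an organization-issued certificate and its private key. In wpa_supplicant terms the verified configuration corresponds to setting ca_cert and domain_match for the EAP-TLS network, and the unverified one to leaving ca_cert unset.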

Beyond the streamlined user experience that certificates boast, they are also tied to the identity of the user and device. Credentials are something the user knows and can be given to another person for access. This leads to identity issues because you cannot be certain that the credentials are always being used by the identified user.

With SecureW2’s Certlock, certificates cannot be removed from the device or transferred to another person, so when a particular user is confirmed accessing the network, they have been accurately identified.

Essentially, once a user’s device is equipped with a certificate, it cannot be stolen or transferred through a social engineering attack or over-the-air attack to be used by a data thief.

To improve the overall security of your network, MFA is an excellent authentication paradigm, but it’s important to ensure that each of the multiple factors is a secure method on its own. If a hacker is able to overcome one method, they may have the ingenuity or social engineering skills to gather the remaining information.

The success of manipulation tactics truly highlights the need to remove the human element from cybersecurity and automate your security practices with certificate authentication to have a truly secure network. Check out SecureW2’s pricing page to see how our MFA solutions can fit your authentication security needs.