The hackers behind the supply chain attack that compromised public and private organizations have devised a clever way to bypass multi-factor-authentication systems protecting the networks they target.
Researchers from security firm Volexity said on Monday that they had encountered the same attackers in late 2019 and early 2020, when the group penetrated deep inside a think tank no fewer than three times.
During one of the intrusions, Volexity researchers noticed the hackers using a novel technique to bypass MFA protections provided by Duo. After gaining administrator privileges on the infected network, the hackers used those unfettered rights to steal a Duo integration secret known as the akey from a server running Outlook Web App (OWA), the browser-based front end to Exchange mailboxes that the Duo integration was protecting.
The hackers then used the akey to precompute a cookie that the OWA server would accept as proof that the second factor had already been satisfied, so that anyone holding a valid username and password could log in without ever being challenged by Duo. Volexity refers to the state-sponsored hacker group as Dark Halo. Researchers Damien Cash, Matthew Meltzer, Sean Koessel, Steven Adair, and Thomas Lancaster wrote:
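To make the mechanism concrete, the following is an added example, not Volexity's or Duo's code, that models an OWA-style login which trusts an HMAC-signed cookie derived from a server-side integration secret. The `user|expiry|mac` cookie layout, the function names `mint_duo_sid`, `verify_duo_sid`, `owa_login` and `rotate_akey`, and the user store are assumptions for illustration; the real duo-sid format is not reproduced here. The point it shows is that whoever holds the akey can mint a cookie the server cannot distinguish from one issued after a real second factor, and that rotating the akey invalidates every such precomputed cookie.

```python
import hashlib
import hmac
import secrets
import time

# Illustrative stand-in for the Duo integration secret that lived on the OWA server.
# Generated here; a real akey is a customer-chosen string of at least 40 characters.
AKEY = secrets.token_hex(20)

# Constructed user store standing in for the directory password check (not real data).
USERS = {"alice": "Summer2020!"}


def _sign(akey, message):
    """HMAC-SHA1 over the cookie body, keyed with the integration secret."""
    return hmac.new(akey.encode(), message.encode(), hashlib.sha1).hexdigest()


def mint_duo_sid(username, akey, ttl=3600, now=None):
    """Build a cookie of the form user|expiry|mac (simplified, assumed layout).

    The server mints this after a successful second factor; an attacker holding
    the akey can mint an identical cookie without ever contacting the MFA provider.
    """
    now = time.time() if now is None else now
    body = f"{username}|{int(now + ttl)}"
    return f"{body}|{_sign(akey, body)}"


def verify_duo_sid(cookie, username, akey, now=None):
    """Accept the cookie only if it names this user, is unexpired and carries a valid MAC."""
    now = time.time() if now is None else now
    parts = cookie.split("|")
    if len(parts) != 3:
        return False
    user, expiry, mac = parts
    if user != username or not expiry.isdigit() or int(expiry) < now:
        return False
    return hmac.compare_digest(mac, _sign(akey, f"{user}|{expiry}"))


def owa_login(username, password, duo_sid, akey, now=None):
    """Model the OWA decision: password first, then the cookie stands in for Duo.

    Returns "denied", "mfa_required" (Duo would now be contacted) or "granted".
    """
    if USERS.get(username) != password:
        return "denied"
    if duo_sid is not None and verify_duo_sid(duo_sid, username, akey, now):
        return "granted"  # no request ever reaches the Duo service
    return "mfa_required"


def rotate_akey():
    """Post-breach response: a fresh secret invalidates every precomputed cookie."""
    return secrets.token_hex(20)


if __name__ == "__main__":
    stolen = AKEY  # what the attacker read off the compromised OWA server
    forged = mint_duo_sid("alice", stolen)
    print(owa_login("alice", "Summer2020!", forged, AKEY))       # granted
    print(owa_login("alice", "Summer2020!", None, AKEY))         # mfa_required
    print(owa_login("alice", "Summer2020!", forged, rotate_akey()))  # mfa_required
```

Note what the model does not help with: the server has no way to tell a forged cookie from a legitimate one, because both are computed from the same secret. The only server-side remedy once the akey has left the box is rotation, which is exactly the advice both Volexity and Duo give below.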
Toward the end of the second incident that Volexity worked involving Dark Halo, the actor was observed accessing the e-mail account of a user via OWA. This was unexpected for a few reasons, not least of which was that the targeted mailbox was protected by MFA. Logs from the Exchange server showed that the attacker provided username and password authentication like normal but was not challenged for a second factor through Duo. The logs from the Duo authentication server further showed that no attempts had been made to log into the account in question. Volexity was able to confirm that session hijacking was not involved and, through a memory dump of the OWA server, could also confirm that the attacker had presented a cookie tied to a Duo MFA session named duo-sid.
Volexity’s investigation into this incident determined the attacker had accessed the Duo integration secret key (akey) from the OWA server. This key then allowed the attacker to derive a pre-computed value to be set in the duo-sid cookie. After successful password authentication, the server evaluated the duo-sid cookie and determined it to be valid. This allowed the attacker with knowledge of a user account and password to then completely bypass the MFA set on the account. This event underscores the need to ensure that all secrets associated with key integrations, such as those with an MFA provider, are changed following a breach. Further, it is important that not only are passwords changed after a breach, but that passwords are not set to something similar to the previous password (e.g., Summer2020! versus Spring2020! or SillyGoo$e3 versus SillyGoo$e2).
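The way Volexity noticed the bypass, a successful OWA password login with no corresponding event on the Duo authentication server, can be turned into a routine detection. The following is an added example, not Volexity's tooling, that correlates two constructed log sets: OWA login records and Duo authentication events. The record layouts, the `find_logins_without_mfa` function, and the window parameters are assumptions; neither vendor's real log format is reproduced. A login counts as covered if the same user has a Duo success shortly after it (the normal second-factor prompt) or within the cookie lifetime before it (a still-valid duo-sid being reused); anything else is flagged.

```python
from datetime import datetime, timedelta

# Constructed sample records, modelled on what an Exchange/OWA login log and a
# Duo authentication log would carry. Not real data, not either vendor's format.
OWA_LOGINS = [
    {"user": "alice", "time": "2020-12-14T09:00:10+00:00", "ip": "203.0.113.10"},
    {"user": "alice", "time": "2020-12-14T09:40:00+00:00", "ip": "203.0.113.10"},
    {"user": "bob",   "time": "2020-12-14T11:15:30+00:00", "ip": "198.51.100.7"},
    {"user": "carol", "time": "2020-12-14T12:00:00+00:00", "ip": "203.0.113.44"},
]
DUO_EVENTS = [
    {"user": "alice", "time": "2020-12-14T09:00:25+00:00", "result": "success"},
    {"user": "carol", "time": "2020-12-14T12:00:04+00:00", "result": "success"},
    {"user": "dave",  "time": "2020-12-14T12:30:00+00:00", "result": "denied"},
]


def _ts(value):
    """Parse the ISO 8601 timestamps used in the sample records."""
    return datetime.fromisoformat(value)


def find_logins_without_mfa(owa_logins, duo_events, cookie_ttl_s=3600, grace_s=300):
    """Return the OWA logins that no Duo success can account for.

    cookie_ttl_s: how long a duo-sid stays valid after a Duo success, so a later
                  password login within that window legitimately skips the prompt.
    grace_s:      how long after the password login the Duo prompt is normally answered.
    Both are assumed values; set them from the integration's configured lifetimes.
    """
    cookie_ttl = timedelta(seconds=cookie_ttl_s)
    grace = timedelta(seconds=grace_s)

    # Index Duo successes per user; denials and fraud reports do not cover a login.
    successes = {}
    for event in duo_events:
        if event["result"] == "success":
            successes.setdefault(event["user"], []).append(_ts(event["time"]))

    suspicious = []
    for login in owa_logins:
        t = _ts(login["time"])
        covered = any(
            t - cookie_ttl <= s <= t + grace
            for s in successes.get(login["user"], [])
        )
        if not covered:
            suspicious.append(login)
    return suspicious


if __name__ == "__main__":
    for hit in find_logins_without_mfa(OWA_LOGINS, DUO_EVENTS):
        print(f"password login with no Duo event: {hit['user']} from {hit['ip']} at {hit['time']}")
```

Two caveats a practitioner should keep in mind. First, any feature that extends cookie lifetime (remembered devices, long OWA sessions) widens the legitimate gap between a Duo success and a later password login, so `cookie_ttl_s` must track the configured lifetime or the check will drown in false positives. Second, the comparison is only as good as the Duo log being complete and the OWA log being trustworthy; on a host the attacker administers, neither can be assumed, which is why Volexity also went to a memory dump of the OWA server rather than relying on logs alone.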
Volexity’s account of Dark Halo reinforces observations other researchers have made that the hackers are highly skilled. Volexity said the attackers returned repeatedly after the think tank client believed the group had been ejected. Ultimately, Volexity said, the attackers were able to “remain undetected for several years.”
Both The Washington Post and The New York Times have cited government officials, granted anonymity, saying the group behind the hacks is known as both APT29 and Cozy Bear, an advanced persistent threat group believed to be part of Russia’s Foreign Intelligence Service (SVR).
While the MFA provider in this case was Duo, the same technique would work against any competitor whose integration keeps a signing secret on the server it protects. MFA threat models generally assume that the server holding the integration secret is itself intact; a complete compromise of the OWA server falls outside that model, and the level of access the hackers achieved was enough to neuter just about any defense running on that host.
In a statement, Duo officials wrote:
Duo Security at Cisco is aware of a recent security researcher blog post discussing multiple security incidents observed over the course of the last year from a particular threat actor group. One of those incidents involved Duo’s integration for the Outlook Web Application (OWA).
The described incidents were not due to any vulnerability in Duo’s products.
Rather, the post details an attacker that achieved privileged access to integration credentials, which are integral for the management of the Duo service, from within an existing compromised customer environment, such as an email server.
In order to reduce the likelihood of such an event, it is critical to protect integration secrets from exposure within an organization and to rotate secrets if compromise is suspected. Compromise of a service that is integrated with an MFA provider can result in disclosure of integration secrets along with potential access to a system and data that MFA protects.
Volexity said that Dark Halo’s primary goal was obtaining emails of specific individuals inside the think tank. The security company said Dark Halo is a sophisticated threat actor that had no links to any publicly known threat actors.
Post updated to add comment from Duo.