The SolarWinds attack has been in the news a lot lately. In short, attackers managed to insert a backdoor into a signed update of the SolarWinds Orion network management software, which runs on thousands of internal networks worldwide, potentially giving them privileged access to countless servers. In this blog I look at the part of the SolarWinds campaign that is relevant to the authentication space: the attack on authentication cookies.
At some of the affected companies and government agencies, the “SolarWinds attacks” might have unfolded this way:
- The attacker injects malware into a SolarWinds update; when the organization installs the update, the malware runs on some of its servers.
- The malware obtains administrative privileges on one of those servers and copies secret keys from the “authentication server”.
- With the key, the attacker can produce a valid cookie offline and store it on their own endpoint device. The authentication server then believes that this device was authenticated before, and so it accepts the device without an explicit “client authentication”, whether that would have been MFA or a plain password.
- The attacker can then do everything an authorized user can do.
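To make the scenario above concrete, the following Python script (an added example, not code from the original post or from any MFA vendor) models a “remember me” / MFA-satisfied cookie the way many authentication servers implement it: an HMAC over a small payload, keyed with one server-wide secret, and no record of which cookies were ever issued. The `attack_demo` function replays the steps: a user who really did pass MFA gets a cookie, the attacker's endpoint holds a copy of the stolen key and mints its own cookie for a different user, and the server accepts it because the two are indistinguishable. As a contrast it also shows one check a practitioner would want, a server-side registry of issued cookie ids, which rejects the offline-minted cookie; this is an illustration of why stateless signing is the weak link, not the solution promised for the next post. All class and function names, the payload layout and the sample users are assumptions of this example.

```python
import base64
import hashlib
import hmac
import json
import secrets


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class StatelessRememberMe:
    """A 'remember me' / MFA-satisfied cookie as many authentication
    servers issue it: a signed payload, one server-wide HMAC key, and no
    record of which cookies were handed out.  The server cannot tell a
    cookie it issued from one minted offline with a copy of the key."""

    def __init__(self, server_key: bytes) -> None:
        self.server_key = server_key

    def _sign(self, payload: dict) -> str:
        body = _b64u(json.dumps(payload, separators=(",", ":")).encode())
        tag = hmac.new(self.server_key, body.encode(), hashlib.sha256).digest()
        return f"{body}.{_b64u(tag)}"

    def _open(self, cookie: str, now: int):
        """Return the payload if signature and expiry check out, else None."""
        try:
            body, tag = cookie.split(".")
            expected = hmac.new(self.server_key, body.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(_unb64u(tag), expected):
                return None
            payload = json.loads(_unb64u(body))
        except ValueError:  # malformed cookie, bad base64 or bad JSON
            return None
        if not isinstance(payload, dict):
            return None
        if payload.get("exp", 0) < now or not payload.get("mfa"):
            return None
        return payload

    def issue(self, user: str, now: int, ttl: int = 30 * 86400) -> str:
        return self._sign({"u": user, "mfa": True, "exp": now + ttl})

    def verify(self, cookie: str, now: int):
        payload = self._open(cookie, now)
        return None if payload is None else payload.get("u")


class StatefulRememberMe(StatelessRememberMe):
    """Same cookie format plus a random cookie id that the server records
    when it issues the cookie.  A cookie minted with the stolen key still
    carries a valid signature, but its id was never issued, so the server
    rejects it.  (The registry must live where the attacker's malware
    cannot write to it, otherwise it adds nothing.)"""

    def __init__(self, server_key: bytes) -> None:
        super().__init__(server_key)
        self.issued: dict = {}  # cookie id -> user it was issued to

    def issue(self, user: str, now: int, ttl: int = 30 * 86400) -> str:
        cookie_id = secrets.token_hex(16)
        self.issued[cookie_id] = user
        return self._sign({"u": user, "mfa": True, "exp": now + ttl, "id": cookie_id})

    def verify(self, cookie: str, now: int):
        payload = self._open(cookie, now)
        if payload is None or self.issued.get(payload.get("id")) != payload.get("u"):
            return None
        return payload["u"]


def attack_demo(now: int = 1_700_000_000) -> dict:
    """Replay the scenario from the post: the malware has copied the
    server key and the attacker mints cookies on their own endpoint.
    Users 'alice' and 'admin' are constructed sample data."""
    server_key = secrets.token_bytes(32)  # the secret the malware steals
    stateless_server = StatelessRememberMe(server_key)
    stateful_server = StatefulRememberMe(server_key)

    # Cookies the real servers issued to a user who did authenticate with MFA.
    alice_a = stateless_server.issue("alice", now)
    alice_b = stateful_server.issue("alice", now)

    # The attacker's endpoint runs the same code with the stolen key, but
    # its own (empty) registry never reaches the real server.
    attacker = StatefulRememberMe(server_key)
    forged_a = attacker._sign({"u": "admin", "mfa": True, "exp": now + 86400})
    forged_b = attacker.issue("admin", now)

    # A cookie whose body was swapped without re-signing: the tag no longer matches.
    tampered = forged_a.split(".")[0] + "." + alice_a.split(".")[1]

    return {
        "legit_stateless": stateless_server.verify(alice_a, now),       # "alice"
        "forged_stateless": stateless_server.verify(forged_a, now),     # "admin": bypass works
        "legit_stateful": stateful_server.verify(alice_b, now),         # "alice"
        "forged_stateful": stateful_server.verify(forged_b, now),       # None: id never issued
        "tampered": stateless_server.verify(tampered, now),             # None: bad signature
        "expired": stateless_server.verify(alice_a, now + 31 * 86400),  # None: past exp
    }


if __name__ == "__main__":
    for name, result in attack_demo().items():
        print(f"{name:18s} -> {result!r}")
```

The point the demo makes is that the forged cookie against the stateless server is not a broken signature or a guessed value: it is a perfectly valid cookie, because the only thing the server ever checks is possession of a key the attacker now has. Rotating that key invalidates every outstanding cookie at once, which is why such secrets deserve the same protection as a password database.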
The SolarWinds campaign starts with the injection of the malware, but it includes many more sophisticated steps to circumvent authentication! This might indicate that, as the industry has adopted stronger MFA, phishing and similar methods have become less effective and attackers have to resort to more sophisticated attacks to get around authentication. The good news is that MFA, especially FIDO and other asymmetric-key based authentication, has made it harder to steal an identity; the bad news is that attackers will go after the weakest link, which can be passwords, biometrics, SMS, OTP and, adjacently, cookies and federated authentication.
As highlighted in https://arstechnica.com/information-technology/2020/12/solarwinds-hackers-have-a-clever-way-to-bypass-multi-factor-authentication/ (which describes the case reported by Volexity, where the attackers stole the Duo integration secret from an Outlook Web App server and used it to generate a cookie that satisfied the MFA check), “It should be noted this is not a vulnerability with the MFA provider…”. Perhaps. If the MFA was bypassed rather than broken, the vulnerability is indeed not in the MFA mechanism itself.
But it is still a shortcoming of the authentication server, and that server is ultimately the MFA provider's responsibility!
Or maybe the consensus in the industry is that using a cookie is understandable: users are used to reading their email without having to authenticate to the email system every day. In that view it is not the MFA provider's shortcoming but the industry's lack of an adequate solution for this problem!
What if there is a better way to implement this “remember me” functionality?
Can the SolarWinds MFA bypass attacks be prevented? Yes, we believe so!
We will present it in the next blog post.