The hackers behind the supply chain attack that compromised public and private organizations have devised a clever way to bypass multi-factor-authentication systems protecting the networks they target.
Researchers from security firm Volexity said on Monday that it had encountered the same attackers in late 2019 and early 2020 as they penetrated deep inside of a think tank organization no fewer than three times.
During one of the intrusions, Volexity researchers noticed the hackers using a novel technique to bypass MFA protections provided by Duo. After having gained administrator privileges on the infected network, the hackers used those unfettered rights to steal a Duo secret known as an akey from a server running Outlook Web App, which enterprises use to provide account authentication for various network services.
The hackers then used the akey to generate a cookie, so they'd have it ready to bypass the second factor whenever they later took over an account for which they already held a valid username and password. Volexity refers to the state-sponsored hacker group as Dark Halo. Researchers Damien Cash, Matthew Meltzer, Sean Koessel, Steven Adair, and Thomas Lancaster wrote:
Toward the end of the second incident that Volexity worked involving Dark Halo, the actor was observed accessing the e-mail account of a user via OWA. This was unexpected for a few reasons, not least of which was that the targeted mailbox was protected by MFA. Logs from the Exchange server showed that the attacker provided username and password authentication like normal but was not challenged for a second factor through Duo. The logs from the Duo authentication server further showed that no attempts had been made to log into the account in question. Volexity was able to confirm that session hijacking was not involved and, through a memory dump of the OWA server, could also confirm that the attacker had presented a cookie tied to a Duo MFA session named duo-sid.
Volexity’s investigation into this incident determined the attacker had accessed the Duo integration secret key (akey) from the OWA server. This key then allowed the attacker to derive a pre-computed value to be set in the duo-sid cookie. After successful password authentication, the server evaluated the duo-sid cookie and determined it to be valid. This allowed the attacker with knowledge of a user account and password to then completely bypass the MFA set on the account. This event underscores the need to ensure that all secrets associated with key integrations, such as those with an MFA provider, should be changed following a breach. Further, it is important that not only are passwords changed after a breach, but that passwords are not set to something similar to the previous password (e.g., Summer2020! versus Spring2020! or SillyGoo$e3 versus SillyGoo$e2).
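The detection that Volexity describes rests on a simple discrepancy: Exchange recorded a successful password login, but the Duo server recorded no second-factor attempt for that user. The script below, an added example that is not part of the article or of Volexity's report, correlates the two sources and flags OWA logins with no matching Duo event. The log formats, field names and sample lines are constructed for illustration and do not reproduce real Exchange or Duo output.

```python
# Added example: correlate OWA password-auth successes with Duo second-factor
# events to spot logins that never reached the MFA provider. Log formats,
# field names and sample lines are constructed, not real Exchange/Duo output.
from datetime import datetime, timedelta

# Constructed sample OWA authentication log (timestamp, user, result)
OWA_LOG = """\
2020-12-14T09:01:12Z user=alice result=success
2020-12-14T09:03:40Z user=bob result=success
2020-12-14T09:05:02Z user=carol result=failure
2020-12-14T10:17:55Z user=bob result=success
"""

# Constructed sample Duo authentication log (timestamp, user, outcome)
DUO_LOG = """\
2020-12-14T09:01:20Z user=alice outcome=approved
2020-12-14T09:03:51Z user=bob outcome=approved
"""

def parse(log, key):
    """Parse constructed '<timestamp> user=... <key>=...' lines into tuples."""
    rows = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        rows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), kv["user"], kv[key]))
    return rows

def logins_without_mfa(owa_log, duo_log, window=timedelta(minutes=2)):
    """Return (timestamp, user) for successful OWA password logins that have
    no Duo event for the same user within `window` after the password auth.
    A hit matches the pattern in the report: Exchange saw a login, Duo saw
    nothing, which is what a pre-computed duo-sid cookie looks like in logs."""
    duo_events = parse(duo_log, "outcome")
    hits = []
    for ts, user, result in parse(owa_log, "result"):
        if result != "success":
            continue
        matched = any(u == user and ts <= dts <= ts + window for dts, u, _ in duo_events)
        if not matched:
            hits.append((ts.strftime("%Y-%m-%dT%H:%M:%SZ"), user))
    return hits

if __name__ == "__main__":
    for ts, user in logins_without_mfa(OWA_LOG, DUO_LOG):
        print(f"ALERT: OWA login for {user} at {ts} with no Duo second-factor event")
```

Tune the window to the prompt latency actually observed in the deployment, and account for any configured policy that legitimately skips the Duo prompt before treating a hit as confirmed.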
Volexity’s account of Dark Halo reinforces observations other researchers have made that the hackers are highly skilled. Volexity said the attackers returned repeatedly after the think tank client believed the group had been ejected. Ultimately, Volexity said, the attackers were able to “remain undetected for several years.”
Both The Washington Post and The New York Times have cited government officials granted anonymity saying the group behind the hacks was known both as APT29 and Cozy Bear, an advanced persistent threat group believed to be part of the Russian Federal Security Service (FSB).
While the MFA provider in this case was Duo, it just as easily could have involved any of its competitors. MFA threat modeling generally doesn’t include a complete system compromise of an OWA server. The level of access the hacker achieved was enough to neuter just about any defense.
Volexity said that Dark Halo’s primary goal was obtaining emails of specific individuals inside the think tank. The security company said Dark Halo is a sophisticated threat actor that had no links to any publicly known threat actors.