According to a post on the Rainbow Secure website (https://blog.rainbowsewcure.com/cisa-fbi-cyber-alert-hackers-deploying-new-tactics-to-bypass-mfa-and-gain-access-to-ngos-emails-and-cloud/), CISA and the FBI have issued an alert that state-sponsored hackers combined two exploits to bypass multi-factor authentication (MFA).
After gaining access to an organization through compromised credentials, the hackers elevated their privileges and disabled MFA. They repeated the operation to reach higher-value domains, bypass MFA there, and eventually access the victim's cloud storage.
CISA has released mitigation practices related to MFA implementation:
- Review configuration policies to protect against "fail open" and re-enrollment scenarios.
- Implement time-out and lock-out features.
- Ensure inactive accounts are disabled.
- Keep software updated and patch known vulnerabilities.
- Require accounts to have strong, unique passwords. A weak password was the entry point for this attack.
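The following script is an added example (not from the Rainbow Secure post or the CISA alert) showing how the first three mitigations can be checked mechanically. It audits a constructed MFA policy for fail-open, self-service re-enrollment, missing time-out and missing lock-out settings, produces a hardened copy of that policy, and scans a constructed account inventory for enabled-but-dormant accounts and for an MFA device enrolled on an account that had been dormant (the re-enrollment scenario). The policy keys, the user names, the 90-day inactivity threshold and the hardened defaults are all assumptions made for this example, not any vendor's real schema.

```python
"""Audit a constructed MFA policy and account inventory against the CISA
mitigations summarised above (fail-open, re-enrollment, time-out/lock-out,
inactive accounts). The configuration schema and the sample data are
assumptions made for this example, not a vendor's real format."""
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is deterministic when run offline (constructed).
NOW = datetime(2022, 3, 15, tzinfo=timezone.utc)

# Constructed weak policy: every setting here is one the CISA list warns about.
WEAK_POLICY = {
    "fail_open": True,              # sign-in succeeds if the MFA service is unreachable
    "self_reenroll_allowed": True,  # a password alone can register a new MFA device
    "session_timeout_minutes": 0,   # 0 = sessions never expire
    "lockout_threshold": 0,         # 0 = unlimited failed password attempts
}

# Constructed account inventory with hypothetical users.
ACCOUNTS = [
    {"user": "alice", "enabled": True,
     "last_login": NOW - timedelta(days=2), "previous_login": NOW - timedelta(days=3),
     "mfa_enrolled": NOW - timedelta(days=300)},
    {"user": "svc-archive", "enabled": True,            # dormant but still enabled
     "last_login": NOW - timedelta(days=200), "previous_login": NOW - timedelta(days=210),
     "mfa_enrolled": NOW - timedelta(days=400)},
    {"user": "carol", "enabled": True,                  # new device right after a long gap
     "last_login": NOW - timedelta(days=1), "previous_login": NOW - timedelta(days=150),
     "mfa_enrolled": NOW - timedelta(days=1)},
    {"user": "dave", "enabled": False,                  # already disabled: nothing to flag
     "last_login": NOW - timedelta(days=500), "previous_login": None,
     "mfa_enrolled": NOW - timedelta(days=600)},
]


def audit_policy(policy):
    """Return one finding string per policy setting that contradicts the mitigations."""
    findings = []
    if policy.get("fail_open"):
        findings.append("fail_open: sign-in proceeds without a second factor when MFA is unavailable")
    if policy.get("self_reenroll_allowed"):
        findings.append("self_reenroll_allowed: a compromised password can enrol a new MFA device")
    if policy.get("session_timeout_minutes", 0) <= 0:
        findings.append("session_timeout_minutes: sessions never time out")
    if policy.get("lockout_threshold", 0) <= 0:
        findings.append("lockout_threshold: no lock-out after repeated failed logins")
    return findings


def harden_policy(policy, session_timeout_minutes=480, lockout_threshold=5):
    """Return a copy of the policy with each weak setting corrected.
    The time-out and threshold defaults are illustrative assumptions."""
    fixed = dict(policy)
    fixed["fail_open"] = False
    fixed["self_reenroll_allowed"] = False
    fixed["session_timeout_minutes"] = session_timeout_minutes
    fixed["lockout_threshold"] = lockout_threshold
    return fixed


def audit_accounts(accounts, now=NOW, inactive_days=90, reenroll_window_days=7):
    """Flag enabled-but-dormant accounts, and MFA devices enrolled recently on an
    account that had been dormant (the two account-level scenarios in the summary)."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled; the mitigation is in place
        idle_days = (now - acct["last_login"]).days
        if idle_days > inactive_days:
            findings.append({"user": acct["user"], "check": "inactive_enabled",
                             "detail": f"no login for {idle_days} days"})
        recent_enroll = (now - acct["mfa_enrolled"]).days <= reenroll_window_days
        prev = acct.get("previous_login")
        dormant_before = prev is None or (acct["mfa_enrolled"] - prev).days > inactive_days
        if recent_enroll and dormant_before:
            findings.append({"user": acct["user"], "check": "reenrolled_after_dormancy",
                             "detail": "new MFA device on an account with no recent activity; verify with the user"})
    return findings


if __name__ == "__main__":
    for line in audit_policy(WEAK_POLICY):
        print("POLICY:", line)
    print("hardened policy findings:", audit_policy(harden_policy(WEAK_POLICY)))
    for f in audit_accounts(ACCOUNTS):
        print(f"ACCOUNT {f['user']}: {f['check']} ({f['detail']})")
```

Against the constructed data the weak policy yields four findings and the hardened copy none; `svc-archive` is reported as an enabled dormant account and `carol` as a re-enrollment on a previously dormant account, while `alice` (active, long-standing device) and `dave` (already disabled) produce nothing. In a real deployment the inventory would be exported from the identity provider's directory and MFA enrollment logs rather than hard-coded.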