{
	"id": "1d478fbe-7907-46b6-8127-0dc363620c54",
	"created_at": "2026-04-06T00:13:57.420803Z",
	"updated_at": "2026-04-10T03:37:32.965069Z",
	"deleted_at": null,
	"sha1_hash": "7e006ddd62dcec1c345efa47f0a59ed0c9e4d321",
	"title": "Multi-Factor Authentication: Headache for Cyber Actors Inspires New Attack Techniques",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 66390,
	"plain_text": "Multi-Factor Authentication: Headache for Cyber Actors Inspires\r\nNew Attack Techniques\r\nBy About the Author\r\nArchived: 2026-04-05 20:45:01 UTC\r\nIn recent years two-factor or multi-factor authentication (MFA) has been touted as the way to protect your\r\npersonal and business accounts from attack. This led to the wide adoption of MFA - from corporate accounts to\r\nsocial media profiles, almost all provide the option of enabling MFA, with many requiring it.\r\nThis means that, for attackers, stealing credentials or brute forcing passwords is no longer enough - if they don’t\r\nhave access to victims’ multi-factor access token or code they will still not be able to access their accounts. The\r\nincreasing use of MFA means that attackers have had to endeavor to find ways to bypass it, or avoid carrying out\r\nattacks that may be stalled by it. When we look at recent high-profile attacks, such as SolarWinds, the Microsoft\r\nExchange Server ProxyLogon attacks, and the vulnerabilities found in Pulse Secure VPN recently, all these\r\nattacks help attackers avoid the hurdle of needing to overcome MFA. \r\nWhile MFA has perhaps only gained wide adoption in the last couple of years, attacks attempting to bypass MFA\r\ndate as far back as 2011, when RSA Security was forced to replace 40 million SecurID tokens - which were used\r\nfor MFA at the time - after the company was hacked.\r\nHowever, recently, there have been some more notable examples of attacks that attempt to either bypass MFA, or\r\neradicate the need to bypass it at all, with five of these outlined in this blog.\r\nRecent zero-day vulnerability in Pulse Secure VPN (CVE-2021-22893)\r\nOn April 20, 2021, Pulse Secure published an advisory warning about a zero-day remote code execution\r\nvulnerability in its popular VPN product. 
On the same day, FireEye published a blog detailing how the\r\nvulnerability (CVE-2021-22893) was being exploited by a China-linked APT group it tracks as UNC2630.\r\nFireEye said this group was attempting to leverage the vulnerability in attacks targeting defense industrial base\r\n(DIB) targets in the U.S. \r\nThis new vulnerability was exploited, alongside a number of known Pulse Secure vulnerabilities, as the initial\r\ninfection vector in these attacks. FireEye said that at least 12 malware families have been associated with exploit\r\nattempts against vulnerabilities in Pulse Secure. The malware was associated with what appears to be three threat\r\nactors, with attacks taking place in organizations in the U.S. and Europe.\r\nThe UNC2630 activity that was analyzed by FireEye demonstrated that successfully exploiting this vulnerability\r\nin the VPN software allowed attackers to Trojanize shared objects with malicious code to log credentials and\r\nbypass authentication flows, including multi-factor authentication requirements. FireEye said it was tracking this\r\nactivity as SlowPulse. The attackers were also able to maintain persistence, inject web shells, and modify files.\r\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/multi-factor-authentication-new-attacks\r\nPage 1 of 4\n\nVPNs became a very popular target for hackers over the last year, as increased working from home due to the\r\npandemic meant that workers were increasingly using VPNs to log into their corporate networks. If an attacker is\r\nable to compromise the VPN software - through a vulnerability like this - it negates a need for them to acquire\r\nanything more in the line of multi-factor authentication. 
\r\nA patch for this bug was issued on Monday (May 3), and all users of Pulse Secure should apply it quickly.\r\nSymantec has released Hacktool.Webshell and Hacktool.Atrium to block files believed to be related to this\r\nvulnerability.\r\nMicrosoft Exchange Server (ProxyLogon) attacks\r\nOn March 2, Microsoft released emergency patches for four zero-day vulnerabilities in Microsoft Exchange\r\nServer that were being actively exploited by attackers in the wild. At the time, Microsoft said these vulnerabilities\r\nwere being exploited by an APT group it dubbed Hafnium (Symantec tracks this group as Ant) in targeted attacks.\r\nHowever, it quickly became apparent that multiple threat actors had started exploiting these vulnerabilities, with\r\nnumbers rising rapidly once the existence of the vulnerabilities became public knowledge.\r\nTwo of the vulnerabilities (CVE-2021-26855 and CVE-2021-27065) and the technique used to chain them\r\ntogether for exploitation were given the name “ProxyLogon”. Successful exploitation of these vulnerabilities\r\nallowed unauthenticated attackers to execute arbitrary code on vulnerable Exchange Servers, allowing them to\r\ngain persistent system access, access to files and mailboxes on the server, and access to credentials stored on the\r\nsystem. Successful exploitation may also allow attackers to compromise trust and identity in a vulnerable network.\r\nThis gives attackers extensive access to infected networks, allowing them to steal potentially highly sensitive\r\ninformation from victim organizations, without the need to bypass any multi-factor authentication steps. 
In several\r\ninstances the threat actors using these vulnerabilities were seen stealing emails from victim inboxes.\r\nTo learn how Symantec helps protect you from these attacks, read our blog: How Symantec Stops Microsoft\r\nExchange Server Attacks\r\nSolarWinds\r\nThe SolarWinds attacks were uncovered in December 2020, and have rarely been out of the headlines since, with\r\nthe U.S. recently announcing that it would be imposing sanctions against Russia as a response to the SolarWinds\r\nbreach, as well as a number of other cyber attacks. The statement from U.S. officials said they had “high\r\nconfidence” that the SVR, the Russian Foreign Intelligence Service - also known as APT29, Cozy Bear, The\r\nDukes - was responsible for the SolarWinds attack.\r\nThe SolarWinds incident is believed to have started in around March 2020, with any user of SolarWinds Orion\r\nsoftware who downloaded an update between March and December 2020 believed to have become infected with\r\nthe first-stage malware, Backdoor.Sunburst. The initial infection of victims was indiscriminate, but only a small\r\nnumber of those who downloaded the initial compromised update saw additional malicious activity on their\r\nnetworks. \r\nThe motivation of the SolarWinds attackers was always believed to be information stealing, with email appearing\r\nto be an area of particular interest to them. The attackers were also seen using various techniques to bypass MFA\r\nin the course of their attacks. In one incident, security firm Volexity said it saw the attackers using a novel\r\ntechnique to bypass 2FA provided by Duo, though the same technique would likely bypass MFA from any\r\nprovider that requires integration secrets stored in the potentially compromised environment. 
After gaining\r\nadministrator privileges on an infected network, the hackers used those rights to steal a Duo secret known as an\r\n“akey” from a server running Outlook Web App (OWA), which enterprises use to provide account authentication\r\nfor various network services. The hackers then used the “akey” to generate a cookie, so they’d have it ready when\r\nsomeone with the right username and password would need it when taking over an account.\r\nIn another report, FireEye described the techniques it saw the attackers using. Among the techniques FireEye saw\r\nwere:\r\nAttackers stealing the Active Directory Federation Services (AD FS) token-signing certificate and using it\r\nto forge tokens for arbitrary users, which would allow the attacker to authenticate into a federated resource\r\nprovider (such as Microsoft 365) as any user, without the need for that user’s password or MFA.\r\nModifying or adding trusted domains in Azure AD to add a new federated identity provider (IdP) that the\r\nattacker controls. 
This would allow the attacker to forge tokens for arbitrary users.\r\nCompromising the credentials of on-premises user accounts that are synchronized to Microsoft 365 and are\r\nassigned high privileged directory roles, such as administrator.\r\nHijacking an existing Microsoft 365 application by adding a rogue credential to it in order to use the\r\nlegitimate permissions assigned to the application, such as the ability to read email, send email as an\r\narbitrary user, access user calendars, etc., while bypassing MFA.\r\nAttackers know they need a way to bypass or avoid MFA altogether if they want to access victims’ email accounts,\r\nwhich still appears to be the goal of many sophisticated attackers, including state-sponsored actors like those\r\nbehind SolarWinds.\r\nRead all our SolarWinds research, and how Symantec helps protect you, on our dedicated blog page.\r\nHackers targeting Iranian dissidents seek to steal 2FA text codes\r\nIn September 2020, Check Point published research on the Rampant Kitten hacking group, which it said had\r\ndeveloped a new Android malware that was capable of intercepting and stealing 2FA codes sent via text. It is\r\nknown that text 2FA is significantly less secure than using an app or token - as tactics like SIM swapping (where a\r\nmalicious actor gains access to your phone number) would allow codes to be intercepted - and many security\r\nexperts think neither organizations nor individuals should be using this kind of 2FA if there is another option.\r\nCheck Point said Rampant Kitten’s surveillance campaign had been ongoing for as long as six years, targeting\r\ndissidents and minorities in Iran. The malware was hidden inside an app that purported to be designed to help\r\nIranian citizens get a Swedish driver's license. 
However, as well as harvesting contacts, old text messages, and\r\nrecording using the microphone, the malicious app was also designed to look for SMS messages that contained a\r\n\"G-\" string, which is a prefix used by Google as part of the two-factor authentication process. The attackers would\r\nsend phishing messages to victims in order to harvest their credentials, and would then also be able to access their\r\n2FA codes and gain access to their accounts. The malware also forwarded all text messages to the attackers,\r\nmeaning they could bypass 2FA for any other apps or services using text message 2FA too.\r\nChinese attackers attempting to bypass 2FA\r\nBack in 2019, FOX-IT blogged about a Chinese state-sponsored group - APT20 - that was bypassing 2FA in its\r\nattacks. FOX-IT had been monitoring the attacker’s activity over a period of two years, stating that it used living-off-the-land techniques to maintain a stealthy presence on victims’ networks in order to siphon off data for the\r\npurposes of espionage. FOX-IT found evidence the attackers had connected to VPN accounts that were protected\r\nby 2FA, with the researchers theorizing that they did this by stealing an RSA SecurID software token from a\r\nhacked system, which they then used to generate valid one-time codes and bypass 2FA at will. \r\nAs FOX-IT explained at the time: “The software token is generated for a specific system, but of course this system\r\nspecific value could easily be retrieved by the actor when having access to the system of the victim.\r\n“As it turns out, the actor does not actually need to go through the trouble of obtaining the victim's system specific\r\nvalue, because this specific value is only checked when importing the SecurID Token Seed, and has no relation to\r\nthe seed used to generate actual two-factor tokens. 
This means the actor can actually simply patch the check which\r\nverifies if the imported soft token was generated for this system, and does not need to bother with stealing the\r\nsystem specific value at all.\r\n“In short, all the actor has to do to make use of the two-factor authentication codes is to steal an RSA SecurID\r\nSoftware Token and to patch one instruction, which results in the generation of valid tokens.”\r\nWorrying trend\r\nWhile it has been known for some time that some advanced persistent threat (APT) groups and sophisticated\r\nactors were able to bypass MFA in some instances, the recent sophisticated attacks that appear to have bypassing\r\nthese kinds of protections as one of their main goals provide a reminder that no single solution is sufficient.\r\nFortunately, these attacks also show MFA is working as attackers need to go to great lengths to find alternative\r\nmeans to breach MFA-protected organizations. Organizations should take additional steps to increase protection,\r\nsuch as:\r\nAuditing login and Active Directory events\r\nReviewing and reducing services and accounts that do not require MFA\r\nKeeping up to date on patches for any discovered vulnerabilities\r\nConsidering a threat model where MFA may be bypassed or on-site secrets may be compromised\r\nExpanding their zero trust architecture beyond simple 2FA.\r\nSource: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/multi-factor-authentication-new-attacks",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/multi-factor-authentication-new-attacks"
	],
	"report_names": [
		"multi-factor-authentication-new-attacks"
	],
	"threat_actors": [
		{
			"id": "5d512e7c-f6a7-47b5-b440-4968c299deaf",
			"created_at": "2023-01-06T13:46:38.344772Z",
			"updated_at": "2026-04-10T02:00:02.9359Z",
			"deleted_at": null,
			"main_name": "APT20",
			"aliases": [
				"VIOLIN PANDA",
				"TH3Bug",
				"Crawling Taurus"
			],
			"source_name": "MISPGALAXY:APT20",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7c969685-459b-4c93-a788-74108eab6f47",
			"created_at": "2023-01-06T13:46:39.189751Z",
			"updated_at": "2026-04-10T02:00:03.241102Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"Red Dev 13",
				"Silk Typhoon",
				"MURKY PANDA",
				"ATK233",
				"G0125",
				"Operation Exchange Marauder"
			],
			"source_name": "MISPGALAXY:HAFNIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7e75ee53-c4d3-4260-8106-ed7b61d35f02",
			"created_at": "2023-12-08T02:00:05.765868Z",
			"updated_at": "2026-04-10T02:00:03.497413Z",
			"deleted_at": null,
			"main_name": "UNC2630",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC2630",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2704d770-43b4-4bc4-8a5a-05df87416848",
			"created_at": "2022-10-25T15:50:23.306305Z",
			"updated_at": "2026-04-10T02:00:05.296581Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"HAFNIUM",
				"Operation Exchange Marauder",
				"Silk Typhoon"
			],
			"source_name": "MITRE:HAFNIUM",
			"tools": [
				"Tarrask",
				"ASPXSpy",
				"Impacket",
				"PsExec",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e580dec5-1558-4c79-8eda-c968d1cd206f",
			"created_at": "2022-10-25T16:07:24.090829Z",
			"updated_at": "2026-04-10T02:00:04.863398Z",
			"deleted_at": null,
			"main_name": "Rampant Kitten",
			"aliases": [],
			"source_name": "ETDA:Rampant Kitten",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6d69ef1b-b6f3-47e1-be5a-87ac0fd5ff55",
			"created_at": "2024-04-24T02:00:49.599348Z",
			"updated_at": "2026-04-10T02:00:05.303948Z",
			"deleted_at": null,
			"main_name": "APT5",
			"aliases": [
				"APT5",
				"Mulberry Typhoon",
				"BRONZE FLEETWOOD",
				"Keyhole Panda",
				"UNC2630"
			],
			"source_name": "MITRE:APT5",
			"tools": [
				"Tasklist",
				"PoisonIvy",
				"RAPIDPULSE",
				"PcShare",
				"Mimikatz",
				"SLOWPULSE",
				"SLIGHTPULSE",
				"Skeleton Key",
				"gh0st RAT",
				"PULSECHECK",
				"netstat"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "529c1ae9-4579-4245-86a6-20f4563a695d",
			"created_at": "2022-10-25T16:07:23.702006Z",
			"updated_at": "2026-04-10T02:00:04.71708Z",
			"deleted_at": null,
			"main_name": "Hafnium",
			"aliases": [
				"G0125",
				"Murky Panda",
				"Red Dev 13",
				"Silk Typhoon"
			],
			"source_name": "ETDA:Hafnium",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434437,
	"ts_updated_at": 1775792252,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7e006ddd62dcec1c345efa47f0a59ed0c9e4d321.pdf",
		"text": "https://archive.orkl.eu/7e006ddd62dcec1c345efa47f0a59ed0c9e4d321.txt",
		"img": "https://archive.orkl.eu/7e006ddd62dcec1c345efa47f0a59ed0c9e4d321.jpg"
	}
}