Companies that impose MFA requirement on all customers
April 2020, Zoom was booming. The start of the COVID pandemic forced employees to work from home, meetings in person migrated to a videoconferencing model, and Zoom was the preferred tool. The massive and fast growth led into an opportunity for attackers. A vulnerability in Zoom could allow an attacker to steal a user’s Windows credentials, as long as the target user would click on a link provided through a Zoom session. The question was then how to get into those private sessions. The answer came a few weeks later.
A database with around 530,000 valid Zoom credentials were being sold in the dark web. Had Zoom been hacked? No, the attackers took gigabytes of credentials stolen throughout the years and used a credential stuffing attack to find out which credentials could work for Zoom. Hundreds of thousands did. The attack basically tests the user login, using a stolen credential, usually from another leak. For example, if I use the same password for both LinkedIn and Zoom, and my credentials were part of one of LinkedIn’s hacks – the more notorious one from 2012 when 6.5 million LinkedIn credentials were stolen – credential stuffing would have worked for Zoom.
That´s because people tend to use the same password over and over again. Unless you have a password manager, it’s impossible to have a different password for each entry in your digital life. Users tend to have 3-5 different passwords for everything, with maybe some small variations, like the numbers at the end.
That is probably one of the reasons that Salesforce, in the beginning of 2021, announced that on February 1, 2022, they would enforce the use of MFA for their users. Imagine a credential stuffing attack against Salesforce, the most popular CRM in the market. That would expose thousands, if not hundreds of thousands accounts, with all their contacts and sensitive business information. Now Salesforce will start auto-enabling MFA throughout the year. And by the way, SMS or email OTPs will not be accepted, since they are extremely vulnerable to multiple attacks.
Google went down the same path. In May 2021, they announced they would be enforcing and auto-enabling 2FA for new users. By February 2022, they had more than 150 million 2FA users for Google accounts, as well as 2 million 2FA users for YouTube creators.
The fact is that the MFA culture is now widespread. Companies looking for cyber insurance will be required to prove they are protecting emails, servers, remote access, and sensitive data with MFA. Governments are enforcing it in their agencies and vendors. The market is going in this direction and MSPs have been driving this for years.
- In July 2019, Corey Nachreiner from WatchGuard talked about the threat of the MSP targeted attacks. Instead of attacking one company at the time, why not target MSPs, so ransomware can be deployed to all of their managed accounts at the same time? By using some management consoles from ConnectWise, Kaseya, Webroot and RDP services, attackers were able to successfully conduct a massive attack through MSPs.
- Webroot’s SVP at that time, Chad Bacher, announced that “To ensure the best protection for the entire Webroot customer community, we decided it is time to make two-factor authentication mandatory.” He is right. If MFA is important to protect a company’s assets, protecting an MSP management console is many times more important.
- In June 2020, the United States Secret Service issued an alert about an increase in attacks related to MSPs, obviously to maximize the number of infected companies. In their alert, the recommend MSP Customers to “enforce two-factor authentication for all remote logins.”
- Similar to this one, the U.S. Cybersecurity & Infrastructure Security Agency (CISA), together with the FBI and NSA, issued an alert in September 2021, because of the strong growth of Conti ransomware infections. The alert mentioned that most attacks were conducted through remote access to servers (RDP) using stolen or weak credentials. One of the recommended immediate actions was to implement MFA for RDP.
The trend is that MSPs are adding MFA to their management packages. Instead of an optional package, it’s now part of core service, for the security of their managed accounts, as well as for their own protection. They just can’t afford a major ransomware infection in their whole managed accounts portfolio. And MFA, with some good user training, is an important and strong weapon against access to sensitive data and ransomware distribution.