For those of you who have followed my ramblings for a while, it will probably come as no surprise to find that the constant march forward of technology has rendered MFA/2FA (Multi-Factor Authentication) much less secure than it was previously.
This will be no surprise to many in the IT industry either. From the day 2FA arrived, I thought there was probably a way to build a website that would accept my log-on attempt and then pass it on in real time to the Microsoft 365 logon server. In fact, I was convinced that if a few of us at Nitec put effort into it we could have cracked it. Only my desire to sleep in my own bed next to my wife, and not in a twin suite on an all-expenses-paid retreat at His Majesty’s pleasure with some bloke called “Knuckles” 23 hours a day, got in the road of it.
Alas, however, there were people with fewer scruples than me who put in the hard yards, and now we have what is called Evilginx, a toolkit that can be installed on a compromised web server and turns said web server into an intermediary between you and Microsoft 365. So now when you log on, they log on too. By the way, if you're reading this and thinking “I’m not sure if I have understood this correctly and don’t know if I should be concerned”, the answer is yes. You should be concerned. Don’t be jumping off any bridges or anything, but action is required, albeit not that dramatic.
Nitec has been advocating MFA for Microsoft 365 for many years now and Microsoft themselves say that MFA probably helps defeat approximately 95-99% of attempts to hack into Microsoft 365. Hackers, largely being the lazy folks that they are, really have only the energy to run down the weakest of prey and will probably stay for a while at the level they are at and only use these more sophisticated methods for more valuable targets. Make no mistake though, the back is now broken on cheating MFA and it’s all downhill from here.
If you have not yet implemented MFA, you may be struggling to read this article on account of having your head squarely secreted in the nearest body of sand (not unlike the antics of a two-year-old who plays hide and seek by putting his hands over his own eyes and thinking he has donned an invisibility cloak). In a two-year-old, it’s cute; in a grown adult, not so much. Even while I am describing how MFA has become less secure, it is extremely important that you understand that not having MFA in the modern age is nothing short of a disaster.
At Nitec we are nothing if not pragmatic, so our approach is, and has always been, best summed up as: we want reasonable people to take reasonable security measures. Doing those reasonable things will elevate you to somewhere between the top 1% and top 10% of companies and give you excellent security. In even better news, the tools we have been advocating to ensure the use of MFA also represent the best method of implementing measures that actually protect against the latest iterations of Evilginx.
As you know, it has been Nitec's policy for some time to advocate that clients move to Microsoft 365 Business Premium to avail of the additional security measures included in that bundle. Primarily these include:
- Ability to block logins from other countries (e.g. Nigeria, Ukraine, Russia & China etc.)
- Ability to ensure MFA stays enabled
- Ability to stop hackers using old, insecure versions of apps to weaken security
- Ability to stop logons from machines that are not company owned
In fact, of the four policies only number 4 is capable of stopping Evilginx dead in its tracks. Number 1 can also be effective, but it is not guaranteed.
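As an added illustration (not from the original post or from Nitec), this is what policy number 4 looks like when set up as a Microsoft Entra Conditional Access policy using the Microsoft Graph PowerShell SDK. The session an Evilginx server relays comes from the attacker’s machine, which cannot present the company-device claim, so the sign-in is refused. The group ID is a placeholder, and the policy is created in report-only mode first so its effect can be checked in the sign-in logs before it is enforced.

```powershell
# Added example: Conditional Access policy requiring a compliant or
# hybrid-joined (company-owned) device for every user and every cloud app.
# Assumes the Microsoft.Graph PowerShell module is installed and that the
# signed-in admin can consent to the Policy.ReadWrite.ConditionalAccess scope.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Placeholder: object ID of the emergency-access ("break glass") group,
# excluded so a mis-scoped policy cannot lock every admin out.
$breakGlassGroupId = "<PLACEHOLDER-break-glass-group-object-id>"

$policy = @{
    displayName = "Require company-owned device for all cloud apps"
    # Report-only first: evaluated and logged, but not enforced.
    # Change to "enabled" once the sign-in log review looks right.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
        applications = @{
            includeApplications = @("All")
        }
        # Apply to browser, mobile/desktop and legacy client types alike.
        clientAppTypes = @("all")
    }
    grantControls = @{
        # Either control satisfies the policy; anything else is blocked.
        operator        = "OR"
        builtInControls = @("compliantDevice", "domainJoinedDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

The geo-blocking policy (number 1) is built the same way, with a named location in `conditions.locations` and `block` as the grant control, which is why it only helps when the attacker’s server happens to sit in a blocked country.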
The Bottom Line
Security is a moving terrain and you constantly need to adjust to stay ahead. What worked in 2015 is no longer effective. The tools are there and there is no need for panic but you do need to expend some effort and financial resources to ensure that you stay up-to-date.
Another worrying development from these hackers is that, knowing backup and recovery can be very effective, they have stopped focusing only on data deletion/encryption, which is somewhat out of their control when faced with a backup. That method is still used in the first instance to extract a cash payment, but once they get wind that you are able to recover, they resort to blackmailing you with the threat of releasing all your private documents on the internet. This threat is worse for some companies than others, but given that pay-outs in 2020 were up 400% year-on-year, it would be fair to suggest this method is very effective. By far the best policy is to try to ensure they don’t get in in the first place.
There is a train of thought that goes: if Sony can be hacked, what chance do I have? I don’t like or have time for this approach. If you get hacked and you have taken reasonable steps, fair enough. But on the day you get hacked you really want to be able to look yourself in the mirror and know you actually had taken those reasonable precautions and not kicked them down the road. On almost every occasion I can think of, the people who are successfully attacked are those not taking security anywhere near seriously enough.