The FBI is warning businesses about a new series of cyberattacks that can circumvent multi-factor authentication (MFA).
In a Private Industry Notification (PIN), the FBI warned businesses that “cyber actors” had been observed “circumventing multi-factor authentication through common social engineering and technical attacks.” The report went on to describe several scenarios in which hackers bypassed MFA protections and accessed target networks and stored data. The methods used were SIM swapping, phishing, and newer hacking tools such as Muraena and Necrobrowser.
Multi-factor authentication, where a user’s login and password are supplemented with a token, one-time access code, or other means of verification, is widely regarded as an effective baseline for enterprise cybersecurity; a recent study by Microsoft stated that, when deployed properly, it can block 99.9% of attacks on businesses.
While the FBI still recommends multi-factor authentication, calling it a “strong and effective security measure to protect online accounts,” the PIN suggests boosting its effectiveness through workplace training to identify social engineering scams such as email-based phishing links and phony websites, as well as by implementing more sophisticated forms of authentication.
Read the PIN here.