How Hackers Are Still Beating Top Security Measures

An analysis by Microsoft in 2019 found that MFA can prevent 99.9% of account attacks. However, since then attackers have become adept at bypassing common MFA methods.

Codes sent by SMS can be intercepted by SIM swapping techniques.

Push notification requests can be compromised by ‘push notification fatigue’, whereby attackers swamp users with requests to hit ‘yes’ to a push notification access request.

Reverse proxy is an approach used to facilitate such bypass techniques – essentially the deployment of a proxy server between a target user and an impersonated website, allowing threat actors to capture their usernames, passwords and session cookies in real time.

Researchers have observed the development of off-the-shelf MFA bypass kits, making MFA bypass accessible to a wider range of threat actors.

Simply implementing MFA measures no longer guarantees the security of accounts because of these bypass techniques.

Stronger MFA methods, such as FIDO USF security keys, should be used to defend the most sensitive accounts, with methods like SMS and push notifications, proving much more susceptible to compromise.

Cyber threat actors have developed a wide variety of tools and techniques to evade and disable security tooling, allowing them to move laterally in networks without detection or disruption.

A Cisco Talos report highlighted how ransomware attackers prioritise defence evasion tactics to increase dwell time in victim networks, with the purpose of identifying the most sensitive data and systems.

Methods include disabling and modifying security software such as anti-virus programmes and endpoint detection solutions, and modifying system registries to disable security alerts.

A range of novel techniques have been utilised to enable such approaches. HP Wolf researchers reported in 2023 that QakBot malware campaigns are switching up different file types and techniques to bypass detection tools and security policies.

In February 2024, Picus Security highlighted a surge in the use of “hunter killer” malware, designed to seek out and disable enterprise security defences. This malware reportedly made up 26% of all detections in 2023.

This malware category is linked to three main MITRE ATT&CK techniques:

• Process Injection (T1055), which is about covertly embedding malicious activities in legitimate processes to evade detection tools
• Command and Scripting Interpreter (T1059), which sees attackers disguising their activity as normal system operations
• Impair Defences (T1562), which is an offensive capability in which threat actors directly target and disrupt the tools meant to protect networks

New forms of malware designed for security evasion and disablement purposes continue to emerge. Promon researchers highlighted a newly discovered banking malware, dubbed Snowblind, in June 2024.

This malware uses a “never-before-seen” technique to disable Android banking apps’ ability to determine if they have been maliciously modified, thereby avoiding detection. It does this by bypassing anti-tampering code in the Linux kernel feature ‘seccomp,’ by limiting the system calls or requests an application can make from the operating system.

Attackers’ ability to bypass security defences have evolved further to use security tools against themselves to help facilitate their campaigns.

In July 2024, Barracuda researchers observed phishing campaigns using URL protection services to disguise malicious phishing links. URL protection services are designed to protect users from visiting malicious websites via a phishing link.

In these novel attacks, threat actors gain entry to the URL protection service via compromised accounts, and leverage it to re-write their own phishing URLs, thereby concealing their malicious nature – essentially turning the service on itself.

In the same month, Cofense highlighted how threat actors are Secure Email Gateways (SEGs) by using SEG technology against itself. SEGs encode URLs that are embedded in emails, enabling the security appliance to scan the URL before the recipient visits the website.

The researchers reported an uptick in threat actors using SEG encoded URLs in phishing emails, with these tools often allowing the email though without checking the embedded URLs.

The growing trend of cyber threat actors developing new ways to overcome existing security tooling presents a major challenge to defenders. Security tools may appear to be working as expected, even if an attack has disabled or reconfigured them.

Cybersecurity professionals must adopt a mindset of continuous improvement, and never view any aspect of their defences as impregnable.

Penetration testing is essential in this environment, ensuring that all systems are regularly tested with rigour by experts trained in the latest techniques and tools, with updates and new solutions implemented rapidly.