I want to know how they social engineered an employee at a 2FA-enabled company into bypassing 2FA.
Was the employee able to disable 2FA for their own account?
Was the employee social engineered into adding someone else's 2FA key to their account?
Did the employee read a 2FA code to the attacker, and that somehow enabled all the evil things the attacker did, without any additional checks or 2FA codes?
Did the attacker hack the employee's system and MITM their 2FA code without their knowledge? It doesn't sound like it, because that wouldn't be social engineering.
I wonder if it was something like DUO and employees were told to just hit approve.
Get employee's password
Call employee
"Hey [employee], I'm [coworker] from the security team and we noticed your DUO was locked. I just enabled it, but we want to make sure it works. Hit Approve when you get a notification."
That's why you need a phishing-resistant method of 2FA. U2F is phishing resistant. Any type of OTP, or anything that doesn't bind the user action to the URL bar, is susceptible to phishing. U2F has the computer verify the URL bar, so it's phishing-resistant.
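An added illustration (not from the thread) of the origin binding that comment describes: the browser, not the page, records the origin in the client data, the authenticator scopes its credential to the RP ID and signs over both, and the relying party checks all of it. Names, the RP ID `example.com`, the lookalike domain, and the HMAC standing in for the authenticator's ECDSA signature are constructed for this example.

```python
import hashlib
import hmac
import json

# Constructed values for this example (not from the thread).
RP_ID = "example.com"
RP_ORIGIN = "https://example.com"
CRED_SECRET = b"per-credential-secret"  # stand-in for the authenticator's private key


def browser_client_data(origin, challenge):
    # The browser fills in the origin the user is actually on; the page cannot choose it.
    return json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()


def authenticator_sign(rp_id, client_data):
    # Models a U2F/WebAuthn authenticator: the credential is scoped to the RP ID hash
    # and the signature covers that hash plus the hash of the browser-produced client data.
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    client_hash = hashlib.sha256(client_data).digest()
    sig = hmac.new(CRED_SECRET, rp_id_hash + client_hash, hashlib.sha256).digest()
    return rp_id_hash, sig


def rp_verify(challenge, client_data, rp_id_hash, sig):
    # Relying-party checks: origin and challenge in client data, RP ID hash, then signature.
    data = json.loads(client_data)
    if data.get("origin") != RP_ORIGIN or data.get("challenge") != challenge:
        return False
    if rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():
        return False
    expected = hmac.new(CRED_SECRET, rp_id_hash + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def legitimate_login(challenge="challenge-1"):
    client_data = browser_client_data(RP_ORIGIN, challenge)
    return rp_verify(challenge, client_data, *authenticator_sign(RP_ID, client_data))


def relayed_login(challenge="challenge-1"):
    # User is on a lookalike site; browser records that origin and the authenticator
    # scopes to that RP ID, so the RP rejects the relayed assertion.
    client_data = browser_client_data("https://example-login.invalid", challenge)
    return rp_verify(challenge, client_data, *authenticator_sign("example-login.invalid", client_data))


def relayed_login_with_rewrite(challenge="challenge-1"):
    # Relay rewrites origin and RP ID hash to the real values before forwarding;
    # the signature no longer matches, so it is still rejected.
    client_data = browser_client_data("https://example-login.invalid", challenge)
    _, sig = authenticator_sign("example-login.invalid", client_data)
    forged = browser_client_data(RP_ORIGIN, challenge)
    return rp_verify(challenge, forged, hashlib.sha256(RP_ID.encode()).digest(), sig)
```

Contrast this with an OTP: a six-digit code carries no origin, so a code typed into the lookalike site verifies just as well when relayed.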
I just find it ironic that the same people pushing for 2FA and arbitrary password rules are now saying "oh I guess 2FA is phishable"
The best defense against phishing seems to be to hire competent people, train them on it, and establish "No You-Know-Who-You're-Talking-To" policies, so that if something doesn't get done because someone followed security procedures (example: a "CEO" asking for an "urgent" favour), that person is not blamed.
Too lazy to provide a link (sorry) but KrebsOnSecurity had some screenshots of a forum user offering up access to internal tooling. The access may have been deliberately sold, not necessarily coerced.
They probably got the reps to disclose the phone numbers by asking "Is this the right phone number?", and then they made a SIM card for that number to get the 2FA text.
P.S. I feel bad for the employees who were manipulated to give away the info.