September’s cyberattack on ride-hailing service Uber began when a criminal acquired a contractor’s stolen credentials on the dark web.
The attacker then repeatedly attempted to log into the contractor’s Uber account, each attempt triggering a two-factor push prompt on the contractor’s phone. The contractor initially denied the prompts, blocking access. Eventually, however, the contractor accepted one of the many push notifications, which allowed the attacker to log into the account and gain access to Uber’s corporate network, systems and data.
The app maker became the latest high-profile victim of MFA fatigue, an ever-growing cybersecurity problem in which attackers work their way around multi-factor authentication (MFA), a cornerstone of modern defenses, at a time when threat groups are shifting their focus away from infecting endpoints and toward attacking identity.
Microsoft and Cisco Systems have also been victims of MFA fatigue, also known as MFA spamming or MFA bombing, this year, and such attacks are growing rapidly. According to Microsoft, the number of MFA fatigue attacks rose sharply between December 2021 and August 2022. In December 2021 there were 22,859 Azure AD Identity Protection sessions with multiple failed MFA attempts; in August there were 40,942.
A hole in MFA
MFA is one of a number of security tools, alongside Zero Trust architectures, designed to protect organizations from cyber threats and from the problem of employees accidentally clicking on malicious email attachments or URLs designed to steal the username and password that a single-factor login relies on. With MFA, another authentication factor is required, ranging from fingerprint or face recognition to a PIN or the answer to a security question.
There are also push notifications, which are prompts on a user’s mobile device when an attempt is made to log into a system or account using their credentials. The prompts ask for confirmation that the user is the one trying to log in.
In an MFA fatigue attack, the attacker uses the stolen credentials to repeatedly attempt to log into a protected account, overwhelming the user with push notifications. The user might initially tap the prompt and indicate that they are not trying to sign in, but, worn down by the flood of prompts, eventually approve one just to make their phone stop buzzing. They may assume a temporary glitch or an automated system is causing the surge in requests.
Sometimes the attacker poses as part of the organization’s IT staff and prompts the employee to accept the access attempt.
It’s about human behavior
Like phishing and other attacks, MFA fatigue relies on social engineering to gain access to the corporate network.
“It’s an attack vector that tricks the employee into being human,” John Spiegel, director of strategy and field CTO at Axis Security, told The Register. “The intention is to trick the victim into getting frustrated with countless MFA requests and finally clicking ‘Approve’. We’ve all experienced something similar with technology. Whether it’s as simple as programming the clock on a fridge or clicking through screens to accept all cookies to get to the content you want, we don’t always validate the request. That’s what the bad actor counts on.”
Threat groups run with MFA spamming
The attack is relatively simple, but it has worked for cybercrime crews. The Yanluowang gang used it in an attack on Cisco in May and later released some of the stolen data on a dark web leak site. In March, the Lapsus$ group stole 37GB of source code from Microsoft after compromising an employee through MFA fatigue.
Then there was Uber, which blamed Lapsus$ for its breach.
In a report updated in May, Mandiant, now part of Google, pointed to Russian threat groups using MFA spamming in their attacks. The threat has also drawn government attention. The US Cybersecurity and Infrastructure Security Agency (CISA) this week released fact sheets highlighting the threats to MFA and how organizations can protect themselves.
“It’s a major threat because it bypasses the security measures put in place by an organization, including one of the most effective, which is MFA,” Sami Elhini, biometrics specialist at Cerberus Sentinel, told The Register. “Companies need to pay attention because MFA fatigue, like phishing, is a form of social engineering.”
Companies that rely more on MFA, Zero Trust
The attacks on MFA come as enterprises adopt cloud-first and zero-trust models in the wake of the COVID-19 pandemic, models that often rely on MFA to protect data and applications, Stephanie Aceves, senior director of product management at Tanium, told The Register.
“MFA fatigue poses a serious threat to organizations because it’s a fairly trivial way for a patient attacker to gain access to private corporate resources,” Aceves said, noting that it targets the greatest risk to organizations: people, who can be manipulated.
With this in mind, what can organizations do to protect themselves from MFA spamming attacks? As with other forms of social engineering, it is important to educate employees about the threat.
“People have been told they need to ditch passwords and move to MFA, but they aren’t told that the vast majority of MFAs are easy to phish, as easy to steal or bypass as your password,” Roger Grimes, data-driven defense analyst at KnowBe4, told The Register. “All MFA users think they’re a lot harder to attack than using a password, and that’s just not true.”
As a result, he said, users have not had even the slightest “education on common types of attacks and how to detect, prevent, and report them appropriately. Literally five minutes of education would make a huge difference.”
Patrick Tiquet, vice president of security and architecture at Keeper Security, told The Register that organizations need to recognize that not all MFA methods are vulnerable to MFA fatigue attacks. Those that use push, SMS or email are vulnerable, and they are also less secure because those channels can be intercepted by third parties.
“MFA methods like U2F [Universal 2nd Factor], FIDO [Fast ID Online], WebAuthn, PIV/CAC, or time-based tokens are immune to MFA fatigue. Organizations should implement these MFA practices whenever possible to prevent MFA fatigue,” Tiquet said.
Number matching, request limits can help
Companies like Microsoft are also taking steps. Redmond, for example, is making number matching a default feature of its Authenticator app. When a user responds to an MFA push notification, they must type into the app a number that is displayed on the sign-in screen that triggered the prompt; a bare tap on Approve no longer suffices. According to Microsoft, the number is only shown to users for whom number matching has been enabled.
They’re also adding other features to Authenticator, including showing users what application they’re signing into and the location of the device, based on its IP address, used to sign in. If the user is in California but the device is in Europe, that should raise a big red flag.
Duo also introduced number matching in its Duo Push app in August. The feature, which is in early access and is called Verified Duo Push, requires users to enter a verification code to “ensure that only verified users can sign in and to prevent anyone from absentmindedly accepting a push they didn’t request,” Joshua Terry, product manager at Duo, wrote in a blog post.
Okta also offers organizations what they call a “number challenge” for push notifications with its Okta Verify tool.
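The reason number matching defeats a fatigue attack is that the challenge number is displayed on the sign-in screen the attacker is sitting at, and never on the victim’s phone, so a victim who blindly taps Approve cannot supply it. The following simulation, added here as an illustration and not code from Microsoft, Duo or Okta, models that flow; the class and function names, the 60-second push lifetime and the two-digit challenge size are assumptions for this example.

```python
"""Toy number-matching push MFA (added example; not any vendor's implementation).

Flow: the sign-in screen asks the IdP for a push after the password check. The IdP
returns a push_id (delivered to the phone) and a challenge number (shown only on the
sign-in screen). The phone's approval is accepted only if the user types that number.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class PushChallenge:
    push_id: str
    username: str
    number: int      # displayed on the sign-in screen, never sent to the phone
    created: float
    used: bool = False


class NumberMatchingIdP:
    """Assumed toy identity provider; TTL and 2-digit challenge are example choices."""

    TTL_SECONDS = 60

    def __init__(self) -> None:
        self._pending: Dict[str, PushChallenge] = {}

    def start_push(self, username: str) -> Tuple[str, int]:
        """Called by the sign-in screen. Returns (push_id for the phone, number for the screen)."""
        challenge = PushChallenge(
            push_id=secrets.token_hex(8),
            username=username,
            number=secrets.randbelow(100),
            created=time.time(),
        )
        self._pending[challenge.push_id] = challenge
        return challenge.push_id, challenge.number

    def approve(self, push_id: str, entered_number: Optional[int]) -> bool:
        """Called by the authenticator app. A push is single-use and expires; a bare
        tap (entered_number is None) or a wrong number consumes it and fails."""
        challenge = self._pending.pop(push_id, None)
        if challenge is None or challenge.used:
            return False
        challenge.used = True
        if time.time() - challenge.created > self.TTL_SECONDS:
            return False
        return entered_number is not None and entered_number == challenge.number


def legitimate_login(idp: NumberMatchingIdP) -> bool:
    """The real user is at the sign-in screen, reads the number and types it in."""
    push_id, number_on_screen = idp.start_push("contractor")
    return idp.approve(push_id, number_on_screen)


def fatigue_attack_blind_tap(idp: NumberMatchingIdP) -> bool:
    """Attacker has the password and triggers the push; the worn-down victim taps
    Approve without a number, because the number is on the attacker's screen."""
    push_id, _number_on_attacker_screen = idp.start_push("contractor")
    return idp.approve(push_id, None)


def wrong_number_then_replay(idp: NumberMatchingIdP) -> Tuple[bool, bool]:
    """A wrong number fails, and because the push is consumed, even the correct
    number presented afterwards for the same push_id fails too."""
    push_id, number_on_screen = idp.start_push("contractor")
    wrong = idp.approve(push_id, (number_on_screen + 1) % 100)
    late_correct = idp.approve(push_id, number_on_screen)
    return wrong, late_correct


if __name__ == "__main__":
    idp = NumberMatchingIdP()
    print("legitimate login:", legitimate_login(idp))
    print("fatigue attack, blind tap:", fatigue_attack_blind_tap(idp))
    print("wrong number, then replay:", wrong_number_then_replay(idp))
```

The single-use rule matters as much as the number itself: without it, an attacker who keeps the same prompt alive could let the victim cycle through guesses.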
CISA encourages organizations to implement phishing-resistant MFA and, where they cannot yet, at least number matching.
“While number matching isn’t as strong as phishing-resistant MFA, it’s one of the best interim measures for organizations that may not be ready to implement phishing-resistant MFA right away,” the agency wrote.
Limiting the number of unsuccessful MFA authentication requests is another option. Okta limits this number to five; Microsoft and Duo let organizations configure in their settings how many failed attempts are allowed before the user’s account is automatically locked. Microsoft also lets organizations set the number of minutes before the account-lockout counter is reset.
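Both of the server-side controls discussed in this section, a failed-attempt lockout of the kind Okta, Microsoft and Duo offer, and a detection rule that catches the Uber/Cisco pattern of many rejected pushes followed by an approval, can be sketched in a few dozen lines. The code below is an added example, not any vendor’s implementation; the log format, thresholds, field names and sample events are all constructed for illustration.

```python
"""Lockout policy and fatigue detection over MFA events (added example, not vendor code).

Log lines are a constructed key=value format; a real deployment would read the
IdP's sign-in logs instead. Thresholds mirror the article: Okta's five failed
attempts, and a configurable number of minutes before the counter resets.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List


@dataclass
class MfaEvent:
    ts: int           # seconds since epoch
    user: str
    result: str       # "approved", "denied" or "timeout"
    country: str      # geolocation of the sign-in attempt's IP address


# Constructed sample: four rejected/expired pushes for 'contractor' from NL in
# three minutes, then an approval; 'bob' has a single denial (benign typo-like noise).
SAMPLE_LOG = """\
ts=1000 user=contractor result=denied country=NL
ts=1030 user=contractor result=denied country=NL
ts=1075 user=contractor result=timeout country=NL
ts=1120 user=contractor result=denied country=NL
ts=1180 user=contractor result=approved country=NL
ts=1200 user=alice result=approved country=US
ts=5000 user=bob result=denied country=US
ts=5400 user=bob result=approved country=US
"""


def parse_log(text: str) -> List[MfaEvent]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        kv = dict(tok.split("=", 1) for tok in line.split())
        events.append(MfaEvent(int(kv["ts"]), kv["user"], kv["result"], kv["country"]))
    return events


class MfaLockoutPolicy:
    """Lock an account after max_failures unsuccessful MFA attempts within
    reset_after seconds. A locked account gets no further pushes at all."""

    def __init__(self, max_failures: int = 5, reset_after: int = 15 * 60) -> None:
        self.max_failures = max_failures
        self.reset_after = reset_after
        self._failures: Dict[str, Deque[int]] = defaultdict(deque)
        self.locked: Dict[str, int] = {}   # user -> timestamp of lockout

    def may_send_push(self, user: str) -> bool:
        return user not in self.locked

    def record(self, ev: MfaEvent) -> bool:
        """Feed every MFA result in time order. Returns True if this event locked the user."""
        if not self.may_send_push(ev.user):
            return False
        if ev.result == "approved":
            self._failures[ev.user].clear()   # a completed sign-in resets the counter
            return False
        window = self._failures[ev.user]
        window.append(ev.ts)
        while window and ev.ts - window[0] > self.reset_after:
            window.popleft()                  # failures older than the reset window expire
        if len(window) >= self.max_failures:
            self.locked[ev.user] = ev.ts
            return True
        return False


def run_lockout(events: List[MfaEvent], max_failures: int = 5) -> Dict[str, int]:
    """Replay events through the policy; return {user: lockout_ts} for users locked."""
    policy = MfaLockoutPolicy(max_failures=max_failures)
    for ev in sorted(events, key=lambda e: e.ts):
        policy.record(ev)
    return dict(policy.locked)


def detect_fatigue(events: List[MfaEvent], known_country: Dict[str, str],
                   min_rejections: int = 3, window: int = 600) -> List[str]:
    """Alert when an approval is preceded by >= min_rejections rejected/expired
    pushes within `window` seconds; note when the approving sign-in's country
    differs from the user's expected country (assumed to come from HR or baseline)."""
    by_user: Dict[str, List[MfaEvent]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_user[ev.user].append(ev)
    alerts = []
    for user, evs in by_user.items():
        for i, ev in enumerate(evs):
            if ev.result != "approved":
                continue
            prior = [p for p in evs[:i] if ev.ts - p.ts <= window and p.result != "approved"]
            if len(prior) < min_rejections:
                continue
            expected = known_country.get(user)
            geo = f" (expected {expected})" if expected and expected != ev.country else ""
            alerts.append(f"{user}: {len(prior)} rejected or expired pushes within "
                          f"{window}s then an approval from {ev.country}{geo}")
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("locked (max 5):", run_lockout(evs, 5))
    print("locked (max 3):", run_lockout(evs, 3))
    for alert in detect_fatigue(evs, {"contractor": "US", "alice": "US", "bob": "US"}):
        print("ALERT", alert)
```

With the default of five, the sample attacker still gets through, which is the argument for pairing a lockout with detection: the alert fires on the approval even when the lockout threshold was not reached.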
“At the end of the day, no model is perfect,” said Tanium’s Aceves. “As security professionals, it is our responsibility to develop controls and additional layers of defense to prevent attackers from accessing the data and resources we are designed to protect.”
For some, the ultimate goal is passwordless
Eliminating passwords altogether is the stated goal of companies like Microsoft, Google, and Apple. In May all three committed to a common passwordless sign-in standard being developed by the FIDO Alliance and the World Wide Web Consortium, covering everything from websites to apps, across devices and platforms.
However, widespread adoption will take some time. There are still legacy systems and applications that don’t support passwordless authentication, but the ultimate goal is to eliminate what has become a key weak link in the cybersecurity chain. Until then, it will continue to be important to strengthen passwords.
“Not all MFAs are created equal and cyber awareness is key, along with additional security controls such as privileged access management [that] can help reduce these risks, for example by pushing passwords to the background and ensuring that each account has strong, unique, and complex passwords,” Joseph Carson, chief security scientist and advisory CISO at Delinea, told The Register.
Multi-factor authentication fatigue can shatter security • The Register, https://www.theregister.com/2022/11/03/mfa_fatigue_enterprise_threat/