Analysis
The September cyberattack on ride-hailing service Uber began when a criminal bought the stolen credentials of a company contractor on the dark web.
The miscreant then repeatedly tried to log into the contractor’s Uber account, triggering the two-factor login approval request that the contractor initially denied, blocking access. However, eventually the contractor accepted one of many push notifications, enabling the attacker to log into the account and get access to Uber’s corporate network, systems, and data.
The app maker became the latest high-profile victim of multi-factor authentication (MFA) fatigue, an ever-growing cybersecurity problem in which attackers work their way around a cornerstone of modern defenses at a time when threat groups are shifting their focus away from infecting endpoints and instead are targeting identity.
Microsoft and Cisco Systems were also victims of MFA fatigue – also known as MFA spamming or MFA bombing – this year, and such attacks are rising rapidly. According to Microsoft, the number of MFA fatigue attacks it observed spiked between December 2021 and August: there were 22,859 Azure Active Directory Protection sessions with multiple failed MFA attempts last December, and 40,942 in August.
A hole in MFA
MFA is one of several security measures designed to limit the damage when employees inadvertently click on malicious email attachments or URLs that steal credentials, meaning the usernames and passwords that are enough on their own for single-factor sign-in. With MFA, a stolen password alone does not get an attacker in: a second authentication factor is required, ranging from fingerprint or facial recognition to a PIN or an answer to a security question.
There also are push notifications, which are prompts on a user’s mobile device if there is an attempt to use their credentials to sign into a system or account. The prompts ask for verification that the user is the one trying to sign in.
In an MFA fatigue situation, the attacker uses the stolen credentials to try to sign into a protected account over and over, overwhelming the user with push notifications. The user may initially tap on the prompt saying it isn’t them trying to sign in, but eventually they wear down from the spamming and accept it just to stop their phone going off. They may assume a temporary glitch or an automated system is causing the surge in requests.
An IT department could, where the identity provider supports it, introduce a lockout policy: after a set number of denied or unanswered second-factor requests the account is temporarily blocked from logging in, which also ends the MFA spam. That rule cuts both ways. An attacker who holds the password can trip it deliberately to lock employees out as a form of denial-of-service attack, and the worker may still accidentally or wrongly accept a request before the limit is reached. On the other hand, the benefits may outweigh these negatives, so this option is there for you to consider.
The attacker may also pose as a member of the organization’s IT staff, messaging the employee and telling them to accept the access attempt.
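The burst-then-approve pattern described above leaves a recognisable trace in authentication logs. The following is an added example, written for this article and not code from Uber, Microsoft or any vendor: it parses a constructed key=value push-notification log (the format and field names are assumptions, not a real product's export) and flags any approval that follows several denied or unanswered prompts for the same user inside a short window, reporting the source IPs involved so an analyst can compare them with the user's usual locations.

```python
"""Detect an MFA-fatigue pattern in push-notification logs.

Added example: the log format, field names and sample events below are
constructed for this illustration and do not match any vendor's export.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: four non-approvals then an approval for one user,
# and ordinary activity for another. Lines are deliberately out of order.
SAMPLE_LOG = """\
2022-09-15T22:01:02Z user=contractor1 event=push result=denied  ip=203.0.113.7
2022-09-15T22:01:30Z user=contractor1 event=push result=denied  ip=203.0.113.7
2022-09-15T22:02:05Z user=contractor1 event=push result=timeout ip=203.0.113.7
2022-09-15T22:02:44Z user=contractor1 event=push result=denied  ip=203.0.113.7
2022-09-15T22:03:10Z user=contractor1 event=push result=approved ip=203.0.113.7
2022-09-15T08:00:00Z user=alice event=push result=approved ip=198.51.100.4
2022-09-15T12:00:00Z user=alice event=push result=denied ip=198.51.100.4
2022-09-15T12:30:00Z user=alice event=push result=approved ip=198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=push result=(?P<result>\S+)\s+ip=(?P<ip>\S+)$"
)


def parse(log):
    """Return (timestamp, user, result, ip) tuples sorted by time; skip unrelated lines."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["result"], m["ip"]))
    events.sort()
    return events


def detect_fatigue(log, threshold=3, window=timedelta(minutes=10)):
    """Alert on an approval preceded by >= threshold non-approvals within `window`.

    Non-approved prompts (denied or timed out) are kept per user in a sliding
    window; an approval with a long enough backlog becomes an alert. Any
    approval clears the backlog so one burst produces one alert.
    """
    recent = defaultdict(deque)   # user -> deque of (ts, result, ip) not approved
    alerts = []
    for ts, user, result, ip in parse(log):
        q = recent[user]
        while q and ts - q[0][0] > window:
            q.popleft()           # age out prompts older than the window
        if result == "approved":
            if len(q) >= threshold:
                alerts.append({
                    "user": user,
                    "approved_at": ts.isoformat(),
                    "prior_failures": len(q),
                    "source_ips": sorted({e[2] for e in q} | {ip}),
                })
            q.clear()
        else:
            q.append((ts, result, ip))
    return alerts


if __name__ == "__main__":
    for alert in detect_fatigue(SAMPLE_LOG):
        print(alert)
```

The threshold and window are tuning knobs: three prompts in ten minutes is aggressive enough to catch a slow, patient attacker but will also fire on a user who fumbles a couple of genuine logins, so the alert is a lead for review rather than an automatic block.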
MFA fatigue relies on social engineering, as well as any shortcomings in the system design, to access the corporate network.
“It’s an attack method which preys on the employee to be a human,” John Spiegel, director of strategy and field CTO for Axis Security, told The Register.
“The intent is to get the victim to become frustrated with countless MFA requests and finally click ‘approve.’ We’ve all experienced something similar with technology. Whether it is as simple as programming the clock on a refrigerator or clicking through screens to accept all cookies to get to content we are after, we don’t always validate the request. That is what the bad actor is counting on.”
Threat groups run with MFA spamming
The attack is relatively simple and it has been working for cyber-crime crews against a range of targets. The Yanluowang gang in May used it in an attack against Cisco and later published some of the stolen data on a dark web leak site. In March, the Lapsus$ group leaked 37GB of source code stolen from Microsoft after compromising an employee via MFA fatigue.
Then there was Uber, which put the blame on Lapsus$.
In a report updated in May, Google-owned Mandiant pointed to a couple of Russian teams using MFA spamming in their attacks. The threat also has caught the government’s attention. The US government’s Cybersecurity and Infrastructure Security Agency (CISA) this week posted fact sheets highlighting the threats to MFA and how organizations can protect themselves.
“It’s a huge threat because it bypasses the security measures put in place by an organization, including one of the most effective, which is MFA,” Sami Elhini, biometrics specialist at Cerberus Sentinel, told The Register.
“Enterprises need to pay attention to this, because like phishing, MFA fatigue is a form of social engineering.”
Enterprises relying more on MFA, zero trust
The attacks on MFA come as businesses, with the COVID-19 pandemic lifting, are adopting cloud-first and zero-trust models, which ought to rely on MFA to help protect data and applications, Stephanie Aceves, senior director of product management at Tanium, told The Register.
“MFA fatigue poses a serious threat to organizations because it is a fairly trivial way for a patient attacker to gain access to private company resources,” Aceves said, noting that it targets the most significant risk to enterprises – people who can be manipulated.
Given this, what can enterprises do to protect themselves from MFA spamming attacks? Educating employees about the threat is important – such as teaching them how to identify and handle MFA request surges – but it isn’t the full and only solution.
Ensuring authentication apps can’t be fat-fingered, so that a request cannot be accepted by accident before the user has actually evaluated it, would help. Adding intelligent handling of logins, so that there is a cooling-off period after a bout of MFA spam, is useful too.
On top of this, some forms of MFA, such as one-time codes, can be phished along with usernames and passwords: a look-alike site collects the code from the victim and relays it to the real service, which accepts it, and the miscreant is logged in as the victim. Finding and implementing a phishing-resistant MFA approach is worth thinking about.
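To show concretely why a one-time code is phishable but an origin-bound credential is not, here is an added example, written for this article and not taken from any vendor or standard's reference code. The TOTP half is a standard-library RFC 6238 implementation. The second half is a deliberately simplified model of a WebAuthn-style assertion: the signature over the challenge and origin is stood in for by an HMAC with a per-device key so the example needs no third-party crypto library, and the origins and keys are constructed. The point it demonstrates is that the browser, not the user or the page, supplies the origin that gets signed, so a proxy sitting on a look-alike domain gets a signature the real site rejects.

```python
"""Relayed one-time codes versus origin-bound assertions.

Added example. TOTP follows RFC 6238 (stdlib only). The "device assertion"
is a simplified stand-in for a WebAuthn signature: HMAC with a device key
instead of ECDSA, so this runs without third-party libraries. Origins and
keys are constructed for the illustration.
"""
import base64
import hashlib
import hmac
import json
import secrets
import struct
import time

REAL_ORIGIN = "https://login.example.com"        # constructed
PHISH_ORIGIN = "https://login.example-com.net"   # constructed look-alike domain


# --- One-time codes (RFC 6238 TOTP, SHA-1, 30 s step) ----------------------
def totp(secret_b32, t=None, step=30, digits=6):
    counter = int((time.time() if t is None else t) // step)
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F                            # dynamic truncation (RFC 4226)
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def server_check_totp(secret_b32, code, t):
    return hmac.compare_digest(totp(secret_b32, t), code)


def relay_totp_attack(secret_b32, t):
    """Victim types the code into the phishing page; the proxy forwards it unchanged."""
    victim_code = totp(secret_b32, t)               # produced by the victim's app
    forwarded = victim_code                         # adversary-in-the-middle relays it
    return server_check_totp(secret_b32, forwarded, t)   # True: nothing ties the code to a site


# --- Origin-bound assertion (WebAuthn-like, simplified) ---------------------
def device_assert(device_key, challenge, origin_seen_by_browser):
    """The browser fills in the origin it is actually on; the page cannot override it."""
    client_data = json.dumps(
        {"challenge": challenge, "origin": origin_seen_by_browser}, sort_keys=True
    ).encode()
    sig = hmac.new(device_key, client_data, hashlib.sha256).digest()  # stand-in for a signature
    return client_data, sig


def rp_verify(device_key, expected_challenge, client_data, sig):
    """Relying party: the signed origin must be ours, the challenge must match, then check the signature."""
    data = json.loads(client_data)
    if data["origin"] != REAL_ORIGIN:
        return False                                # signed on the phishing origin: reject
    if not hmac.compare_digest(data["challenge"], expected_challenge):
        return False
    expected_sig = hmac.new(device_key, client_data, hashlib.sha256).digest()
    return hmac.compare_digest(expected_sig, sig)


def relay_webauthn_attack(device_key):
    """Proxy forwards the real challenge, but the victim's browser is on PHISH_ORIGIN."""
    challenge = secrets.token_hex(16)
    client_data, sig = device_assert(device_key, challenge, PHISH_ORIGIN)
    return rp_verify(device_key, challenge, client_data, sig)   # False


def legitimate_login(device_key):
    challenge = secrets.token_hex(16)
    client_data, sig = device_assert(device_key, challenge, REAL_ORIGIN)
    return rp_verify(device_key, challenge, client_data, sig)   # True


if __name__ == "__main__":
    demo_secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"   # RFC 6238 test secret, base32
    print("relayed TOTP accepted:", relay_totp_attack(demo_secret, time.time()))
    print("relayed assertion accepted:", relay_webauthn_attack(b"device-key"))
```

The same reasoning is why push approvals without number matching are phishable too: the approval carries no information about which site the victim is on, so the real service cannot distinguish the victim's session from the proxy's.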
“People have been told they need to get rid of passwords and move to MFA, but they aren’t being told that the vast majority of MFA is easily phishable, as easy to steal or bypass as your password,” Roger Grimes, data-driven defense analyst for KnowBe4, told The Register.
Thus as well as shoring up your MFA deployment, it’s still important to give users an “education about common types of attacks and how to recognize them, prevent them, and how to appropriately report. Literally, five minutes of education would make a world of difference.”
And just as important as education and authentication defenses, you need to architect your systems and networks so that if or when someone does fall for a phish, the security breach is contained as much as possible and is detected as early as possible.
Some companies are on the ball. Microsoft, for instance, is making number matching a default feature in its Authenticator app. When a user responds to an MFA push notification, they must type into the app a number that is displayed on the sign-in screen, so an approval can only be completed by someone who can see the login attempt. Number matching will only be applied to users who have been enabled for it, according to Microsoft.
The company is also adding other features to Authenticator, including showing users which application they’re signing into and the location, based on IP address, of the device being used to sign in. If the user is in California but the device is in Europe, that should raise a big red flag, and it ought to be caught automatically by the authentication system as well.
Duo in August also introduced number matching in its Duo Push app. The feature, which is in early access and called Verified Duo Push, requires users to enter a verification code to “ensure only verified users are able to log in, and prevent someone absent-mindedly accepting a push they did not request,” Joshua Terry, product manager at Duo, wrote in a blog post.
Okta also offers organizations what it calls a “number challenge” for push notifications with its Okta Verify tool.
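The number-matching flow described for Microsoft, Duo and Okta above is the same basic exchange in each case. What follows is an added example that models it generically; it is not any of those vendors' code, and the class and message names are constructed. The server shows a two-digit number only on the sign-in screen and sends the phone a push that carries just a challenge identifier; the phone must return the number the user read off the screen. A fatigued user who taps "approve" without a number, or an attacker who never sees the victim's screen, cannot complete the challenge, each challenge gets exactly one attempt, and stale challenges expire.

```python
"""Number-matching push approval, modelled generically.

Added example: not any vendor's implementation. Names, the 60 s lifetime
and the users are constructed for the illustration.
"""
import hmac
import secrets
import time


class NumberMatchServer:
    def __init__(self, ttl_seconds=60, now=time.time):
        self.pending = {}        # challenge_id -> record
        self.ttl = ttl_seconds
        self.now = now           # injectable clock so expiry can be exercised

    def start_login(self, user):
        """Called after a correct password. Returns what each channel receives."""
        cid = secrets.token_urlsafe(16)
        number = f"{secrets.randbelow(100):02d}"   # displayed on the sign-in page only
        self.pending[cid] = {"user": user, "number": number,
                             "created": self.now(), "used": False}
        return {
            "browser": {"challenge_id": cid, "display_number": number},
            "push": {"challenge_id": cid, "user": user},   # the number is never in the push
        }

    def respond(self, challenge_id, typed_number=None):
        """Phone-side response. One attempt per challenge: a wrong guess burns it."""
        rec = self.pending.get(challenge_id)
        if rec is None or rec["used"]:
            return "rejected: unknown or already used"
        if self.now() - rec["created"] > self.ttl:
            del self.pending[challenge_id]
            return "rejected: expired"
        rec["used"] = True
        if typed_number is None:
            return "rejected: approval requires the displayed number"
        if not hmac.compare_digest(str(typed_number), rec["number"]):
            return "rejected: number mismatch"
        return "approved"


def attacker_spams(server, user, attempts=5):
    """Attacker has the password and fires repeated logins; the victim taps approve blindly."""
    outcomes = []
    for _ in range(attempts):
        msgs = server.start_login(user)
        outcomes.append(server.respond(msgs["push"]["challenge_id"]))   # no number available
    return outcomes


def legitimate_user(server, user):
    """The real user reads the number from their own sign-in screen and types it on the phone."""
    msgs = server.start_login(user)
    return server.respond(msgs["push"]["challenge_id"], msgs["browser"]["display_number"])


if __name__ == "__main__":
    s = NumberMatchServer()
    print("legitimate:", legitimate_user(s, "alice"))
    print("spam:", attacker_spams(s, "alice", 3))
```

Because a challenge allows a single attempt and has a short lifetime, a victim who does guess under pressure has a one-in-a-hundred chance per prompt and cannot retry, which is a different risk profile from a plain approve button that succeeds on any tap.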
CISA is encouraging organizations to implement phishing-resistant MFA, or at least number matching.
“Although number matching is not as strong as phishing-resistant MFA, it is one of the best interim mitigations for organizations who may not immediately be able to implement phishing-resistant MFA,” the agency wrote.
As to limiting the number of unsuccessful MFA authentication requests: Okta limits that number to five; Microsoft and Duo offer organizations the ability to implement it in their settings and adjust the number of failed attempts before the user’s account is automatically locked. With Microsoft Authenticator, enterprises also can set the number of minutes before an account lockout counter is reset.
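The lockout settings just described, and the cooling-off period and lockout policy discussed earlier in the piece, come down to one counter with three knobs: failures before lockout, how long before the counter resets, and how long the lockout lasts. Here is an added example that models that policy generically (not Microsoft's, Duo's or Okta's code; the thresholds, users and timeline are constructed) and runs it over a few constructed event sequences, including the two caveats raised above: a user who accepts before the limit is reached, and an attacker who uses the policy to keep the real user locked out.

```python
"""Lockout and cool-down policy for MFA push prompts.

Added example: a generic model of the settings described in the text
(failed attempts before lockout, minutes before the counter resets, lockout
length), not any identity provider's code. Users, times and thresholds are
constructed for the illustration.
"""
from datetime import datetime, timedelta


class MfaLockoutPolicy:
    def __init__(self, max_failures=5, reset_after=timedelta(minutes=5),
                 lockout_for=timedelta(minutes=15)):
        self.max_failures = max_failures   # denied/unanswered prompts before lockout
        self.reset_after = reset_after     # counter starts over once this much time has passed since its first failure
        self.lockout_for = lockout_for     # cool-down during which no push is sent at all
        self.state = {}                    # user -> failures, window_start, locked_until

    def on_prompt(self, user, ts, result):
        """result is 'approved', 'denied' or 'timeout'.
        Returns 'locked' (no push was sent), 'allow', 'deny' or 'lock'."""
        st = self.state.setdefault(
            user, {"failures": 0, "window_start": None, "locked_until": None})
        if st["locked_until"] is not None:
            if ts < st["locked_until"]:
                return "locked"            # neither attacker nor victim gets a prompt
            st.update(failures=0, window_start=None, locked_until=None)
        if result == "approved":
            st.update(failures=0, window_start=None)
            return "allow"
        # Open a fresh window if this is the first failure or the old window has aged out.
        if st["window_start"] is None or ts - st["window_start"] > self.reset_after:
            st["failures"], st["window_start"] = 0, ts
        st["failures"] += 1
        if st["failures"] >= self.max_failures:
            st["locked_until"] = ts + self.lockout_for
            return "lock"
        return "deny"


T0 = datetime(2022, 9, 15, 22, 0, 0)       # constructed timeline start


def run(policy, user, events):
    """events: list of (seconds after T0, result)."""
    return [policy.on_prompt(user, T0 + timedelta(seconds=s), r) for s, r in events]


def attacker_burst():
    """Five failures inside two minutes trip the lockout; the sixth attempt sends no push."""
    p = MfaLockoutPolicy()
    return run(p, "contractor1", [(0, "denied"), (30, "denied"), (60, "timeout"),
                                  (90, "denied"), (120, "denied"), (150, "denied")])


def accidental_approval():
    """First caveat from the text: the user may accept before the limit is reached."""
    p = MfaLockoutPolicy()
    return run(p, "contractor1", [(0, "denied"), (30, "denied"), (60, "approved")])


def denial_of_service():
    """Second caveat: an attacker holding the password can keep the real user locked out."""
    p = MfaLockoutPolicy()
    run(p, "alice", [(s, "denied") for s in (0, 30, 60, 90, 120)])
    return p.on_prompt("alice", T0 + timedelta(minutes=10), "approved")


def spaced_out_attempts():
    """Failures further apart than reset_after never accumulate to a lockout."""
    p = MfaLockoutPolicy(max_failures=3, reset_after=timedelta(minutes=5))
    return run(p, "bob", [(0, "denied"), (400, "denied"), (800, "denied"), (1200, "denied")])


if __name__ == "__main__":
    print("burst:", attacker_burst())
    print("early accept:", accidental_approval())
    print("victim during lockout:", denial_of_service())
    print("spaced:", spaced_out_attempts())
```

The spaced-out case is the one to watch when tuning: a patient attacker who paces attempts just beyond the reset window never triggers the lockout, so the reset interval needs to be long enough to cover the cadence a human victim could plausibly be worn down by, and the lockout itself should feed an alert rather than silently expiring.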
“At the end of the day, no model is perfect,” Tanium’s Aceves said. “As security experts, it is our responsibility to come up with controls and additional layers of defense to prevent attackers from accessing the data and resources we are tasked to protect.”
For some, passwordless is the eventual goal
For companies like Microsoft, Google, and Apple, a key step will be to get rid of passwords altogether. All three in May signed onto the common passwordless sign-in standard created by the FIDO Alliance and World Wide Web Consortium for everything from websites to apps and across devices and platforms.
However, broad adoption will take time. There are still legacy systems and applications that don’t support password-free authentication, but the eventual goal will be eliminating what has become a key weakness in the cybersecurity chain. Until then, strengthening passwords will continue to be important.
“Not all MFA is equal and cyber-awareness is critical, along with additional security controls such as privileged access management [that] can help reduce these risks, such as moving passwords into the background and ensuring each account has strong unique complex passwords,” Joseph Carson, chief security scientist and advisory CISO at Delinea, told The Register. ®