Analysis
The September cyberattack on ride-hailing service Uber began when a criminal bought the stolen credentials of a company contractor on the dark web.
The miscreant then repeatedly tried to log into the contractor’s Uber account, triggering the two-factor login approval request that the contractor initially denied, blocking access. However, eventually the contractor accepted one of many push notifications, enabling the attacker to log into the account and get access to Uber’s corporate network, systems, and data.
The app maker became the latest high-profile victim of multi-factor authentication (MFA) fatigue, an ever growing cybersecurity problem in which attackers are able to work their way around a cornerstone of modern defenses at a time when threat groups are shifting their focus away from infecting endpoints and instead are targeting identity.
Microsoft and Cisco Systems were also victims of MFA fatigue, also known as MFA spamming or MFA bombing, this year, and such attacks are rising rapidly. According to Microsoft, the number of these MFA attacks spiked between December 2021 and August. There were 22,859 Azure Active Directory Protection sessions with multiple failed MFA attempts last December. In August, there were 40,942.
A hole in MFA
MFA is among a number of security tools, such as zero-trust architectures, designed to protect enterprises from cyberthreats and the problem of employees inadvertently clicking on malicious email attachments or URLs designed to steal credentials, including the usernames and passwords needed for single-factor sign-ins. Another authentication factor is needed, ranging from fingerprint or facial recognition to a PIN or an answer to a security question.
There also are push notifications, which are prompts on a user’s mobile device if there is an attempt to use their credentials to sign into a system or account. The prompts ask for verification that the user is the one trying to sign in.
In an MFA fatigue situation, the attacker uses the stolen credentials to try to sign into a protected account over and over, overwhelming the user with push notifications. The user may initially tap on the prompt saying it isn't them trying to sign in, but eventually they wear down from the spamming and accept it just to stop their phone going off. They may assume it's a temporary glitch or an automated system causing the surge in requests.
Sometimes the attacker will pose as part of the organization’s IT staff, messaging the employee to accept the access attempt.
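The pattern just described, a burst of push prompts that the user denies or ignores and then finally approves, is visible in authentication logs. The following is an added detection example written for this article, not code from any of the vendors or organizations named; the log format, field names, the 5-minute gap and the 4-prompt threshold are assumptions, and the log lines are constructed.

```python
"""Detect MFA-fatigue (push spamming) patterns in MFA push log lines.

Added example for illustration. The line format (ts user= event= result= src=),
the session gap and the prompt threshold are assumptions, not a vendor schema.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one user receives a run of denied/timed-out pushes that
# ends in an approval; another user shows ordinary, widely spaced approvals.
SAMPLE_LOG = """\
2022-09-15T02:10:01Z user=contractor01 event=mfa_push result=denied src=203.0.113.10
2022-09-15T02:10:09Z user=contractor01 event=mfa_push result=denied src=203.0.113.10
2022-09-15T02:10:20Z user=contractor01 event=mfa_push result=timeout src=203.0.113.10
2022-09-15T02:10:35Z user=contractor01 event=mfa_push result=denied src=203.0.113.10
2022-09-15T02:11:02Z user=contractor01 event=mfa_push result=denied src=203.0.113.10
2022-09-15T02:11:40Z user=contractor01 event=mfa_push result=approved src=203.0.113.10
2022-09-15T08:00:00Z user=alice event=mfa_push result=approved src=198.51.100.7
2022-09-15T17:30:00Z user=alice event=mfa_push result=approved src=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=mfa_push "
    r"result=(?P<result>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Return (timestamp, user, result, source_ip) tuples; skip unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["result"], m["src"]))
    return events


def find_push_bursts(events, max_gap=timedelta(minutes=5), min_prompts=4):
    """Group each user's pushes into sessions (consecutive prompts no more than
    max_gap apart) and report sessions with at least min_prompts prompts.
    A session that ends in an approval after repeated non-approvals is the
    MFA-fatigue signature and is rated 'high'."""
    by_user = defaultdict(list)
    for ts, user, result, src in sorted(events):
        by_user[user].append((ts, result, src))

    findings = []
    for user, evs in by_user.items():
        session = [evs[0]]
        for ev in evs[1:] + [None]:  # None is a sentinel that closes the last session
            if ev is not None and ev[0] - session[-1][0] <= max_gap:
                session.append(ev)
                continue
            if len(session) >= min_prompts:
                unapproved = sum(1 for _, r, _ in session if r != "approved")
                ended_in_approval = session[-1][1] == "approved"
                findings.append({
                    "user": user,
                    "prompts": len(session),
                    "unapproved": unapproved,
                    "ended_in_approval": ended_in_approval,
                    "sources": sorted({s for _, _, s in session}),
                    "start": session[0][0].isoformat(),
                    "end": session[-1][0].isoformat(),
                    "severity": "high" if ended_in_approval else "medium",
                })
            if ev is not None:
                session = [ev]
    return findings


if __name__ == "__main__":
    for finding in find_push_bursts(parse_log(SAMPLE_LOG)):
        print(finding)
```

A "high" finding is the case worth paging on: the account was approved into after the user had already denied several prompts, so the session should be treated as a likely compromise rather than a user error. The source IP list is included so a responder can compare it with the user's usual locations, the same check the vendors' updated apps surface to the user.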
It’s all about human behavior
Like phishing and other attacks, MFA fatigue relies on social engineering to access the corporate network
"It's an attack method which preys on the employee to be a human," John Spiegel, director of strategy and field CTO for Axis Security, told The Register. "The intent is to get the victim to become frustrated with countless MFA requests and finally click 'approve.' We've all experienced something similar with technology. Whether it is as simple as programming the clock on a refrigerator or clicking through screens to accept all cookies to get to content we are after, we don't always validate the request. That is what the bad actor is counting on."
Threat groups run with MFA spamming
The attack is relatively simple but it’s been working for cyber-crime crews. The Yanluowang gang in May used it in an attack against Cisco and later published some of the stolen data on a dark web leak site. In March, the Lapsus$ group leaked 37GB of source code stolen from Microsoft after compromising an employee via MFA fatigue.
Then there was Uber, which put the blame on Lapsus$.
In a report updated in May, Google-owned Mandiant pointed to a couple of Russian teams using MFA spamming in their attacks. The threat also has caught the government’s attention. The US Cybersecurity and Infrastructure Security Agency (CISA) this week posted fact sheets highlighting the threats to MFA and how organizations can protect themselves.
“It’s a huge threat because it bypasses the security measures put in place by an organization, including one of the most effective, which is MFA,” Sami Elhini, biometrics specialist at Cerberus Sentinel, told The Register. “Enterprises need to pay attention to this, because like phishing, MFA fatigue is a form of social engineering.”
Enterprises relying more on MFA, zero trust
The attacks on MFA come as businesses, with the COVID-19 pandemic lifting, are adopting cloud-first and zero-trust models, which often rely on MFA to protect data and applications, Stephanie Aceves, senior director of product management at Tanium, told The Register.
“MFA fatigue poses a serious threat to organizations because it is a fairly trivial way for a patient attacker to gain access to private company resources,” Aceves said, noting that it targets the most significant risk to enterprises – people who can be manipulated.
Given this, what can enterprises do to protect themselves from MFA spamming attacks? As with other forms of social engineering, educating employees about the threat is important.
“People have been told they need to get rid of passwords and move to MFA, but they aren’t being told that the vast majority of MFA is easily phishable, as easy to steal or bypass as your password,” Roger Grimes, data-driven defense analyst for KnowBe4, told The Register. “All MFA users think they are far harder to attack than if they were using a password and this simply is not true.”
Compounding this, users have not been given the least bit of "education about common types of attacks and how to recognize them, prevent them, and how to appropriately report. Literally, five minutes of education would make a world of difference."
Patrick Tiquet, vice president of security and architecture at Keeper Security, told The Register that organizations must recognize that not all MFA methods are susceptible to MFA fatigue attacks. Those that use push, SMS, or email are, and they are also less secure because they can be intercepted by a third party.
“MFA methods such as U2F [Universal 2 Factor], FIDO [Fast ID Online], WebAuthn, PIV/CAC, or time-based tokens are immune to MFA fatigue. Organizations should implement these MFA methods, where possible, to defend against MFA fatigue,” Tiquet said.
Number matching, request limits can help
Companies like Microsoft are taking steps too. Redmond, for instance, is making number matching a default feature in its Authenticator app. This requires a user who responds to an MFA push notification using the tool to type in a number that appears on their device’s screen to approve a login. The number will only be sent to users who have been enabled for number matching, according to Microsoft.
They’re also adding other features to Authenticator, including showing users what application they’re signing into and the location of the device, based on its IP address, that is being used for signing in. If the user is in California but the device is in Europe, that should raise a big red flag.
Duo in August also introduced number matching in its Duo Push app. The feature, which is in early access and called Verified Duo Push, requires users to enter a verification code to “ensure only verified users are able to log in, and prevent someone absent-mindedly accepting a push they did not request,” Joshua Terry, product manager at Duo, wrote in a blog post.
Okta also offers organizations what it calls a “number challenge” for push notifications with its Okta Verify tool.
CISA is encouraging organizations to implement phishing-resistant MFA or, at a minimum, number matching.
“Although number matching is not as strong as phishing-resistant MFA, it is one of the best interim mitigations for organizations who may not immediately be able to implement phishing-resistant MFA,” the agency wrote.
Limiting the number of unsuccessful MFA authentication requests is another option. Okta limits that number to five; Microsoft and Duo offer organizations the ability to implement it in their settings and adjust the number of failed attempts before the user’s account is automatically locked. With Microsoft Authenticator, enterprises also can set the number of minutes before an account lockout counter is reset.
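The two mitigations described above, number matching and a capped, resettable failed-attempt counter, are small pieces of server-side logic. The following is an added sketch written for this article, not the implementation of Microsoft, Duo, Okta or any other vendor; the class names, the 2-digit challenge, the 60-second challenge lifetime, the five-failure cap, the 10-minute reset window and the 30-minute lockout are assumptions chosen to mirror the numbers the article mentions.

```python
"""Number matching and MFA lockout counters, as an added illustration.

Assumptions (not any vendor's real behaviour): 2-digit challenges valid for
60 seconds, lockout after 5 failed attempts within a 10-minute window, and a
30-minute lockout period.
"""
import secrets
from datetime import datetime, timedelta


class NumberMatchChallenge:
    """The sign-in screen shows a number that the authenticator app must echo
    back. A blind 'approve' tap cannot succeed, because the number is on the
    attacker's sign-in screen, not on the victim's phone."""

    def __init__(self, digits=2, ttl=timedelta(seconds=60)):
        self.digits = digits
        self.ttl = ttl
        self.pending = {}  # request_id -> (expected_number, expires_at)

    def issue(self, request_id, now):
        """Create a challenge for one sign-in request; return the number to display."""
        number = secrets.randbelow(10 ** self.digits)
        self.pending[request_id] = (number, now + self.ttl)
        return number

    def verify(self, request_id, entered, now):
        """Accept the approval only if the entered number matches, the challenge
        has not expired, and it has not already been consumed (single use)."""
        entry = self.pending.pop(request_id, None)
        if entry is None:
            return False
        expected, expires_at = entry
        if now > expires_at:
            return False
        width = self.digits
        return secrets.compare_digest(str(expected).zfill(width), str(entered).zfill(width))


class MfaLockoutPolicy:
    """Count failed or denied MFA attempts per account. Reaching max_failed
    within reset_window locks the account for `lockout`; a quiet period
    longer than reset_window resets the counter, as the article describes
    for Microsoft's 'minutes before the lockout counter is reset' setting."""

    def __init__(self, max_failed=5, reset_window=timedelta(minutes=10),
                 lockout=timedelta(minutes=30)):
        self.max_failed = max_failed
        self.reset_window = reset_window
        self.lockout = lockout
        self.state = {}  # user -> {"failed", "window_start", "locked_until"}

    def is_locked(self, user, now):
        st = self.state.get(user)
        return st is not None and st["locked_until"] is not None and now < st["locked_until"]

    def should_send_push(self, user, now):
        """A locked account gets no further prompts, which is what stops the spam."""
        return not self.is_locked(user, now)

    def record_failure(self, user, now):
        """Register one failed/denied attempt; return True if the account is now locked."""
        st = self.state.setdefault(
            user, {"failed": 0, "window_start": now, "locked_until": None})
        if now - st["window_start"] > self.reset_window:
            st["failed"], st["window_start"] = 0, now  # counter reset
        st["failed"] += 1
        if st["failed"] >= self.max_failed:
            st["locked_until"] = now + self.lockout
        return self.is_locked(user, now)

    def record_success(self, user):
        """A verified sign-in clears the counter."""
        self.state.pop(user, None)


def simulate_spam(attempts=8, spacing=timedelta(seconds=10)):
    """Send `attempts` failed pushes `spacing` apart; return the 1-based attempt
    at which the account locked, or None if it never did."""
    policy = MfaLockoutPolicy()
    t0 = datetime(2022, 9, 15, 2, 10)  # constructed timestamp
    for i in range(attempts):
        now = t0 + spacing * i
        if not policy.should_send_push("contractor01", now):
            break
        if policy.record_failure("contractor01", now):
            return i + 1
    return None


if __name__ == "__main__":
    print("locked at attempt:", simulate_spam())
```

The two controls compose: the lockout counter stops the stream of prompts after a handful of denials, and number matching removes the one-tap failure mode for the prompts that do get through. Neither is phishing-resistant MFA, which is why CISA calls number matching an interim mitigation.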
“At the end of the day, no model is perfect,” Tanium’s Aceves said. “As security experts, it is our responsibility to come up with controls and additional layers of defense to prevent attackers from accessing the data and resources we are tasked to protect.”
For some, passwordless is the eventual goal
For companies like Microsoft, Google, and Apple, a key step will be to get rid of passwords altogether. All three in May signed onto the common passwordless sign-in standard created by the FIDO Alliance and World Wide Web Consortium for everything from websites to apps and across devices and platforms.
However, broad adoption will take time. There are still legacy systems and applications that don’t support password-free authentication, but the eventual goal will be eliminating what has become a key weakness in the cybersecurity chain. Until then, strengthening passwords will continue to be important.
"Not all MFA is equal and cyber-awareness is critical, along with additional security controls such as privileged access management [that] can help reduce these risks, such as moving passwords into the background and ensuring each account has strong unique complex passwords," Joseph Carson, chief security scientist and advisory CISO at Delinea, told The Register.