Multi-factor authentication (MFA) is a core defense and among the most effective at preventing account takeover. Besides a username and password, MFA requires users to present an additional factor, be it a fingerprint, a physical security key, or a one-time password, before they can access an account. Nothing in this article should be taken to mean that MFA is anything less than essential.
That said, some forms of MFA are stronger than others, and recent events show that the weaker forms are not much of an obstacle for some hackers to overcome. In recent months, suspected script kiddies like the Lapsus$ data extortion gang and elite Russian state threat actors (like Cozy Bear, the group behind the SolarWinds hack) have successfully defeated the protection.
Enter MFA prompt bombing
The strongest forms of MFA are based on a framework called FIDO2, which was developed by a consortium of companies that balanced the needs of security and ease of use. It gives users the option of using fingerprint readers or cameras embedded in their devices, or dedicated security keys, to confirm that they are authorized to access an account. FIDO2 forms of MFA are relatively new, so many services for both consumers and large organizations have yet to adopt them.
That’s where the older and weaker forms of MFA come in. They include one-time passwords sent via SMS or generated by mobile apps like Google Authenticator, or push notifications sent to a mobile device. When someone logs in with a valid password, they must also enter the one-time password in a field on the login screen or press a button displayed on their phone screen.
It is this latter form of authentication that, according to recent reports, is being bypassed. One group using this technique, according to security firm Mandiant, is Cozy Bear, a gang of elite hackers working for the Russian Foreign Intelligence Service. The group is also known by the names Nobelium, APT29 and the Dukes.
“Many MFA providers allow users to accept a push notification from the phone app or receive a phone call and press a key as a second factor,” the Mandiant researchers wrote. “The [Nobelium] threat actor took advantage of this and issued multiple MFA requests to the end user’s legitimate device until the user accepted the authentication, allowing the threat actor to eventually gain account access.”
Lapsus$, a hacking gang that has breached Microsoft, Okta, and Nvidia in recent months, has also used the technique.
“There is no limit to the number of calls that can be made,” a Lapsus$ member wrote on the group’s official Telegram channel. “Call the employee 100 times at 1am while he’s trying to sleep and he’ll most likely take it. Once the employee accepts the initial call, they can access the MFA enrollment portal and enroll another device.”
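The “no limit” remark above names the missing control exactly: nothing stops the prompts from coming. The following is an added illustrative example, not code from Microsoft, Okta or any other party mentioned in the article. It is a constructed Python model of a server-side cap on MFA push prompts: once a user has been prompted a few times inside a short window, further prompts are refused, the account enters a cooling-off period, and an alert is recorded for the security team. The class name, thresholds and the `simulate_burst` driver are all assumptions made for the example.

```python
"""Server-side cap on outstanding MFA push prompts (added illustrative example).

Constructed example, not code from any vendor or organisation named in the
article. It models the control whose absence the quoted "no limit" remark
depends on: after a small number of prompts to one user inside a short window,
refuse to send more, hold the account in a cooling-off period and raise an
alert for the security team instead of letting the prompts keep coming.
"""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class PushThrottle:
    max_prompts: int = 3        # prompts allowed per user in one sliding window
    window_s: float = 300.0     # window length in seconds
    lockout_s: float = 1800.0   # cooling-off period once the cap is hit
    _prompts: dict = field(default_factory=lambda: defaultdict(deque))
    _locked_until: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)

    def request_prompt(self, user: str, now: float) -> tuple[bool, str]:
        """Return (allowed, reason) for sending one more push prompt to `user`."""
        locked = self._locked_until.get(user, 0.0)
        if now < locked:
            return False, f"locked out for another {int(locked - now)}s"
        recent = self._prompts[user]
        while recent and now - recent[0] > self.window_s:
            recent.popleft()             # drop prompts that fell out of the window
        if len(recent) >= self.max_prompts:
            self._locked_until[user] = now + self.lockout_s
            recent.clear()
            self.alerts.append((user, now))  # the SOC should look at this account
            return False, "prompt cap reached; account cooling off"
        recent.append(now)
        return True, "prompt sent"

    def record_outcome(self, user: str, approved: bool) -> None:
        """An approval closes the episode; a denial keeps counting toward the cap."""
        if approved:
            self._prompts[user].clear()


def simulate_burst(attempts: int, spacing_s: float, user: str = "alice") -> dict:
    """Replay a constructed flood of prompts against a fresh throttle."""
    throttle = PushThrottle()
    sent = blocked = 0
    for i in range(attempts):
        allowed, _ = throttle.request_prompt(user, i * spacing_s)
        sent += allowed
        blocked += not allowed
    return {"sent": sent, "blocked": blocked, "alerts": len(throttle.alerts)}


if __name__ == "__main__":
    # 100 prompts, one every 10 seconds: only the first three reach the phone.
    print(simulate_burst(100, 10))
```

The point of the design is that the cap triggers on prompts issued, not on the user’s answers, so the attacker cannot keep the flood going by waiting for timeouts, and each lockout produces an alert rather than silently failing.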
The Lapsus$ member claimed that the MFA prompt bombing technique was effective against Microsoft, which said earlier this week that the hacking group had been able to access the laptop of one of its employees.
“Even Microsoft!” the person wrote. “I was able to log into the Microsoft VPN of an employee from Germany and the US at the same time and he didn’t even seem to notice. I was also able to re-enroll in MFA twice.”
Mike Grover, a seller of red-team hacking tools for security professionals and a red-team consultant who uses the Twitter handle _MG_, told Ars that the technique is “fundamentally a single method that takes many forms: tricking the user into acknowledging an MFA request. ‘MFA bombing’ has quickly become a descriptor, but this misses the more stealthy methods.” Methods include:
- Sending out a bunch of MFA requests and hoping the target finally accepts one to stop the noise.
- Sending one or two prompts per day. This method often draws less attention, but “there’s still a good chance the target will accept the MFA request.”
- Calling the target, pretending to be part of the company, and telling the target that they must submit an MFA request as part of a company process.
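The three variants above leave different traces in authentication logs: a burst of prompts in minutes, a drip of one rejected prompt a day, and in either case an approval that follows rejections, sometimes followed by a new MFA device being enrolled (as the Lapsus$ member described). The following is an added example, not code from Mandiant, Ars or anyone quoted in the article: constructed Python detection logic that runs over constructed log lines. The log format, field names, event names and thresholds are assumptions made for the example, not any vendor’s schema.

```python
"""Detection logic for MFA push fatigue patterns (added illustrative example).

Runs over constructed, line-oriented authentication log records; the format,
field names and thresholds are assumptions for this example, not a vendor schema.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) user=(?P<user>\S+) "
    r"event=(?P<event>\S+)(?: result=(?P<result>\S+))?"
)
REJECTED = {"denied", "timeout"}

# Constructed sample: alice is bombed and gives in, then a new device is enrolled;
# bob gets one stray prompt a day (the low-and-slow variant); carol is normal.
SAMPLE_LOG = """\
2022-03-22T01:00:05Z user=alice event=mfa_push result=denied
2022-03-22T01:00:41Z user=alice event=mfa_push result=timeout
2022-03-22T01:01:30Z user=alice event=mfa_push result=denied
2022-03-22T01:02:12Z user=alice event=mfa_push result=denied
2022-03-22T01:03:00Z user=alice event=mfa_push result=timeout
2022-03-22T01:05:47Z user=alice event=mfa_push result=approved
2022-03-22T01:14:09Z user=alice event=mfa_enroll result=success
2022-03-20T09:12:00Z user=bob event=mfa_push result=denied
2022-03-21T14:03:00Z user=bob event=mfa_push result=denied
2022-03-22T11:47:00Z user=bob event=mfa_push result=denied
2022-03-23T08:30:00Z user=bob event=mfa_push result=denied
2022-03-22T08:59:00Z user=carol event=mfa_push result=approved
""".splitlines()


def parse(lines: list[str]) -> dict[str, list[tuple[datetime, str, str]]]:
    """Group (timestamp, event, result) records per user, sorted by time."""
    by_user: dict[str, list[tuple[datetime, str, str]]] = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that does not fit the assumed format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        by_user[m["user"]].append((ts, m["event"], m["result"] or ""))
    for evs in by_user.values():
        evs.sort()
    return by_user


def detect(lines: list[str], burst_n: int = 5,
           burst_window: timedelta = timedelta(minutes=10),
           denials_before_approve: int = 2, drip_days: int = 3,
           drip_window: timedelta = timedelta(days=7),
           enroll_window: timedelta = timedelta(minutes=30)) -> list[tuple[str, str]]:
    """Return sorted (user, rule) findings for the four patterns described in the text."""
    findings: list[tuple[str, str]] = []
    for user, evs in parse(lines).items():
        pushes = [(ts, res) for ts, ev, res in evs if ev == "mfa_push"]
        enrolls = [ts for ts, ev, _ in evs if ev == "mfa_enroll"]

        # Rule 1: many prompts inside one short window, whatever the outcomes.
        for i, (start, _) in enumerate(pushes):
            if sum(1 for ts, _ in pushes[i:] if ts - start <= burst_window) >= burst_n:
                findings.append((user, "push_burst"))
                break

        # Rule 2: an approval that follows repeated rejections (the user gave in).
        suspicious_approvals = []
        for i, (ts, res) in enumerate(pushes):
            if res != "approved":
                continue
            rejected = sum(1 for t0, r0 in pushes[:i]
                           if r0 in REJECTED and ts - t0 <= burst_window)
            if rejected >= denials_before_approve:
                suspicious_approvals.append(ts)
        if suspicious_approvals:
            findings.append((user, "approve_after_denials"))

        # Rule 3: a new MFA device enrolled shortly after such an approval.
        if any(timedelta(0) <= e - a <= enroll_window
               for a in suspicious_approvals for e in enrolls):
            findings.append((user, "enroll_after_suspicious_approval"))

        # Rule 4: low-and-slow drip of rejected prompts on several different days.
        rejected_days = sorted({ts.date() for ts, res in pushes if res in REJECTED})
        for i, d0 in enumerate(rejected_days):
            if sum(1 for d in rejected_days[i:] if d - d0 <= drip_window) >= drip_days:
                findings.append((user, "slow_drip"))
                break
    return sorted(findings)


if __name__ == "__main__":
    for user, rule in detect(SAMPLE_LOG):
        print(f"{user}: {rule}")
```

Rule 4 counts distinct days rather than raw prompts so that the one-or-two-a-day variant is caught without being confused with a burst, and rule 3 deliberately keys on the approval flagged by rule 2 rather than on enrollment alone, since ordinary users enroll new phones too.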
“Those are just a few examples,” Grover said, “but it’s important to know that mass bombing is NOT the only form this takes.”
In a Twitter thread, he wrote: “Red teams have been playing with variants of this for years. It has helped companies that are lucky enough to have a red team. But real-world attackers are moving on this faster than the collective posture of most companies has improved.”
Want some techniques that many red teams have been using to bypass MFA account protections? Yes, even “non-phishing” versions.
I’m sharing so you can think about what is coming, how you will handle mitigations, etc. It’s being seen more in the wild these days.
– _MG_ (@_MG_) March 23, 2022
Other researchers were quick to point out that the MFA prompt bombing technique is not new.
“Lapsus$ didn’t invent ‘MFA prompt bombing,’” Greg Linares, a red team pro, tweeted. “Please stop crediting them… with creating it. This attack vector has been a thing used in real world attacks 2 years before Lapsus$ was a thing.”
Lapsus$ did not invent ‘MFA prompt bombing’, please stop giving them credit for creating it.
This attack vector has been a thing used in real world attacks 2 years before Lapsus$ was a thing.
— Greg Linares (@Laughing_Mantis) March 25, 2022