
A sinister way to defeat multi-factor authentication is on the rise


Multi-factor authentication (MFA) is a core defense that is among the most effective at preventing account takeovers. In addition to requiring the user to provide a username and password, MFA ensures that they also present an additional factor — be it a fingerprint, a physical security key, or a one-time password — before they can access the account. Nothing in this article should be construed as MFA being anything other than essential.

That said, some forms of MFA are stronger than others, and recent events suggest that the weaker forms aren’t much of an obstacle for some hackers. In the past few months, suspected script kiddies like the Lapsus$ data extortion gang and elite Russian state threat actors (like Cozy Bear, the group behind the SolarWinds hack) have both successfully defeated the protection.

Enter MFA Prompt Bombing

The strongest forms of MFA are based on a framework known as FIDO2, developed by a consortium of companies to strike a balance between security and simplicity of use. It gives users the option of using their device’s built-in camera or fingerprint reader, or a dedicated security key, to confirm that they are authorized to access the account. The FIDO2 forms of MFA are relatively new, and many services for both consumers and large organizations have yet to adopt them.

That’s where the older, weaker forms of MFA come in. These include one-time passwords sent via SMS or generated by mobile apps like Google Authenticator, and push prompts sent to mobile devices. When someone logs in with a valid password, they must also enter a one-time password in a field on the login screen or press a button displayed on their phone screen.

It is this last form of authentication that recent reports say is being bypassed. One group using this technique, according to the security firm Mandiant, is Cozy Bear, an elite group of hackers working for Russia’s Foreign Intelligence Service. The group is also known as Nobelium, APT29 and the Dukes.

“Many MFA vendors allow users to accept phone app push notifications or receive calls and keypresses as a second factor,” the Mandiant researchers wrote. “The [Nobelium] threat actor took advantage of this and made multiple MFA requests to the end user’s legitimate device until the user accepted the authentication, allowing the threat actor to finally gain access to the account.”

Lapsus$, a hacking gang that has breached Microsoft, Okta and Nvidia in recent months, has also used this technique.

“There is no limit to the number of calls that can be made,” wrote one Lapsus$ member on the group’s official Telegram channel. “Call the employee 100 times at 1 a.m. when he’s trying to sleep, and he’ll most likely accept. Once the agent accepts the initial call, you can go to the MFA registration portal and register another device.”

The Lapsus$ member claimed that the MFA prompt bombing technique was effective against Microsoft, which said earlier this week that the hacking group was able to gain access to the laptop of one of its employees.

“Even Microsoft!” the person wrote. “It is possible to log into an employee’s Microsoft VPN from Germany and the US at the same time and they don’t even realize it. It is also possible to reapply for the MFA twice.”

Mike Grover, who sells red-team hacking tools to security professionals and is a red-team consultant who goes by _MG_ on Twitter, told Ars that the technique is “basically a single method that comes in many forms: tricking the user into confirming an MFA request. ‘MFA Bombing’ quickly became a descriptor, but this misses out on more stealthy methods.”
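The two descriptions above (Mandiant’s “multiple MFA requests … until the user accepted” and the Lapsus$ member’s “no limit to the number of calls”) both point at the same defensive gap: push-based MFA that neither counts nor caps prompts per account. The following is an added example written for this article, not code from Ars, Mandiant or any MFA vendor. It assumes a hypothetical push-event log format (timestamp, user, result) with constructed sample lines, and shows two things a defender can do with such events: flag a burst of prompts to one account that ends in an approval after repeated refusals, and throttle how many prompts one account can receive inside a window.

```python
"""Detecting and throttling MFA prompt bombing over push-notification events."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample events in a hypothetical format (not real IdP logs):
#   <ISO timestamp> <user> <result>   with result = APPROVED, DENIED or TIMEOUT
# "bob" receives six prompts in three minutes at 1 a.m. and finally accepts;
# "carol" shows ordinary daytime logins, including one accidental deny.
SAMPLE_EVENTS = """\
2022-03-22T01:00:05Z bob DENIED
2022-03-22T01:00:41Z bob TIMEOUT
2022-03-22T01:01:17Z bob DENIED
2022-03-22T01:01:55Z bob TIMEOUT
2022-03-22T01:02:30Z bob DENIED
2022-03-22T01:03:02Z bob APPROVED
2022-03-22T09:15:00Z carol APPROVED
2022-03-22T13:20:00Z carol DENIED
2022-03-22T13:21:10Z carol APPROVED
"""

WINDOW = timedelta(minutes=10)  # per-user look-back window (assumed tuning value)
PROMPT_THRESHOLD = 5            # prompts inside the window that count as bombing


def parse_events(text):
    """Turn the log text into (timestamp, user, result) tuples in time order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result = line.split()
        stamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((stamp, user, result))
    return sorted(events)


def detect_prompt_bombing(events, window=WINDOW, threshold=PROMPT_THRESHOLD):
    """Return one alert per user whose prompt count inside `window` reaches `threshold`.

    The alert is refreshed on every later event in the burst, so the returned
    record reflects how the burst ended. `approved_after_refusals` is True when
    the last prompt was accepted after a run of denials/timeouts, which is the
    pattern Mandiant described.
    """
    recent = defaultdict(deque)  # user -> deque of (timestamp, result) still in window
    alerts = {}
    for ts, user, result in events:
        q = recent[user]
        q.append((ts, result))
        while q and ts - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold:
            refusals = sum(1 for _, r in q if r != "APPROVED")
            alerts[user] = {
                "user": user,
                "prompts_in_window": len(q),
                "window_start": q[0][0],
                "window_end": ts,
                "approved_after_refusals": result == "APPROVED" and refusals >= threshold - 1,
            }
    return list(alerts.values())


class PushRateLimiter:
    """Caps how many push prompts one account can be sent per window.

    This closes the "no limit to the number of calls" gap: after `max_prompts`
    the IdP should stop sending pushes and fall back to a stronger factor.
    """

    def __init__(self, max_prompts=3, window=WINDOW):
        self.max_prompts = max_prompts
        self.window = window
        self._sent = defaultdict(deque)  # user -> timestamps of prompts sent in window

    def allow(self, user, now):
        q = self._sent[user]
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.max_prompts:
            return False
        q.append(now)
        return True


def simulate_throttle(events, max_prompts=3):
    """Replay events through the limiter; return prompts actually sent per user."""
    limiter = PushRateLimiter(max_prompts)
    sent = defaultdict(int)
    for ts, user, _ in events:
        if limiter.allow(user, ts):
            sent[user] += 1
    return dict(sent)


if __name__ == "__main__":
    parsed = parse_events(SAMPLE_EVENTS)
    for alert in detect_prompt_bombing(parsed):
        print(alert)
    print(simulate_throttle(parsed))
```

With the constructed input, only bob is flagged (six prompts in the window, ending in an approval after five refusals), and the limiter would have sent him just three of those six pushes; carol’s spread-out logins are untouched by either check. In a real deployment the thresholds are tuned to the organization’s baseline, and the detection is most useful when joined with sign-in context such as source location and time of day.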
