Credential compromise has been a leading cause of network security breaches for years, which has pushed more organizations to adopt multi-factor authentication (MFA) as a defense. Enabling MFA for all accounts is strongly recommended, but the implementation details matter, because attackers are finding ways around it.
One of the most popular is to bombard an employee whose credentials have been compromised with MFA push requests until, out of frustration, they approve one in their authenticator app. It is a simple but effective technique known as MFA fatigue (also called push bombing), and it was used in the recent Uber breach.
Uber, LAPSUS$ and past breaches
Uber suffered a security breach last week when a hacker gained access to some of its internal systems, including G Suite, Slack, OpenDNS and its HackerOne bug bounty program. As details of the attack emerged, some security researchers spoke with the hacker, who seemed eager to take credit and share some of the details of how the attack was carried out.
In a conversation shared on Twitter by security researcher Kevin Beaumont, the hacker said, “I was spamming [an] employee with push authentication for more than an hour. I then contacted him on WhatsApp and claimed to be from Uber IT. I told him that if he wants it to stop, he must accept it. And well, he accepted and I added my device.”
Uber has since partially confirmed this information, saying in a security incident update that the victim was a third-party Uber contractor who had his Uber credentials stolen after his device was infected with malware. The company believes that the hacker likely purchased the credentials from the dark web and initiated the MFA fatigue attack.
“The attacker repeatedly tried to log into the contractor’s Uber account,” the company said. “Each time, the contractor received a two-factor login approval request, which initially blocked access. However, eventually the contractor accepted one, and the attacker successfully logged in.”
Uber also believes the attacker is associated with the extortion group LAPSUS$, which has been responsible for breaches at several tech companies this year, including Microsoft, Cisco, Samsung, Nvidia and Okta. In March 2022, London police arrested seven people between the ages of 16 and 21 for their alleged involvement with the group, and while LAPSUS$ activity has slowed since then, many researchers believe the group could have more branches and members.
Uber said that LAPSUS$ has used similar techniques against its previous victims. In fact, the Okta breach claimed by LAPSUS$ was achieved by targeting a support engineer who worked for a third-party technical support provider called Sykes Enterprises, a subsidiary of Sitel. The incident was detected when the attackers tried to add a new authentication factor to the engineer’s account from a new location and the request was rejected. While it is unclear whether MFA fatigue was attempted in that case, Telegram screenshots show LAPSUS$ members discussing the technique.
“Login with smart card doesn’t have MFA,” one member tells another. “Login with password will issue MFA via phone call or authenticator app. However, there is no limit on the number of calls that can be made. Call the employee 100 times at 1am while trying to sleep and they will most likely accept it. Once the employee accepts the initial call, they can access the MFA enrollment portal and enroll another device.”
“Even Microsoft!” says another user. “I was able to log into the Microsoft VPN of an employee from Germany and the US at the same time and they didn’t even seem to notice. I was also able to re-enroll MFA twice.”
How MFA fatigue exploits the human factor
Like other social engineering attacks, MFA spamming relies on users’ lack of training and understanding of attack vectors. Getting MFA right is a balancing act. Strict policies that invalidate sessions often lead to frequent MFA prompts, and employees tire of them or see them as overkill, just one more thing to click to get back to work. Then, when an attacker floods them with push notifications, they may assume the already annoying system is misbehaving and approve the prompt, as they have done many times before.
“Many MFA users are not familiar with this type of attack and would not understand that they are endorsing a fraudulent notification,” researchers at security firm GoSecure said in a blog post earlier this year. “Others just want it to go away and just don’t know what they’re doing as they approve similar notifications all the time. They can’t see through ‘notification overload’ to detect the threat.”
On the other hand, if MFA policies are too lax, with long-lived authenticated sessions, no re-prompt when the IP address changes and no warning on new MFA device enrollments, organizations risk getting no alert when, for example, an authentication token that has already passed MFA verification is stolen. While Okta was temporarily compromised, there is something positive to be learned from the incident: some of the company’s MFA policies worked, and an alert was triggered when the hackers attempted to enroll a new MFA device on the account.
How to Mitigate MFA Fatigue Attacks
Organizations must train their employees to recognize these attacks and implement technical controls to reduce the potential for MFA abuse. Restricting the available MFA methods, rate-limiting MFA requests per account, and detecting location changes for authenticated users mitigate some of this risk. Where an authentication provider does not offer these controls, customers should request them.
“Seeing an increasing amount of MFA push notification abuse,” Steve Elovitz, an incident responder with Mandiant, said on Twitter in February. “Attackers just spam it until users approve it. Suggest disabling pro-pin push, or something like @Yubico for simplicity. In the meantime, alert on volume of push attempts per account.”
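The controls discussed above, rate limits on prompts per account and Elovitz’s advice to alert on push volume per account, can be expressed as a small detection rule. The following Python is an added example written for this article, not code from Uber, Okta, Mandiant or any identity provider. The JSON-lines log schema and its field names (`ts`, `user`, `event`, `ip`), the event names, and the thresholds are assumptions, and the sample lines are constructed rather than real logs. It flags a burst of prompts to one account, an approval that arrives after such a burst, and a new MFA device enrolled shortly after that approval, which is the sequence the LAPSUS$ messages describe.

```python
"""Detect MFA push-bombing patterns in authentication logs (added example)."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Tunables (assumptions for illustration; tune to your own prompt rates).
WINDOW = timedelta(minutes=10)        # sliding window for counting prompts
BURST_THRESHOLD = 5                   # prompts per window that count as spamming
ENROLL_GRACE = timedelta(minutes=30)  # enrollment this soon after a suspect approval is flagged

# Constructed sample log (not real data). contractor1 receives seven prompts in
# about six minutes, approves the last one, then enrolls a new device. alice is
# a normal login: one prompt, one approval.
SAMPLE_LOG = """\
{"ts": "2022-09-15T01:00:05Z", "user": "contractor1", "event": "mfa.push.sent", "ip": "203.0.113.7"}
{"ts": "2022-09-15T01:00:40Z", "user": "contractor1", "event": "mfa.push.denied", "ip": "203.0.113.7"}
{"ts": "2022-09-15T01:01:10Z", "user": "contractor1", "event": "mfa.push.sent", "ip": "203.0.113.7"}
{"ts": "2022-09-15T01:02:15Z", "user": "contractor1", "event": "mfa.push.sent", "ip": "203.0.113.7"}
{"ts": "2022-09-15T01:03:20Z", "user": "contractor1", "event": "mfa.push.sent", "ip": "203.0.113.7"}
{"ts": "2022-09-15T01:04:25Z", "user": "contractor1", "event": "mfa.push.sent", "ip": "203.0.113.7"}
{"ts": "2022-09-15T01:05:30Z", "user": "contractor1", "event": "mfa.push.sent", "ip": "203.0.113.7"}
{"ts": "2022-09-15T01:06:35Z", "user": "contractor1", "event": "mfa.push.sent", "ip": "203.0.113.7"}
{"ts": "2022-09-15T01:07:00Z", "user": "contractor1", "event": "mfa.push.approved", "ip": "203.0.113.7"}
{"ts": "2022-09-15T01:08:30Z", "user": "contractor1", "event": "mfa.device.enrolled", "ip": "203.0.113.7"}
{"ts": "2022-09-15T09:12:00Z", "user": "alice", "event": "mfa.push.sent", "ip": "198.51.100.20"}
{"ts": "2022-09-15T09:12:09Z", "user": "alice", "event": "mfa.push.approved", "ip": "198.51.100.20"}
"""


def parse_log(text):
    """Parse JSON-lines log text into event dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def detect_push_fatigue(events):
    """Return alert dicts for push-bombing patterns, in the order they fire."""
    pushes = defaultdict(deque)   # user -> timestamps of prompts inside WINDOW
    suspect_approval = {}         # user -> time of an approval that followed a burst
    alerts = []

    for rec in events:
        user, ts, kind, ip = rec["user"], rec["ts"], rec["event"], rec.get("ip")
        q = pushes[user]
        while q and ts - q[0] > WINDOW:   # slide the window forward
            q.popleft()

        if kind == "mfa.push.sent":
            q.append(ts)
            if len(q) == BURST_THRESHOLD:  # fire once when the threshold is crossed
                alerts.append({"kind": "push_burst", "user": user, "ts": ts,
                               "count": len(q), "ip": ip})

        elif kind == "mfa.push.approved":
            # The dangerous case: an approval after the account was spammed.
            if len(q) >= BURST_THRESHOLD:
                suspect_approval[user] = ts
                alerts.append({"kind": "approval_after_burst", "user": user, "ts": ts,
                               "count": len(q), "ip": ip})

        elif kind == "mfa.device.enrolled":
            # Attackers enroll their own factor right after the coerced approval.
            prior = suspect_approval.get(user)
            if prior is not None and ts - prior <= ENROLL_GRACE:
                alerts.append({"kind": "enrollment_after_burst_approval", "user": user,
                               "ts": ts, "count": len(q), "ip": ip})
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(parse_log(SAMPLE_LOG)):
        print(f'{alert["ts"].isoformat()} {alert["user"]:12} {alert["kind"]} (prompts in window: {alert["count"]})')
```

The `push_burst` alert is the one to page on during the attack, before the victim gives in; `approval_after_burst` and `enrollment_after_burst_approval` are the signals that the account is already compromised and the session plus any new factor should be revoked. Real identity provider exports use different event names and field layouts, so the parser and the three event strings must be mapped to whatever your IdP actually emits.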
“@Yubico” refers to YubiKey hardware security keys, small USB or NFC tokens that implement the FIDO2/WebAuthn protocol. The key signs a login challenge that is bound to the site’s origin, and the private key never leaves the device, so there is no code or prompt for an attacker to coax out of the user. Following the Uber breach, Elovitz clarified that one-time passwords (OTPs) are far from an ideal second factor but are better than push, and that FIDO2-compliant implementations are clearly the best option.
Beaumont has also echoed the advice to disable MFA push notifications, and advises Azure AD and Office 365 customers to enable Microsoft’s new “number matching” option for Microsoft Authenticator. Number matching, added this year, displays a number on the sign-in page that the user must type into their authenticator app to approve the request. This is the reverse of the OTP flow, where the user types a code generated by the app into the sign-in page. It is much harder to abuse than a push notification the user simply taps “Yes” on, or, even worse, a phone call in the middle of the night of the kind the LAPSUS$ members suggested, because a victim who did not start the sign-in has no number in front of them to type.
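To make concrete why number matching resists push bombing, here is an added example (not Microsoft’s or any vendor’s code) modelling an identity provider that issues push challenges under two policies, plain push and number matching, and a simulated fatigue attack against each. The class and function names (`PushIdP`, `simulate_fatigue`), the two-digit number and the 60-second challenge lifetime are assumptions chosen for illustration.

```python
"""Plain push vs. number matching under a push-bombing attack (added example)."""
import secrets
import time


class PushIdP:
    """Toy identity provider. A challenge is created when someone who knows the
    password submits it; the authenticator app then answers the challenge.
    Under plain push any tap approves; under number matching the app must send
    back the number the sign-in page showed to whoever started the login."""

    def __init__(self, ttl_seconds=60, clock=time.monotonic, rng=secrets.randbelow):
        self.ttl = ttl_seconds
        self.clock = clock          # injectable for deterministic tests
        self.rng = rng              # injectable for deterministic tests
        self.pending = {}           # challenge_id -> challenge record

    def start_login(self, user, policy="number_matching"):
        """Return (challenge_id, number). The number is displayed on the
        sign-in page, i.e. to the party who initiated the login."""
        cid = secrets.token_hex(8)
        number = f"{self.rng(100):02d}" if policy == "number_matching" else None
        self.pending[cid] = {"user": user, "number": number,
                             "expires": self.clock() + self.ttl, "policy": policy}
        return cid, number

    def approve_from_app(self, cid, entered=None):
        """Authenticator app response. Challenges are single use: a wrong or
        expired answer burns the challenge, so spamming cannot be used to
        brute-force the 100 possible numbers against one challenge."""
        ch = self.pending.pop(cid, None)
        if ch is None or self.clock() > ch["expires"]:
            return False
        if ch["policy"] == "plain_push":
            return True                         # fatigue-vulnerable: any tap approves
        if entered is None:
            return False                        # app refuses to approve without a number
        return secrets.compare_digest(str(entered).zfill(2), ch["number"])


def simulate_fatigue(idp, policy, prompts=10, victim_guess="00"):
    """Attacker with the victim's password fires `prompts` logins; the worn-down
    victim approves the last one. Under plain push the victim just taps. Under
    number matching the victim never saw a sign-in page, so they can only guess.
    Returns True if the attacker's login was approved."""
    cid = None
    for _ in range(prompts):
        cid, _attacker_sees_number = idp.start_login("contractor1", policy)
    entered = None if policy == "plain_push" else victim_guess
    return idp.approve_from_app(cid, entered)


if __name__ == "__main__":
    idp = PushIdP()
    print("plain push approved:      ", simulate_fatigue(idp, "plain_push"))
    print("number matching approved: ", simulate_fatigue(idp, "number_matching"))
```

Two caveats follow from the model. First, the number is shown to whoever typed the password, which during an attack is the attacker; the defence only holds because the victim does not see it. An attacker who also talks the victim through the approval by phone or chat, as the Uber intruder did over WhatsApp, can simply read the number out, so number matching raises the bar but does not replace user training or a FIDO2 key. Second, single-use challenges matter: if a wrong entry left the challenge open, the attacker could keep the victim tapping digits until one matched.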
“When protecting against MFA attacks of all kinds, it’s important to require MFA every time a personal profile is changed to prevent malicious actions from going unnoticed and to set up proactive reviews of risk events,” said Shay Nahari, vice president of red team services at CyberArk, in a blog post about recent techniques used in major social engineering attacks, including MFA fatigue. “In addition, your SOC can leverage user behavior analytics to set contextual triggers to notify you if anomalous behavior is detected or block user authentication from suspicious IP addresses.”
Copyright © 2022 IDG Communications, Inc.