Multifactor Authentication is a strong defense to ward off hackers from taking over your account. But, as per a recent finding, two groups – Lapsus$ and SolarWinds seem to have created a dent in the way MFA works. In this post, we’ll discuss what this is all about and most importantly not all kinds of Multifactor Authentication are created equal.
A Little About Multifactor Authentication (MFA)
If you have activated Multifactor Authentication on your account, then, in addition to the username and password that you furnish while logging into your account, you also have to use an additional factor. This could be a one-time password that’s sent to your smartphone or on your email, a fingerprint, or a physical security key.
MFA Forms – An Overview
Not all MFAs are created equal as far as security is concerned. In the recent past, script kiddies like the Lapsus$ data extortion gang and the Cozy Bear – The threat actors behind the SolarWinds hack have been successful in breaking some MFA protection. They have used a technique known as MFA Prompt Bombing something that we will discuss a little later in this blog.
Before we discuss what MFA prompt bombing is, let’s first dive into 2 frameworks on which Multifactor Authentication is based –
- Old Forms of MFA: These are One Time Passwords (OTPs) that are sent via SMSs or push notifications sent to a phone or via mobile apps like Google Authenticator\. In this case, apart from entering your username and password, you also have to enter the One Time Password that was sent to you to complete the login process.
- FIDO2: These forms of MFA are relatively new but stronger than the older forms. These were developed by a consortium of companies to balance both ease of use and security of a user. So how’s FIDO2 different from the older forms? Here you have an option to use the cameras built into your device or finger readers or dedicated security keys. Such methods validate that the user is authorized to use the intended account.
What is MFA Prompt Bombing?
The concept of MFA Prompt Bombing, at the outset, shows how weak the older forms of MFA are.
Knowing the fact that many MFA providers let you receive a phone call to confirm the authentication or send push notifications as a second factor, threat actors in the past have issued multiple Multifactor Authentication requests to a user’s legitimate device. More specifically, as per Mandiant researchers, the threat actor Cozy Bear, which also goes under the names APT29, Nobelium, and Dukes used this technique.
But How On Earth Did The Threat Actors Rope In Victims To Tap On Authentication?
A member of Lapsus$ wrote on the group’s official Telegram channel – “Call the employee 100 times at 1 am while he is trying to sleep, and he will more than likely accept it. Once the employee accepts the initial call, you can access the MFA enrollment portal and enroll another device.”
As we can see that the threat actor exploited the fact that no limit was placed on the number of calls that could be made. Furthermore, the requests are sent to the device unless and until the user accepts them, and then, once that happens the threat actor gains access to the user account.
Quite surprisingly (and alarmingly!), a LapSus$ member claimed to have duped a Microsoft employee. This member said “ Able to login to an employee’s Microsoft VPN from Germany and USA at the same time and they didn’t even seem to notice. Also was able to re-enroll MFA twice.”
Mike Grover, who is a seller of red-team hacking tools for security professionals said “fundamentally a single method that takes many forms: tricking the user to acknowledge an MFA request. ‘MFA Bombing’ has quickly become a descriptor, but this misses the more stealthy methods.” The methods include –
Want some techniques that many Red Teams have been using to circumvent MFA protections on accounts? Yeah, even “unphishable” versions.
I’m sharing so that you can think about what’s coming, how you’ll do mitigations, etc. Its being seen in the wild more these days.
— _MG_ (@_MG_) March 23, 2022
- Calling the target victim as a part of the company and asking them to send an MFA request as a part of the company process.
- Sending a bunch of MFA requests in the hope that the target victim finally gives in and accepts the request to stop the noise.
- Sending 1-2 per day. Here the chances of MFA request acceptance are still good.
Is the technique to dent MFA new? Probably not and one researcher pointed this out in one of the tweets –
Lapsus$ did not invent ‘MFA prompt bombing’ please stop crediting them with them as creating it.
This attack vector has been a thing used in real world attacks 2 years before lapsus was a thing
— Greg Linares (@Laughing_Mantis) March 25, 2022
So Does This Mean FIDO2 Is Full Proof Against Attacks?
To an extent, yes! That’s because in the case of FIDO2 the authentication needs the user’s device. MFA using FIDO2 forms are tied to a physical machine and can’t happen to one device that tries to give access to a different device.
But what if you drop your phone and break it, lose your key or somehow break the fingerprint reader present on your laptop? Or what if a hacker, tricks an IT administrator into resetting Multifactor Authentication and then enrolling a new device altogether? Also, what if FIDO2 compliant MFA is not an option in your case?
That’s when MFA prompt bombing in the case of FIDO2 Forms of Multifactor Authentication comes in –
- If reset backup mechanisms are used, attackers may pounce on this opportunity.
- Let’s say a company that uses FIDO2 forms of MFA relies on a third party for performing functions or managing the network. This third-party company uses weaker MFA forms to access the company’s networks. The whole purpose of FIDO2 is defeated here.
Nobelium was able to bypass FIDO2 based everywhere but in this case, the hackers were able to exploit the victim’s Active Directory where it was able to exploit the database tools which the admins use to create, delete or modify user accounts or assign them authorization privileges.
We’d like to reinstate the fact that with malicious actors developing stronger ways to thwart MFAs, stronger forms should be used. That being said, using an MFA is still an essential step toward the protection of your online accounts. If you liked what you read, do give this post a thumbs up and share your views in the comments section below.