A sinister way to beat multi-factor authentication is on the rise

Multi-factor authentication (MFA) is a core defense that is among the most effective in preventing account takeovers. In addition to requiring users to provide a username and password, MFA also requires them to use an additional factor, be it a fingerprint, physical security key, or one-time password, before they can access an account. Nothing in this article should be construed as saying that MFA is anything other than essential.

That said, some forms of MFA are stronger than others, and recent events show that these weaker forms are not much of a hurdle for some hackers. In the past few months, suspected script kiddies like the Lapsus$ data extortion gang and elite Russian state threat actors (such as Cozy Bear, the group behind the SolarWinds hack) have both successfully defeated the protection.

Enter MFA Prompt Bombing

The strongest forms of MFA are based on a framework called FIDO2, which was developed by a consortium of companies to balance security and simplicity of use. It gives users the option to use fingerprint readers or cameras built into their devices or special security keys to confirm that they are authorized to access an account. FIDO2 forms of MFA are relatively new, so many services for both consumers and large organizations have yet to adopt them.

That’s where older, weaker forms of MFA come in. They include one-time passwords sent via SMS or generated by mobile apps such as Google Authenticator, or push prompts sent to a mobile device. When someone logs in with a valid password, they also have to enter the one-time password into a field on the login screen or press a button that appears on their phone’s screen.

It is this latter form of authentication that, according to recent reports, is being bypassed. One group using this technique, according to security firm Mandiant, is Cozy Bear, a group of elite hackers who work for Russia’s foreign intelligence agency. The group also goes by the names Nobelium, APT29 and the Dukes.

“Many MFA providers allow users to accept push notifications from a phone app or receive a phone call and press a key as a secondary factor,” Mandiant researchers wrote. “The [Nobelium] threat actor took advantage of this and sent multiple MFA requests to the legitimate end-user device until the user accepted the authentication, ultimately allowing the threat actor to access the account.”

Lapsus$, a hacking gang that has hacked into Microsoft, Okta and Nvidia in recent months, has also used the technique.

“There is no limit to the number of calls that can be made,” a Lapsus$ member wrote on the group’s official Telegram channel. “Call the employee 100 times at 1am while he is trying to sleep, and he will most likely accept it. Once the employee accepts the first call, you can access the MFA enrollment portal and enroll another device.”

The Lapsus$ member claimed the MFA prompt-bombing technique was effective against Microsoft, which earlier this week said the hacking group had access to the laptop of one of its employees.

“Even Microsoft!” the person wrote. “Could simultaneously log into an employee’s Microsoft VPN from Germany and the US and they didn’t even seem to notice. MFA was also able to re-register twice.”

Mike Grover, a seller of red-team hacking tools for security professionals and a red-team consultant who goes by the Twitter handle _MG_, told Ars the technique is “essentially a single method that takes many forms: tricking the user into confirming an MFA request. ‘MFA Bombing’ has quickly become a descriptor, but it lacks the more covert methods.”
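
The pattern in the Mandiant and Lapsus$ accounts above (a burst of push prompts ending in an approval, then enrollment of another device) leaves a trail in MFA audit logs. The Python below is an added example, not part of the original article; the event names, thresholds and log lines are constructed assumptions to be mapped onto a real provider's log fields.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs): timestamp, user, event type.
# Event names are hypothetical; map them to your MFA provider's audit fields.
SAMPLE_LOG = """\
2024-01-15T01:02:10 alice push_sent
2024-01-15T01:02:40 alice push_denied
2024-01-15T01:03:05 alice push_sent
2024-01-15T01:03:50 alice push_sent
2024-01-15T01:04:30 alice push_sent
2024-01-15T01:05:10 alice push_sent
2024-01-15T01:05:20 alice push_approved
2024-01-15T01:09:00 alice mfa_enroll
2024-01-15T09:00:00 bob push_sent
2024-01-15T09:00:08 bob push_approved
2024-01-15T09:30:00 bob mfa_enroll
"""

def detect_prompt_bombing(log_text, max_prompts=3, window=timedelta(minutes=10),
                          enroll_window=timedelta(minutes=30)):
    """Return (user, alert, detail) for approvals that follow a prompt burst."""
    prompts = defaultdict(deque)   # user -> timestamps of recent push_sent
    flagged = {}                   # user -> time of last suspicious approval
    alerts = []
    for line in log_text.splitlines():
        ts_raw, user, event = line.split()
        ts = datetime.fromisoformat(ts_raw)
        recent = prompts[user]
        while recent and ts - recent[0] > window:
            recent.popleft()       # drop prompts older than the window
        if event == "push_sent":
            recent.append(ts)
        elif event == "push_approved":
            if len(recent) > max_prompts:
                alerts.append((user, "approved_after_burst", len(recent)))
                flagged[user] = ts
            recent.clear()         # an approval ends the current burst
        elif event == "mfa_enroll" and user in flagged:
            # A device enrolled soon after a suspicious approval matches the
            # follow-up step described above; detail is seconds since approval.
            gap = ts - flagged[user]
            if gap <= enroll_window:
                alerts.append((user, "enroll_after_suspicious_approval",
                               int(gap.total_seconds())))
    return alerts

if __name__ == "__main__":
    for alert in detect_prompt_bombing(SAMPLE_LOG):
        print(alert)
```

The same per-user counter can drive a control as well as an alert: once the prompt count in the window exceeds the threshold, stop sending further prompts for that login attempt.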

This post, “A sinister way to beat multi-factor authentication is on the rise,” was originally published at https://www.wired.com/story/multifactor-authentication-prompt-bombing-on-the-rise