The sinister way to defeat multi-factor authentication is on the rise

Multi-factor authentication (MFA) is a core defense that is among the most effective at preventing account takeovers. In addition to requiring users to provide a username and password, MFA ensures that they must use an additional factor (a fingerprint, a physical security key, or a one-time password) before they can access an account. Nothing in this article should be construed as saying MFA is anything other than essential.

However, some forms of MFA are stronger than others, and recent events show that these weaker forms are not much of an obstacle for some hackers. Over the past few months, groups as different as the Lapsus$ data extortion gang and elite Russian state threat actors (such as Cozy Bear, the group behind the SolarWinds hack) have successfully defeated the protection.

Enter MFA Prompt Bombing

The strongest forms of MFA are based on a framework called FIDO2, which was developed by a consortium of companies to balance security and ease of use. It gives users the option to use fingerprint readers or cameras built into their devices, or special security keys, to verify that they are authorized to access an account. FIDO2 forms of MFA are relatively new, so many services for both consumers and large organizations have not yet adopted them.

This is where older, weaker forms of MFA come into play. These include one-time passwords sent via SMS or generated by mobile apps such as Google Authenticator, and push prompts sent to a mobile device. When someone logs in with a valid password, they must also either enter the one-time password in a field on the login screen or press a button displayed on their phone's screen.

It's this last form of authentication that recent reports say is being bypassed. One group using this technique, according to security firm Mandiant, is Cozy Bear, a group of elite hackers working for Russia's foreign intelligence service. The group also goes by the names Nobelium, APT29 and the Dukes.

“Many MFA vendors allow users to accept a push notification from a phone app or receive a phone call and press a key as a second factor,” the Mandiant researchers wrote. “The threat actor [Nobelium] took advantage of this and issued multiple MFA requests to the end user’s legitimate device until the user accepted the authentication, allowing the threat actor to eventually gain access to the account.”

Lapsus$, a hacking gang that has breached Microsoft, Okta and Nvidia in recent months, also uses the technique.

“There is no limit to the number of calls that can be made,” a Lapsus$ member wrote on the group’s official Telegram channel. “Call the employee 100 times at 1am while he’s trying to sleep and he’ll more than likely take it. Once the employee accepts the initial call, you can access the MFA enrollment portal and enroll another device.”
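As an added example (not from the article, Mandiant's report, or the Lapsus$ post), the following Python detection logic runs over a constructed authentication log and flags the pattern described above from the defender's side: a burst of push prompts to one user, an approval that follows the burst, and a new-device enrollment shortly after. The log format, event names and thresholds are assumptions.

```python
# Added example: flag MFA push-prompt bursts ("prompt bombing") in an auth log.
# Assumed log line format: "<ISO timestamp> <user> <event>", with the events
# push_sent, push_approved and device_enrolled (constructed, not a real vendor format).
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one normal login (alice) and one 1 AM burst against bob
SAMPLE_LOG = """\
2022-03-29T09:00:00 alice push_sent
2022-03-29T09:00:05 alice push_approved
2022-03-30T01:00:00 bob push_sent
2022-03-30T01:00:30 bob push_sent
2022-03-30T01:01:00 bob push_sent
2022-03-30T01:01:30 bob push_sent
2022-03-30T01:02:00 bob push_sent
2022-03-30T01:02:10 bob push_approved
2022-03-30T01:05:00 bob device_enrolled
"""

def parse(log):
    """Yield (timestamp, user, event) tuples from the assumed log format."""
    for line in log.splitlines():
        ts, user, event = line.split()
        yield datetime.fromisoformat(ts), user, event

def find_prompt_bombing(log, max_prompts=3, window=timedelta(minutes=10),
                        enroll_window=timedelta(minutes=30)):
    """Return {user: [findings]}. A burst is more than max_prompts push_sent events
    within `window`; an approval after a burst, and a device enrollment within
    enroll_window of that approval, are recorded as escalating findings."""
    recent_sent = defaultdict(list)   # user -> timestamps of prompts inside window
    burst_at, approved_at = {}, {}
    findings = defaultdict(list)
    for ts, user, event in parse(log):
        if event == "push_sent":
            recent_sent[user].append(ts)
            recent_sent[user] = [t for t in recent_sent[user] if ts - t <= window]
            if len(recent_sent[user]) > max_prompts and user not in burst_at:
                burst_at[user] = ts
                findings[user].append("prompt_burst")
        elif event == "push_approved" and user in burst_at:
            approved_at[user] = ts
            findings[user].append("approved_after_burst")
        elif (event == "device_enrolled" and user in approved_at
              and ts - approved_at[user] <= enroll_window):
            findings[user].append("new_device_after_burst")
    return dict(findings)
```

The three findings for one user in a short span are the signal worth paging on; a single `prompt_burst` with no approval is usually just the user ignoring the prompts, which is still worth a rate limit on the push channel.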
