Imagine that after a hard day’s work you suddenly receive a flood of multifactor authentication (MFA) prompts asking you to approve a sign-in. You think to yourself how annoying these notifications are. After declining a bulk of them, you tap the “Approve” button to make the stress stop, assuming it is probably maintenance work or an update. Have you realized what consequences that brings for you and for the organization you work for? Have you fathomed the damage a simple tap of the “Approve” button can do, and how you are unwittingly helping a cybercriminal take over your account and perform all sorts of nefarious actions against your organization?
Strong authentication is becoming more widely used, which has led to an increase in multi-factor authentication (MFA) fatigue attacks, also known as MFA spamming. These attacks rely on the user's willingness to accept a simple voice, SMS, or push prompt that does not require them to know anything about the session they are authenticating. Users are performing a basic approval when they “click to approve” or “enter your PIN to approve” rather than typing in a code they see on-screen.
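To make the difference between a blind approval and a number-matching approval concrete, here is an added example (not code from the original post or from any MFA vendor) of a hypothetical push-MFA service. The class name, method names, the two-digit code length and the 60-second lifetime are assumptions chosen for illustration. The point it demonstrates is that a "click to approve" endpoint accepts an answer from a user who knows nothing about the sign-in, whereas a number-matching endpoint only succeeds when the user types the code displayed on the screen that started the sign-in, which a victim who never initiated that sign-in does not have.

```python
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class PushChallenge:
    """One pending sign-in waiting for the user's authenticator to answer."""
    user: str
    session_id: str
    number: str        # two-digit code shown only on the screen that started the sign-in
    created: float
    resolved: bool = False


class PushMfaService:
    """Hypothetical server-side MFA service (assumed for illustration only).

    start_login() is called by the sign-in page; the two approve_* methods
    are the endpoints the authenticator app calls when the user answers.
    """

    def __init__(self, ttl_seconds=60.0, rng=secrets.randbelow):
        self.ttl = ttl_seconds
        self.rng = rng              # injectable so tests can pin the number
        self.challenges = {}        # session_id -> PushChallenge

    def start_login(self, user, session_id):
        number = f"{self.rng(100):02d}"
        self.challenges[session_id] = PushChallenge(user, session_id, number, time.time())
        return number               # rendered only in the browser that attempted the sign-in

    def _pending(self, session_id):
        """Return the challenge if it is still open and unexpired, else None."""
        ch = self.challenges.get(session_id)
        if ch is None or ch.resolved:
            return None
        if time.time() - ch.created > self.ttl:
            ch.resolved = True      # expired: can never be approved later
            return None
        return ch

    def approve_simple(self, session_id):
        """'Click to approve': nothing about the session has to be known,
        so a victim worn down by repeated prompts can grant access blindly."""
        ch = self._pending(session_id)
        if ch is None:
            return False
        ch.resolved = True
        return True

    def approve_with_number(self, session_id, entered):
        """Number matching: succeeds only if the user types the code that was
        displayed on the sign-in screen. Each prompt allows a single answer,
        right or wrong, so the code cannot be guessed by retrying."""
        ch = self._pending(session_id)
        if ch is None:
            return False
        ch.resolved = True          # consume the prompt on any answer
        return hmac.compare_digest(ch.number, entered)
```

In the number-matching path the code is compared with `hmac.compare_digest` and the prompt is consumed on the first answer; with only 100 possible values, allowing repeated guesses against the same prompt would defeat the control.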
An 18-year-old hacker going by the handle “Tea Pot” allegedly broke into Uber in September 2022. By using social engineering to convince an Uber employee to grant him account access and accept an MFA prompt, the hacker was able to register his own device. After establishing a base of operations, the attacker discovered an Uber internal network share that held PowerShell scripts with admin privileges. This allowed the hacker to gain access to AWS, Slack, and Google Cloud Platform, among other applications.
As part of the multi-factor authentication (MFA) fatigue attack strategy, attackers bombard a user's authentication app with push notifications in the hopes that they will accept, giving them access to the account or device.
The MFA fatigue attack chain unfolds as follows:
1. An MFA fatigue attack begins with user information already in hand: the cybercriminal already has the victim’s username and password. In most cases this information was obtained through phishing or social engineering, or the credentials were exposed in a breach or obtained from the dark web.
2. The cybercriminal then enters the stolen credentials in an attempt to sign in to the acquired account, which is protected by push MFA, and keeps trying until a sign-in succeeds.
3. After obtaining the credentials illegally, the cybercriminal uses them to access the target's account or device that is protected by push multi-factor authentication. Usually, the attacker makes several rapid attempts to trigger push notifications from the authenticating application. These push notifications may be delivered as desktop notifications, emails, or text messages, but they are typically sent to the user's mobile device.
4. Now the cybercriminal rapidly sends push alerts to the target in an effort to overload them; to ease the workload, the attacker automates the task with a simple script. The attacker wants the victim to tap "Yes" and confirm their identity so that the attacker gains further access to the victim's account or device. After some time spent declining, the victim might assume it is a minor application issue or a test, or may simply be annoyed and want the messages to stop; thus the victim selects ‘Approve’ in an effort to end the notifications.
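The chain above leaves a characteristic trace in the MFA provider's logs: a burst of denied push prompts for one user in a short window, sometimes followed by an approval. The detector below is an added example, not code from the original post or from any MFA vendor; the log format (`timestamp user=… result=… ip=…`), the sample events and the threshold of three denials within five minutes are all constructed assumptions. It raises a medium-severity finding when the burst first forms (step 4 in progress) and a high-severity finding when an approval arrives while the burst is still inside the window, which is the moment the victim gave in and the account should be treated as compromised.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events from a hypothetical push-MFA provider log.
# Field names and layout are assumptions, not any vendor's real schema.
SAMPLE_LOG = """\
2023-05-02T18:02:11Z user=alice result=denied ip=203.0.113.7
2023-05-02T18:02:19Z user=alice result=denied ip=203.0.113.7
2023-05-02T18:02:27Z user=alice result=denied ip=203.0.113.7
2023-05-02T18:02:35Z user=alice result=denied ip=203.0.113.7
2023-05-02T18:02:44Z user=alice result=denied ip=203.0.113.7
2023-05-02T18:03:01Z user=alice result=approved ip=203.0.113.7
2023-05-02T18:05:00Z user=bob result=approved ip=198.51.100.4
2023-05-02T18:10:00Z user=carol result=denied ip=198.51.100.9
2023-05-02T18:40:00Z user=carol result=approved ip=198.51.100.9
"""


def parse_event(line):
    """Turn one 'timestamp key=value ...' line into a dict with a datetime."""
    ts_text, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_mfa_fatigue(lines, threshold=3, window=timedelta(minutes=5)):
    """Sliding-window detector for the attack chain described above.

    - 'medium': a user denies `threshold` push prompts within `window`
      (the attacker is hammering the authenticator).
    - 'high':   an approval arrives while such a burst is still in the window
      (the victim gave in; treat as a likely account takeover).
    Returns the findings in chronological order.
    """
    denials = defaultdict(deque)   # user -> denied events still inside the window
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        recent = denials[ev["user"]]
        while recent and ev["ts"] - recent[0]["ts"] > window:
            recent.popleft()       # age out denials older than the window
        if ev["result"] == "denied":
            recent.append(ev)
            if len(recent) == threshold:   # fire once, when the burst first forms
                findings.append({
                    "user": ev["user"], "severity": "medium", "at": ev["ts"],
                    "detail": f"{threshold} denied prompts within {window}",
                    "ips": sorted({e["ip"] for e in recent}),
                })
        elif ev["result"] == "approved":
            if len(recent) >= threshold:
                findings.append({
                    "user": ev["user"], "severity": "high", "at": ev["ts"],
                    "detail": f"approval after {len(recent)} denials within {window}",
                    "ips": sorted({e["ip"] for e in recent} | {ev["ip"]}),
                })
            recent.clear()         # an approval ends the burst either way
    return findings


if __name__ == "__main__":
    for f in detect_mfa_fatigue(SAMPLE_LOG.splitlines()):
        print(f"{f['at']:%H:%M:%S} {f['severity']:6} {f['user']}: "
              f"{f['detail']} from {', '.join(f['ips'])}")
```

Run against the constructed sample, the detector reports two findings for alice (the burst of denials, then the approval that followed it) and nothing for bob or carol, whose single denial is thirty minutes before the approval and has aged out of the window. The threshold and window are the knobs to tune against a real provider's baseline of legitimate denials.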
Here is an example of an MFA fatigue attack in real time, presented by GoSecure:
MFA fatigue attacks are a growing concern and are becoming widely popular in the current threat landscape as more cybercriminals, from state-sponsored actors to novices, use the technique to gain further access for their own motives. A Microsoft study has shown that over 382,000 MFA fatigue attacks took place in 2022.
As long as it continues to be effective, MFA fatigue will be a common tactic used by a number of cybercriminals. Lapsus$, a hacker group infamous for extortion schemes that has already targeted firms including NVIDIA, Samsung, and Microsoft, is one group that has used MFA fatigue in a number of high-profile attacks. It is unclear whether prompt spam was employed in all of these attacks, because businesses do not always share complete information about security incidents.
An attacker can use this initial access to compromise further accounts, collect and exfiltrate important organizational data, and possibly even launch ransomware to cause more damage to the organization's operations.
Of course, as we know, there is no way to protect yourself with 100% certainty against the many kinds of cyberattacks. However, individuals and organizations alike can follow guidelines and best practices to improve their security posture.
Here are ways to improve your security posture and reduce the likelihood of an MFA fatigue attack:
We must take lessons from previous MFA fatigue attacks and ensure that we put good measures in place against future events. Most importantly, we should educate ourselves so that we know what to do and how to respond to such an attack without putting ourselves or the organization we work for at risk.