Multifactor authentication (MFA) is a core defense that is among the most effective at preventing account takeovers. In addition to requiring users to provide a username and password, MFA ensures that they must also use an additional factor — be it a fingerprint, a physical security key, or a one-time password — before they can access an account. Nothing in this article should be construed as implying that MFA is anything but essential.
However, some forms of MFA are stronger than others, and recent events show that these weaker forms do not pose much of a hurdle for some hackers. Over the past few months, suspected script kiddies like the Lapsus$ data racketeering gang and elite Russian state threat actors (like Cozy Bear, the group behind the SolarWinds hack) have both successfully defeated the protection.
Enter MFA Prompt Bombing
The strongest forms of MFA are based on a framework called FIDO2, which was developed by a consortium of companies to balance security and usability. It gives users the ability to use fingerprint readers or cameras built into their devices, or dedicated security keys to confirm that they are authorized to access an account. FIDO2 forms of MFA are pretty newso many services for both consumers and large organizations have yet to be adopted.
This is where older, weaker forms of MFA come into play. This includes one-time passwords sent via SMS or generated by mobile apps like Google Authenticator, or push prompts sent to a mobile device. When someone logs in with a valid password, they must either enter the one-time password into a field on the login screen or press a button displayed on their phone’s screen.
According to recent reports, this last form of authentication is bypassed. A group using this technique according to for security firm Mandiant is Cozy Bear, a group of elite hackers working for Russia’s foreign intelligence service. The group also goes by the names Nobelium, APT29 and Dukes.
“Many MFA providers allow users to accept a push notification from a phone app or receive a call and press a button as a second factor,” write the Mandiant researchers. “That [Nobelium] The attacker took advantage of this and made multiple MFA requests to the end user’s legitimate device until the user accepted the authentication, eventually giving the attacker access to the account.”
“There is no limit to the number of calls that can be made,” a Lapsus$ member wrote on the group’s official Telegram channel. “Call the employee 100 times at 1am while they are trying to sleep and they will most likely accept it. Once the agent answers the first call, you can access the MFA enrollment portal and enroll another device.”
The Lapsus$ member claimed that the MFA prompt bombing technique was effective against Microsoft, which said earlier this week that the hacking group was able to access the laptop of one of its employees.
“Even Microsoft!” the human wrote. “Possible to log into an employee’s Microsoft VPN from Germany and the US at the same time and they didn’t even seem to notice. Was also able to re-register MFA twice.”
Mike Grover, a seller of Red Team hacking tools for security professionals and a Red Team consultant who turns to Twitter _MG_, Ars said the technique is “basically a single method that takes many forms: getting the user to confirm an MFA request. ‘MFA bombing’ has quickly become a household name, but that misses the more stealthy methods.”