Multi-factor authentication (MFA) is a core defense that’s among the most effective at preventing account takeovers. In addition to requiring users to provide a username and password, MFA ensures that they must also use an additional factor — be it a fingerprint, a physical security key, or a one-time password — before they can access an account. Nothing in this article should be construed as implying that MFA is anything but essential.
However, some forms of MFA are stronger than others, and recent events show that these weaker forms do not pose much of a hurdle for some hackers. Over the past few months, suspected script kiddies like the Lapsus$ data extortion gang and elite Russian state threat actors (like Cozy Bear, the group behind the SolarWinds hack) have both successfully defeated the protection.
Enter MFA Prompt Bombing
The strongest forms of MFA are based on a framework called FIDO2, developed by a consortium of companies that balances security and usability needs. It gives users the ability to use fingerprint readers or cameras built into devices, or dedicated security keys to confirm that they are authorized to access an account. FIDO2 MFA forms are relatively new, so many services for both consumers and large organizations have yet to adopt them.
This is where older, weaker forms of MFA come into play. These include one-time passwords sent via SMS or generated by mobile apps like Google Authenticator, or push prompts sent to a mobile device. When someone logs in with a valid password, they must either enter the one-time password into a field on the login screen or press a button displayed on their phone’s screen.
According to recent reports, this last form of authentication is being bypassed. One group using this technique, according to security firm Mandiant, is Cozy Bear, a group of elite hackers working for Russia’s foreign intelligence agency. The group also goes by the names Nobelium, APT29 and the Dukes.
“Many MFA providers allow users to accept a push notification from a phone app or receive a call and press a button as a second factor,” the Mandiant researchers wrote. “The [Nobelium] attacker took advantage of this and made multiple MFA requests to the end user’s legitimate device until the user accepted the authentication, eventually giving the attacker access to the account.”
Lapsus$, a gang of hackers who have breached Microsoft, Okta, and Nvidia in recent months, have also used the technique.
“There is no limit to the number of calls that can be made,” a Lapsus$ member wrote on the group’s official Telegram channel. “Call the employee 100 times at 1am while they are trying to sleep and they will most likely accept it. Once the agent answers the first call, you can access the MFA enrollment portal and enroll another device.”
The Lapsus$ member claimed that the MFA prompt bombing technique was effective against Microsoft, which said earlier this week that the hacking group was able to access the laptop of one of its employees.
“Even Microsoft!” the person wrote. “Possible to log into an employee’s Microsoft VPN from Germany and the US at the same time and they didn’t even seem to notice. Was also able to re-register MFA twice.”
Mike Grover, a seller of Red Team hacking tools for security professionals and a Red Team consultant who goes by the Twitter handle _MG_, told Ars the technique is “basically a single method that takes many forms: getting the user to confirm an MFA request. ‘MFA bombing’ has quickly become a household name, but that misses the more stealthy methods.”
- Send out a series of MFA requests and hope the target finally accepts one to stop the noise.
- Send one or two prompts a day. This method often draws less attention, but “there’s still a good chance the target will accept the MFA request.”
- Call the target, pretend to be part of the company, and tell the target that a company process requires them to send an MFA request.
“These are just a few examples,” Grover said, “but it’s important to realize that mass bombing is NOT the only form this takes.”
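As an added illustration, not taken from the article or from any of the researchers quoted in it, the following Python sketch shows how a defender might flag the prompt patterns described above in authentication logs: the mass-bombing burst, the one-or-two-prompts-a-day variant, and an approval that follows a run of denials and is then followed by MFA device enrollment. The log format, event names, user names, IP addresses and thresholds are all constructed assumptions; real identity providers log these events under their own names.

```python
"""Detection heuristics for MFA prompt bombing, run over constructed sample log lines.

Added example, not code from the article. Log format, event names and thresholds
are assumptions; adapt them to the identity provider's actual audit log schema.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample audit log (not real data): "<ISO time> <user> <event> <source ip>"
# alice: a burst of prompts, mostly denied, then one approval and a new device enrolled.
# bob:   one denied prompt per day over three days (the low-and-slow variant).
# carol: a normal login with a single approved prompt.
SAMPLE_LOG = """\
2022-03-22T01:02:10Z alice push_sent 203.0.113.5
2022-03-22T01:02:40Z alice push_denied 203.0.113.5
2022-03-22T01:03:10Z alice push_sent 203.0.113.5
2022-03-22T01:03:40Z alice push_denied 203.0.113.5
2022-03-22T01:04:10Z alice push_sent 203.0.113.5
2022-03-22T01:04:40Z alice push_denied 203.0.113.5
2022-03-22T01:05:10Z alice push_sent 203.0.113.5
2022-03-22T01:05:40Z alice push_denied 203.0.113.5
2022-03-22T01:06:10Z alice push_sent 203.0.113.5
2022-03-22T01:06:45Z alice push_approved 203.0.113.5
2022-03-22T01:12:00Z alice mfa_device_enrolled 203.0.113.5
2022-03-20T09:00:00Z bob push_sent 198.51.100.7
2022-03-20T09:00:20Z bob push_denied 198.51.100.7
2022-03-21T09:30:00Z bob push_sent 198.51.100.7
2022-03-21T09:30:30Z bob push_denied 198.51.100.7
2022-03-22T08:45:00Z bob push_sent 198.51.100.7
2022-03-22T08:45:15Z bob push_denied 198.51.100.7
2022-03-22T10:00:00Z carol push_sent 192.0.2.9
2022-03-22T10:00:20Z carol push_approved 192.0.2.9
"""


def parse_log(text):
    """Parse the whitespace-separated sample format into time-sorted event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, event, ip = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": when, "user": user, "event": event, "ip": ip})
    events.sort(key=lambda e: e["ts"])
    return events


def _by_user(events):
    """Group already-sorted events per user, preserving time order."""
    per_user = defaultdict(list)
    for e in events:
        per_user[e["user"]].append(e)
    return per_user


def detect_push_bursts(events, window=timedelta(minutes=10), threshold=5):
    """Rule 1: many push prompts to one user inside a short window (mass bombing)."""
    alerts = []
    for user, evs in _by_user(events).items():
        recent = deque()  # timestamps of push_sent events inside the sliding window
        for e in evs:
            if e["event"] != "push_sent":
                continue
            recent.append(e["ts"])
            while recent and e["ts"] - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold:
                alerts.append((user, "push_burst", f"{len(recent)} prompts within {window}"))
                break  # one alert per user is enough for the demo
    return alerts


def detect_low_and_slow(events, window=timedelta(days=7), min_days=3):
    """Rule 2: denied prompts on several distinct days (the one-or-two-a-day variant)."""
    alerts = []
    for user, evs in _by_user(events).items():
        denials = [e["ts"] for e in evs if e["event"] == "push_denied"]
        for i, start in enumerate(denials):
            days = {t.date() for t in denials[i:] if t - start <= window}
            if len(days) >= min_days:
                alerts.append((user, "low_and_slow",
                               f"denials on {len(days)} distinct days within {window.days} days"))
                break
    return alerts


def detect_fatigue_approval(events, min_denials=2, window=timedelta(hours=1),
                            enroll_window=timedelta(minutes=30)):
    """Rule 3: an approval preceded by repeated denials; escalate if a new MFA device follows."""
    alerts = []
    for user, evs in _by_user(events).items():
        for i, e in enumerate(evs):
            if e["event"] != "push_approved":
                continue
            prior = sum(1 for p in evs[:i]
                        if p["event"] == "push_denied" and e["ts"] - p["ts"] <= window)
            if prior < min_denials:
                continue
            enrolled = any(n["event"] == "mfa_device_enrolled"
                           and timedelta(0) <= n["ts"] - e["ts"] <= enroll_window
                           for n in evs[i + 1:])
            severity = "critical" if enrolled else "high"
            alerts.append((user, "fatigue_approval",
                           f"approved after {prior} denials; enrollment followed={enrolled}; severity={severity}"))
    return alerts


def run_detections(text):
    """Run all three rules over a log text and return (user, rule, detail) tuples."""
    events = parse_log(text)
    return detect_push_bursts(events) + detect_low_and_slow(events) + detect_fatigue_approval(events)


if __name__ == "__main__":
    for user, rule, detail in run_detections(SAMPLE_LOG):
        print(f"{user:6} {rule:17} {detail}")
```

Run as written, it flags alice for the burst and for the approval-then-enrollment sequence, and bob for the three-day pattern, while carol's single approved prompt produces nothing. The third rule is the one worth wiring to a response action (for example, revoking the session and reviewing the newly enrolled device), since a denial streak ending in an approval followed by enrollment is exactly the sequence the Lapsus$ member describes.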
In one Twitter thread, he wrote: “Red teams have been playing variants of this for years. It has helped companies lucky enough to have a red team. But real attackers are advancing faster than the collective stance of most organizations has improved.”
Want some techniques that many Red Teams use to bypass account MFA protections? Yes, even “non-phishable” versions.
I’m sharing it so you can reflect on what’s to come, how to do damage control, etc. It’s seen more often in the wild these days.
— _MG_ (@_MG_) March 23, 2022
Other researchers were quick to point out that the MFA prompt technique is not new.
“Lapsus$ didn’t invent ‘MFA Prompt Bombing,’” tweeted Greg Linares, a Red Team professional. “Please stop attributing them… as creators. This attack vector was used in real attacks two years before Lapsus.”
Lapsus$ did not invent ‘MFA Prompt Bombing’, please stop attributing credit to them.
This attack vector was used in real attacks 2 years before Lapsus
— Greg Linares (@Laughing_Mantis) March 25, 2022