Credential compromise has long been a leading cause of network security breaches, prompting more and more organizations to adopt multi-factor authentication (MFA) as a defense. While enabling MFA for all accounts is strongly encouraged and is a best practice, implementation details matter, because attackers keep finding ways around it.
One of the most popular is to bombard an employee whose password has already been compromised with MFA push requests until they give up and approve one in their authenticator app. This simple but effective technique is known as MFA fatigue, and it was also used in the recent Uber breach.
Uber, LAPSUS$ and Past Breaches
Uber suffered a security breach last week when a hacker gained access to some of its internal systems, including G-Suite, Slack, OpenDNS and bug bounty platform HackerOne. As the details of the hack came to light, some security researchers managed to speak to the hacker who seemed eager to take responsibility and share some details about how the attack was carried out.
In a conversation shared on Twitter by security researcher Kevin Beaumont, the hacker said, “I was spamming [an] employee with push auth for over an hour. I then contacted him on WhatsApp and claimed to be from Uber IT. I told him that if he wanted it to end, he had to accept it. Well, he accepted and I added my device.”
Uber has since partially confirmed this information, saying in a security incident update that the victim was an external Uber contractor who had his Uber credentials stolen after his device was infected with malware. The company believes the hacker likely bought the credentials from the dark web and launched the MFA fatigue attack.
“The attacker then made multiple attempts to log into the contractor’s Uber account,” the company said. “Each time, the contractor received a two-factor login approval request, which initially blocked access. Eventually, however, the contractor accepted one and the attacker logged in successfully.”
Uber also believes the attacker is associated with the extortion group LAPSUS$, which has been responsible for breaches at various tech companies this year, including Microsoft, Cisco, Samsung, Nvidia and Okta. In March 2022, London police arrested seven people aged between 16 and 21 for their alleged involvement in the group, and although LAPSUS$ activity had slowed since then, many researchers believed the group might have more branches and members.
Uber said LAPSUS$ used similar techniques against its previous victims. Indeed, the Okta breach claimed by LAPSUS$ was carried out by targeting a support engineer working for an external technical support provider called Sykes Enterprises, a subsidiary of Sitel. The incident was detected when the attackers attempted to add a new authentication factor to the engineer’s account from a new location and the request was denied. Although it is not clear whether MFA fatigue was attempted in that case, Telegram screenshots show LAPSUS$ members discussing the technique.
“Smartcard login has no MFA,” one member told another. “Logging in with a password will issue an MFA via a phone call or authenticator app. However, there is no limit on the number of calls that can be made. Call the employee 100 times at 1am when they’re trying to sleep and more than likely after the employee accepts the initial call, you can go to the MFA enrollment portal and enroll another device.”
“Even Microsoft!” said another user. “Able to connect to an employee’s Microsoft VPN from Germany and the US at the same time and they didn’t even seem to notice. He was also able to re-enroll in MFA twice.”
How MFA Fatigue Harnesses the Human Factor
Like other social engineering, MFA spam attacks capitalize on users’ lack of training and understanding of attack vectors. Getting an MFA policy right is a balancing act. Being strict and invalidating sessions often results in frequent MFA prompts, and employees may get fed up with them or consider them excessive, just one more thing to click to get back to work. When an MFA fatigue attack then floods them with push notifications, they may assume the already annoying system is malfunctioning and accept a notification as they have many times before.
“Many MFA users are unfamiliar with this type of attack and would not understand if they were approving a fraudulent notification,” researchers from security firm GoSecure said in a blog post earlier this year. “Others just want it to go away and are just not aware of what they are doing because they approve similar notifications all the time. They can’t see through the ‘notification overload’ to spot the threat.”
On the other hand, if MFA policies are too lax, authenticated sessions live for a long time, IP address changes don’t trigger new prompts, and new MFA device registrations don’t raise warnings, so organizations risk not being alerted when, for example, a session token that has already passed the MFA check is stolen. Although Okta was temporarily breached, there is something positive to learn from that incident: some of the company’s MFA policies worked, and an alert was triggered when the attackers attempted to enroll a new MFA device on the account.
How to Mitigate MFA Fatigue Attacks
Organizations need to both train their employees to recognize these attacks and implement technical controls that reduce the potential for MFA abuse. Restricting the MFA methods available, rate-limiting MFA requests per account, alerting on new MFA device enrollments, and detecting location changes for authenticated users can mitigate some of these risks. If an authentication provider does not offer these controls, customers should request them.
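Here is what the alerting side of those controls looks like in practice, as an added example written for this article rather than code from Uber, Okta or any identity vendor. It runs three detections over a handful of constructed JSON-lines MFA events (a push storm, an approval that follows a storm, and a device enrollment from a country the account has not authenticated from before) and includes the per-account rate-limit check that would stop the storm at the source. The event names, field layout, 10-minute window and three-prompt threshold are assumptions; map them to whatever your identity provider actually logs.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy knobs: tune to your IdP's prompt timeout and normal user behaviour.
WINDOW = timedelta(minutes=10)
MAX_PROMPTS = 3          # more than this many pushes per WINDOW is a storm

# Constructed sample events (not real telemetry): a baseline login from the US the
# day before, then a night-time push storm from Germany that ends in an approval
# and a new device enrollment, plus one ordinary login by another user.
SAMPLE_LOG = """
{"ts": "2022-09-14T14:00:00Z", "user": "contractor1", "event": "mfa.push.sent", "ip": "203.0.113.10", "geo": "US"}
{"ts": "2022-09-14T14:00:05Z", "user": "contractor1", "event": "mfa.push.approved", "ip": "203.0.113.10", "geo": "US"}
{"ts": "2022-09-15T01:00:00Z", "user": "contractor1", "event": "mfa.push.sent", "ip": "198.51.100.7", "geo": "DE"}
{"ts": "2022-09-15T01:00:40Z", "user": "contractor1", "event": "mfa.push.timeout", "ip": "198.51.100.7", "geo": "DE"}
{"ts": "2022-09-15T01:01:00Z", "user": "contractor1", "event": "mfa.push.sent", "ip": "198.51.100.7", "geo": "DE"}
{"ts": "2022-09-15T01:01:20Z", "user": "contractor1", "event": "mfa.push.denied", "ip": "198.51.100.7", "geo": "DE"}
{"ts": "2022-09-15T01:02:00Z", "user": "contractor1", "event": "mfa.push.sent", "ip": "198.51.100.7", "geo": "DE"}
{"ts": "2022-09-15T01:03:00Z", "user": "contractor1", "event": "mfa.push.sent", "ip": "198.51.100.7", "geo": "DE"}
{"ts": "2022-09-15T01:04:00Z", "user": "contractor1", "event": "mfa.push.sent", "ip": "198.51.100.7", "geo": "DE"}
{"ts": "2022-09-15T01:04:20Z", "user": "contractor1", "event": "mfa.push.approved", "ip": "198.51.100.7", "geo": "DE"}
{"ts": "2022-09-15T01:05:00Z", "user": "contractor1", "event": "mfa.device.enrolled", "ip": "198.51.100.7", "geo": "DE"}
{"ts": "2022-09-15T09:00:00Z", "user": "alice", "event": "mfa.push.sent", "ip": "203.0.113.5", "geo": "US"}
{"ts": "2022-09-15T09:00:10Z", "user": "alice", "event": "mfa.push.approved", "ip": "203.0.113.5", "geo": "US"}
"""


def parse(log_text):
    """One JSON object per line; returns events sorted by timestamp."""
    events = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    events.sort(key=lambda e: e["ts"])
    return events


def detect(events, max_prompts=MAX_PROMPTS, window=WINDOW):
    """Returns (rule, user, ts, detail) tuples for three MFA-abuse patterns."""
    alerts = []
    sent = defaultdict(deque)       # user -> timestamps of pushes inside the window
    storm_at = {}                   # user -> time the storm threshold was crossed
    approvals = defaultdict(list)   # user -> (ts, geo) of every push approval
    for e in events:
        user, ts, kind = e["user"], e["ts"], e["event"]
        if kind == "mfa.push.sent":
            q = sent[user]
            q.append(ts)
            while ts - q[0] > window:       # drop prompts that fell out of the window
                q.popleft()
            if len(q) == max_prompts + 1:   # fire once, at the moment the threshold is crossed
                storm_at[user] = ts
                alerts.append(("push_storm", user, ts, f"{len(q)} prompts within {window}"))
        elif kind == "mfa.push.approved":
            # An approval shortly after a storm is the attacker's win condition.
            if user in storm_at and ts - storm_at[user] <= window:
                alerts.append(("approve_after_storm", user, ts, "approval followed a push storm"))
            approvals[user].append((ts, e["geo"]))
        elif kind == "mfa.device.enrolled":
            # Baseline = countries this account approved from well before now, so an
            # approval coerced moments ago cannot launder the enrolling location.
            baseline = {geo for t, geo in approvals[user] if ts - t > window}
            if baseline and e["geo"] not in baseline:
                alerts.append(("enroll_new_geo", user, ts,
                               f"enrolled from {e['geo']}, baseline {sorted(baseline)}"))
    return alerts


def should_send_push(prompt_times, now, max_prompts=MAX_PROMPTS, window=WINDOW):
    """Enforcement counterpart: refuse to send another push once the account has
    already received max_prompts inside the window, so the storm never happens."""
    recent = [t for t in prompt_times if now - t <= window]
    return len(recent) < max_prompts


if __name__ == "__main__":
    for rule, user, ts, detail in detect(parse(SAMPLE_LOG)):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {rule:<20} {user:<12} {detail}")
```

Run against the sample, the script raises three alerts for `contractor1` (the storm at the fourth prompt, the approval 80 seconds later, and the enrollment from DE against a US baseline) and nothing for `alice`. The enrollment rule deliberately ignores approvals inside the current window: the approval the victim was just bullied into is exactly what an attacker would use to make the new location look established. `should_send_push` is the same window logic turned into a control; the LAPSUS$ members' own complaint was that "there is no limit on the number of calls that can be made".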
“Seeing an increasing amount of abuse of multi-factor authentication ‘push’ notifications,” Steve Elovitz, an incident responder at Mandiant, said on Twitter in February. “Attackers just spam it until users approve it. Suggest disabling push in favor of PIN, or something like @Yubico for simplicity. In the meantime, alert about the volume of push attempts per account.”
“Yubico” refers to the vendor of YubiKey hardware security keys, small USB or NFC devices that implement the FIDO2 protocol: the key signs a challenge issued by the site and returns the signed response to the application, so there is no remote prompt to approve and no code that a user can be talked into relaying. Following the Uber breach, Elovitz clarified that one-time passwords/codes (OTPs) are far from an ideal second factor, but they are better than push, and that FIDO2-compliant implementations are clearly the best option.
Beaumont also echoed the advice to disable MFA push notifications and advised Azure and Office 365 customers to enable Microsoft’s new “number matching” MFA policy. The number matching option, added this year, displays a number on the sign-in page and requires the user to type that number into their authenticator app before the prompt is approved. This is the reverse of the OTP method, where the user types a code generated by their mobile authenticator app into the sign-in page. It is also considerably more secure than a push notification the user only has to tap “Yes” on, or worse, a phone-call approval of the kind the LAPSUS$ members discussed placing in the middle of the night, because an approver who never saw the sign-in page cannot supply the number. It does not, however, protect a user who is talked into typing a number the attacker reads out to them over a call, as the Uber attacker did via WhatsApp, which is why phishing-resistant FIDO2 keys remain the stronger option.
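To make the difference concrete, here is a toy model of the server side of push MFA with number matching switched on and off, written for this article as an illustration; it is not Microsoft’s, Okta’s or any vendor’s implementation, and the two-digit code, 60-second prompt lifetime and challenge format are assumptions. A fatigue attack is simulated against both configurations (the victim taps “Approve” on every prompt without looking at any sign-in page), followed by the relayed-number variant in which the attacker reads the number to the victim over a call.

```python
import hmac
import secrets
import time


class PushMfaServer:
    """Toy server side of push MFA. With number_matching=False a bare tap on
    "Approve" completes the login; with it on, the app must return the number
    that was rendered on the sign-in page (assumed 2 digits, as in Microsoft's)."""

    def __init__(self, number_matching=True, digits=2, ttl_seconds=60):
        self.number_matching = number_matching
        self.digits = digits
        self.ttl = ttl_seconds
        self.pending = {}   # challenge_id -> (user, number_or_None, expires_at)

    def start_login(self, user, now=None):
        """Password accepted: create a single-use push challenge.
        Returns (challenge_id, number). The number goes ONLY to the sign-in
        page, never to the phone, so the approver must have seen that page."""
        now = time.time() if now is None else now
        number = secrets.randbelow(10 ** self.digits) if self.number_matching else None
        cid = secrets.token_hex(8)
        self.pending[cid] = (user, number, now + self.ttl)
        return cid, number

    def approve(self, cid, user, entered=None, now=None):
        """Response from the authenticator app. entered=None models a bare tap."""
        now = time.time() if now is None else now
        rec = self.pending.pop(cid, None)         # single use: a replay gets None
        if rec is None:
            return False
        owner, number, expires_at = rec
        if owner != user or now > expires_at:
            return False
        if number is None:
            return True                           # plain push: the tap is enough
        if entered is None:
            return False                          # number matching: a tap alone is rejected
        return hmac.compare_digest(str(entered).zfill(self.digits),
                                   str(number).zfill(self.digits))


def fatigue_attack(server, victim, attempts, now=0.0):
    """Attacker holding the victim's password fires prompts; the worn-down
    victim taps Approve on each one without looking at any sign-in page.
    Returns (attacker_logged_in, prompts_used)."""
    for i in range(attempts):
        cid, _number_on_attackers_screen = server.start_login(victim, now=now + i)
        if server.approve(cid, victim, entered=None, now=now + i):
            return True, i + 1
    return False, attempts


def relayed_number_attack(server, victim, now=0.0):
    """The Uber-style follow-up: the attacker can see the number on his own
    sign-in page, reads it to the victim over a call and asks them to type it."""
    cid, number = server.start_login(victim, now=now)
    return server.approve(cid, victim, entered=number, now=now + 1)


if __name__ == "__main__":
    print("plain push      :", fatigue_attack(PushMfaServer(number_matching=False), "contractor1", 100))
    print("number matching :", fatigue_attack(PushMfaServer(number_matching=True), "contractor1", 100))
    print("number relayed  :", relayed_number_attack(PushMfaServer(number_matching=True), "contractor1"))
```

With plain push the attacker is in on the first blind tap; with number matching all 100 blind taps fail, because the only place the number exists is the attacker's own browser. The third call shows the residual risk: once the attacker has the victim on the phone, the number can simply be dictated, so number matching converts a one-tap failure into a social-engineering problem rather than eliminating it. A FIDO2 key has no equivalent, since the signed assertion is bound to the site's origin and the victim has nothing they could read out.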
“When defending against MFA attacks of all kinds, it is important to mandate MFA whenever a personal profile is modified to prevent malicious actions from going undetected and to implement proactive reviews of risky events,” said Shay Nahari, VP of Red Team Services at CyberArk, in a blog post on recent techniques used in major social engineering attacks, including MFA fatigue. “Additionally, your SOC can leverage user behavior analysis to set contextual triggers that warn if abnormal behaviors are detected or block user authentication from suspicious IP addresses.”
Copyright © 2022 IDG Communications, Inc.