Multi-factor authentication fatigue attacks are on the rise: How to defend against them
Credential compromise has long been a leading cause of network security breaches, leading more and more organizations to use multi-factor authentication (MFA) as a defense. While enabling MFA for all accounts is highly recommended and a best practice, the implementation details are important as attackers find ways to circumvent them.
One of the most popular methods is to spam an employee whose credentials have already been compromised with MFA authorization requests until they get frustrated enough to approve one through their authenticator app. It’s a simple but effective technique that has come to be known as MFA fatigue, and it was also used in the recent Uber breach.
Uber, LAPSUS$ and previous breaches
Uber suffered a security breach last week that allowed a hacker to gain access to some of its internal systems, including G-Suite, Slack, OpenDNS and bug bounty platform HackerOne. As details about the hack came to light, some security researchers managed to speak to the hacker, who seemed willing to take responsibility and share some details on how the attack was carried out.
In a conversation shared on Twitter by security researcher Kevin Beaumont, the hacker said, “I was spamming [an] Employees with push authentication for over an hour. I then contacted him via WhatsApp claiming to be from Uber IT. Told him if he wants it to stop, he has to accept it. And well, he agreed and I added my device.”
Uber has since partially confirmed this information, explaining in an update on a security incident that the victim was an external Uber contractor who had their Uber credentials stolen after their device was infected with malware. The company believes the hacker likely bought the credentials from the dark web and initiated the MFA fatigue attack.
“The attacker then repeatedly attempted to log into the contractor’s Uber account,” the company said. “Each time, the contractor received a two-factor login permission request, which initially blocked access. Eventually, however, the contractor accepted one and the attacker successfully logged in.”
Uber also believes the attacker is linked to the LAPSUS$ ransomware group, which has been responsible for breaches at various tech companies this year, including Microsoft, Cisco, Samsung, Nvidia and Okta. In March 2022, London police arrested seven people, aged 16 to 21, for their alleged involvement with the group, and although LAPSUS$ activity has slowed since then, many researchers believe the group may have more branches and members.
Uber said LAPSUS$ used similar techniques against its previous victims. In fact, the Okta breach claimed by LAPSUS$ was achieved by attacking a support engineer working for an outside technical support provider called Sykes Enterprises, a Sitel subsidiary. The incident was discovered when the attackers attempted to add a new authentication factor to the technician’s account from a new location and the request was denied. While it is not clear whether MFA fatigue was attempted in this case, Telegram screenshots show LAPSUS$ members discussing the technique.
“Login with a smart card has no MFA,” says one member to another. “Password sign-in issues MFA through a phone call or authenticator app. However, there is no limit to the number of calls that can be made. Call the employee 100 times at 1am while they are trying to sleep and they will most likely accept. Once the agent answers the first call, you can access the MFA enrollment portal and enroll another device.”
“Even Microsoft!” says another user. “Can log into an employee’s Microsoft VPN from Germany and the US at the same time without them seeming to notice. Also, it was possible to re-register MFA twice.”
How MFA fatigue exploits the human factor
Like social engineering, these MFA spam attacks rely on users’ lack of training and understanding of attack vectors. Getting MFA right is a balancing act. Strict session invalidation often results in frequent MFA prompts, and employees may tire of them or see them as overkill – just one more thing to click through to continue their work. Then, when an MFA fatigue attack occurs and they are flooded with push notifications, they may simply assume that the already annoying system is malfunctioning and accept the notification as they have many times before.
“Many MFA users are unfamiliar with this type of attack and would not understand that they are authorizing a fraudulent notification,” researchers at security firm GoSecure said in a blog post earlier this year. “Others just want it to go away and are just not aware of what they are doing as they are constantly approving similar notifications. They can’t see through the ‘notification overload’ to spot the threat.”
On the other hand, if MFA policies are too lax, authenticated sessions are long-lived, IP changes don’t trigger new prompts, new MFA device registrations don’t trigger alerts, and organizations run the risk of never being notified when something like an authentication token that has already passed the MFA check is stolen. Although Okta was breached, there is something positive to learn from the incident: some of the company’s MFA policies worked, and an alert was raised when the hackers attempted to register a new MFA device for the account.
How to mitigate MFA fatigue attacks
Enterprises must both train their employees to detect these new attacks and put in place technical controls to reduce the potential for MFA abuse. Limiting available MFA methods, enforcing rate limits on MFA requests, and detecting location changes for authenticated users can mitigate some of these risks. If some authentication providers don’t offer these controls, customers should ask for them.
“In the face of increasing abuse of MFA instant ‘push’ notifications,” Steve Elovitz, an incident responder at Mandiant, said on Twitter in February, “attackers just spam it until users agree. Suggest disabling push in favor of pin or something like @Yubico for simplicity. In the meantime, warn about the number of push attempts per account.”
“Yubico” refers to physical devices such as USB security keys that use the FIDO2 authentication protocol to validate authentication requests and transmit them to the application in a secure manner. After the latest Uber breach, Elovitz clarified that one-time passwords/pins (OTPs) are far from an ideal second factor, but they are better than push, and that FIDO2-compliant implementations are clearly the best option.
Beaumont also reiterated the advice to turn off MFA push notifications and advises Azure and Office 365 customers to enable Microsoft’s new MFA policy, “Number Matching.” The number matching option, added this year, requires the user to enter a number shown on the authentication page into their authenticator app. This is the reverse of the OTP method, where the user enters a code generated by their mobile authenticator app into the authentication page. It’s also much more secure than a process that simply triggers a push notification on the user’s phone on which they just have to tap “yes,” or worse, calls them in the middle of the night as the LAPSUS$ attackers suggested.
“When protecting against MFA attacks of any type, it’s important to engage MFA whenever a personal profile is modified to prevent malicious actions from going unnoticed and to set up proactive reviews of risky events,” said Shay Nahari, VP Red Team Services at CyberArk in a blog post about current techniques used in large scale social engineering attacks, including MFA fatigue. “Additionally, your SOC can leverage user behavior analysis to set contextual triggers that notify when anomalous behavior is detected or block user authentication from suspicious IP addresses.”
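The per-account push-count alerting Elovitz suggests and the contextual triggers Nahari describes can be prototyped as a small detector over MFA logs. The following is an added example, not code from the article or from any vendor mentioned in it; the log format (timestamp, user, prompt outcome, source country) and the thresholds are assumptions, and the log lines are constructed.

```python
"""Flag MFA push-fatigue patterns in an authentication log (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

PUSH_THRESHOLD = 5              # prompts to one user within WINDOW before alerting
WINDOW = timedelta(minutes=10)  # sliding window for counting prompts

# Constructed sample log: "<timestamp> <user> <outcome> <source country>"
SAMPLE_LOG = """\
2022-09-14T09:00:00Z alice approved US
2022-09-14T09:05:00Z bob approved US
2022-09-15T01:02:11Z alice denied DE
2022-09-15T01:03:40Z alice denied DE
2022-09-15T01:04:52Z alice timeout DE
2022-09-15T01:05:30Z alice denied DE
2022-09-15T01:06:15Z alice denied DE
2022-09-15T01:07:48Z alice denied DE
2022-09-15T01:09:02Z alice approved DE
"""

def parse_line(line):
    ts, user, outcome, country = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, outcome, country

def detect_fatigue(lines, threshold=PUSH_THRESHOLD, window=WINDOW):
    """Return a list of alert dicts for push bursts, approvals that follow a
    burst of rejected/ignored prompts, and approvals from a previously unseen
    country (a cheap stand-in for a full behavioral baseline)."""
    events = defaultdict(list)  # user -> [(ts, outcome, country)]
    for line in lines:
        if line.strip():
            ts, user, outcome, country = parse_line(line)
            events[user].append((ts, outcome, country))
    alerts = []
    for user, evs in events.items():
        recent, known_countries, burst_alerted = [], set(), False
        for ts, outcome, country in sorted(evs):
            recent = [e for e in recent if ts - e[0] <= window] + [(ts, outcome, country)]
            if len(recent) >= threshold:
                if not burst_alerted:  # alert once per burst, not once per prompt
                    alerts.append({"user": user, "kind": "push_burst", "count": len(recent), "at": ts})
                burst_alerted = True
            else:
                burst_alerted = False
            if outcome == "approved":
                rejected = sum(1 for e in recent if e[1] != "approved")
                if rejected >= threshold:  # the classic fatigue signature
                    alerts.append({"user": user, "kind": "approval_after_burst", "rejected_before": rejected, "at": ts})
                if known_countries and country not in known_countries:
                    alerts.append({"user": user, "kind": "new_country_approval", "country": country, "at": ts})
                known_countries.add(country)
    return alerts
```

Running `detect_fatigue(SAMPLE_LOG.splitlines())` raises three alerts for `alice` (a burst, an approval after six rejected prompts, and an approval from a country she never approved from before) and none for `bob`.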
Copyright © 2022 IDG Communications, Inc.