Multi-factor authentication (MFA) is one of the most effective basic defenses against account takeover. In addition to requiring a username and password, MFA ensures that users must also present an additional factor, be it a fingerprint, a physical security key or a one-time password, before they can access an account. Nothing in this article should be taken to mean that MFA is anything but essential.
That said, some forms of MFA are stronger than others, and recent events show that the weaker forms aren’t much of an obstacle for some hackers to overcome. In recent months, both suspected script kiddies like the Lapsus$ data extortion gang and elite Russian state threat actors (like Cozy Bear, the group behind the SolarWinds hack) have managed to overcome the protection.
Enter MFA bombing
The strongest forms of MFA are based on a framework called FIDO2, which was developed by a consortium of companies to balance security and ease of use. It gives users the option of using fingerprint readers or cameras built into their devices or dedicated security keys to confirm that they are authorized to access an account. FIDO2 forms of MFA are relatively new, so many consumer services and large organizations have yet to adopt them.
This is where the older, weaker forms of MFA come in. They include one-time passwords sent via text message or generated by mobile apps such as Google Authenticator or push prompts sent to a mobile device. When someone signs in with a valid password, they must also type the one-time password in a field on the sign-in screen or press a button displayed on their phone screen.
It is this latter form of authentication that, according to recent reports, is being circumvented. One group using this technique, according to security firm Mandiant, is Cozy Bear, a group of elite hackers working for the Russian Foreign Intelligence Service. The group also goes by the names of Nobelium, APT29 and the Dukes.
“Many MFA providers allow users to accept a phone app push notification or receive a phone call and press a key as a second factor,” Mandiant researchers wrote. “The threat actor [Nobelium] took advantage of this and sent multiple MFA requests to the end user’s legitimate device until the user accepted the authentication, eventually allowing the threat actor access to the account.”
Lapsus$, a hacking gang that has hacked into Microsoft, Okta, and Nvidia in recent months, has also used this technique.
“There is no limit on the number of calls that can be made,” wrote a Lapsus$ member on the group’s official Telegram channel. “Call the employee 100 times at 1am while they’re trying to sleep, and they’ll most likely accept it. Once the employee accepts the initial call, you can go to the MFA enrollment portal and enroll another device.”
The Lapsus$ member claimed the MFA bombing technique was effective against Microsoft, which earlier this week said the hacking group gained access to the laptop of one of its employees.
“Even Microsoft!” the person wrote. “Able to connect to an employee’s Microsoft VPN from Germany and the US at the same time and they didn’t even seem to notice. I was also able to re-enroll in the MFA twice.”
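The pattern Mandiant describes above (repeated prompts to a legitimate device until one is accepted) and the follow-on step the Lapsus$ post mentions (enrolling another device once a prompt is accepted) both leave a distinctive trace in identity-provider logs. The following is an added detection example, not code from Mandiant, Lapsus$ or this article: it runs over a constructed sample log with hypothetical event names (`push_sent`, `push_denied`, `push_timeout`, `push_approved`, `mfa_device_enrolled`) that would need to be mapped to a real IdP's own event types, and the thresholds are illustrative assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Illustrative thresholds (assumptions, tune to your environment).
BURST_WINDOW = timedelta(minutes=10)   # look-back for counting prompts per user
BURST_THRESHOLD = 5                    # this many prompts in the window => "push_burst"
FATIGUE_MIN_REJECTED = 3               # rejected/expired prompts right before an approval
ENROLL_WINDOW = timedelta(minutes=30)  # device enrolled this soon after such an approval

# Constructed sample log, not real telemetry: (UTC timestamp, user, event).
# "alice" receives six prompts in five minutes, approves the last one, then
# enrolls a new MFA device; "bob" is an ordinary single-prompt sign-in.
SAMPLE_LOG = [
    ("2022-03-25T01:00:00Z", "alice", "push_sent"),
    ("2022-03-25T01:00:30Z", "alice", "push_timeout"),
    ("2022-03-25T01:01:00Z", "alice", "push_sent"),
    ("2022-03-25T01:01:30Z", "alice", "push_denied"),
    ("2022-03-25T01:02:00Z", "alice", "push_sent"),
    ("2022-03-25T01:02:30Z", "alice", "push_timeout"),
    ("2022-03-25T01:03:00Z", "alice", "push_sent"),
    ("2022-03-25T01:03:30Z", "alice", "push_timeout"),
    ("2022-03-25T01:04:00Z", "alice", "push_sent"),
    ("2022-03-25T01:04:30Z", "alice", "push_timeout"),
    ("2022-03-25T01:05:00Z", "alice", "push_sent"),
    ("2022-03-25T01:05:10Z", "alice", "push_approved"),
    ("2022-03-25T01:20:00Z", "alice", "mfa_device_enrolled"),
    ("2022-03-25T02:00:00Z", "bob", "push_sent"),
    ("2022-03-25T02:00:05Z", "bob", "push_approved"),
]


def parse_ts(s):
    """Parse the ISO-8601 'Z' timestamps used in the sample log."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_mfa_fatigue(log):
    """Return findings as (rule, user, timestamp, count) tuples.

    Rules:
      push_burst               - BURST_THRESHOLD prompts to one user within BURST_WINDOW
      approval_after_fatigue   - an approval preceded by >= FATIGUE_MIN_REJECTED
                                 rejected/expired prompts in the window
      enrollment_after_fatigue - a new MFA device enrolled within ENROLL_WINDOW
                                 of such an approval
    """
    events = sorted(((parse_ts(t), u, e) for t, u, e in log), key=lambda x: x[0])
    recent = defaultdict(deque)   # user -> (ts, event) pairs inside BURST_WINDOW
    last_fatigue_approval = {}    # user -> ts of most recent suspicious approval
    burst_reported = set()        # users already flagged for the current burst
    findings = []

    for ts, user, event in events:
        window = recent[user]
        while window and ts - window[0][0] > BURST_WINDOW:
            window.popleft()      # drop events that aged out of the look-back
        window.append((ts, event))

        if event == "push_sent":
            prompts = sum(1 for _, e in window if e == "push_sent")
            if prompts >= BURST_THRESHOLD:
                if user not in burst_reported:
                    findings.append(("push_burst", user, ts, prompts))
                    burst_reported.add(user)
            else:
                burst_reported.discard(user)   # window quietened; allow a new alert later
        elif event == "push_approved":
            rejected = sum(1 for _, e in window if e in ("push_denied", "push_timeout"))
            if rejected >= FATIGUE_MIN_REJECTED:
                findings.append(("approval_after_fatigue", user, ts, rejected))
                last_fatigue_approval[user] = ts
        elif event == "mfa_device_enrolled":
            t0 = last_fatigue_approval.get(user)
            if t0 is not None and ts - t0 <= ENROLL_WINDOW:
                minutes = int((ts - t0).total_seconds() // 60)
                findings.append(("enrollment_after_fatigue", user, ts, minutes))
    return findings


if __name__ == "__main__":
    for rule, user, ts, count in detect_mfa_fatigue(SAMPLE_LOG):
        print(f"{ts.isoformat()} {rule:<26} user={user} count={count}")
```

The third rule is the one worth escalating fastest: a device enrollment minutes after an approval that followed a string of ignored prompts is exactly the sequence the quoted post describes, and it converts a one-off lapse into persistent access. The first rule also points at the obvious preventive control implied by "there is no limit on the number of calls": the provider or tenant should cap how many prompts a single user can be sent in a short window.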
Mike Grover, a vendor of red-team hacking tools for security professionals and a red-team consultant who goes by the Twitter handle _MG_, told Ars that the technique is “basically a single method that takes many forms: tricking the user into acknowledging an MFA request. ‘MFA Bombing’ quickly became a descriptor, but it misses the most stealthy methods.”