Multi-factor authentication fatigue attacks are on the rise: How to defend against them

LAPSUS$ is just one cybercriminal group that has breached networks of large companies such as Uber and Microsoft by spamming employees with MFA authentication requests.

Credential compromise has been one of the top causes for network security breaches for a long time, which has prompted more organizations to adopt multi-factor authentication (MFA) as a defense. While enabling MFA for all accounts is highly encouraged and a best practice, the implementation details matter because attackers are finding ways around it.

One of the most popular ways is spamming an employee whose credentials have been compromised with MFA authorization requests until they become annoyed and approve the request through their authenticators app. It's a simple yet effective technique that has become known as MFA fatigue and was also used in the recent Uber breach.

Uber, LAPSUS$ and past breaches

Uber suffered a security breach last week where a hacker managed to access some of its internal systems, including G-Suite, Slack, OpenDNS and HackerOne bug bounty platform. As details about the hack were coming to light, some security researchers managed to speak to the hacker who seemed eager to take responsibility and share some of the details about how the attack was performed.

In one conversation shared on Twitter by security researcher Kevin Beaumont, the hacker said: "I was spamming [an] employee with push auth for over an hour. I then contacted him on WhatsApp and claimed to be from Uber IT. Told him if he wants it to stop he must accept it. And well, he accepted and I added my device."

Uber has since partially confirmed this information, saying in a security incident update that the victim was an external Uber contractor who had his Uber credentials stolen after their device was infected with malware. The company believes the hacker likely bought the credentials from the dark web and initiated the MFA fatigue attack.

"The attacker then repeatedly tried to log into the contractor’s Uber account," the company said. "Each time, the contractor received a two-factor login approval request, which initially blocked access. Eventually, however, the contractor accepted one, and the attacker successfully logged in."

Uber also believes the attacker is associated with the extortion group LAPSUS$, which has been responsible for breaches at various technology companies this year including Microsoft, Cisco, Samsung, Nvidia, and Okta. In March 2022, London police arrested seven individuals aged 16 to 21 for their alleged involvement with the group and while the LAPSUS$ activity has since slowed down, many researchers believed the group might have more branches and members.

Uber said that LAPSUS$ has used similar techniques against its past victims. Indeed, the Okta breach which has been claimed by LAPSUS$ was achieved by targeting a support engineer working for an external technical support provider called Sykes Enterprises, a subsidiary of Sitel. The incident was detected when attackers attempted to add a new authentication factor to the engineer's account from a new location and the request was declined. While it's not clear if MFA fatigue was attempted in that case, Telegram screenshots show LAPSUS$ members discussing the technique.

"Signin with smartcard doesn't have any MFA," one of the members tells another one. "Signin with password will issue MFA through a phone call or authentication app. However, no limit is placed on the amount of calls that can be made. Call the employee 100 times at 1am while he is trying to sleep and he will more than likely accept it. Once the employee accepts the initial call, you can access the MFA enrollment portal and enroll another device."

"Even Microsoft!," another user says. "Able to login to an employee's Microsoft VPN from Germany and the USA at same time and they didn't even seem to notice. Also was able to re-enroll MFA twice."

How MFA fatigue exploits the human factor

Like social engineering, these MFA spam attacks bank on users' lack of training and understanding of attack vectors. Getting MFA right is a balancing act. Being strict and invalidating sessions often will generate frequent MFA prompts and employees might grow tired of them or view them as excessive -- just something new to click through to resume their work. Then when MFA fatigue attacks happen and they're spammed with a large number of push notifications, they might just assume the already annoying system is malfunctioning and they'll accept the notification like they did many times before.

"Many MFA users are not familiar with this type of attack and would not understand they are approving a fraudulent notification," researchers from security firm GoSecure said in a blog post earlier this year. "Others just want to make it disappear and are simply not aware of what they are doing since they approve similar notifications all the time. They can’t see through the ‘notification overload’ to spot the threat."

On the other hand, if the MFA policies are too lax, then authenticated sessions are long-lived, IP changes don't trigger new prompts, new MFA device enrollments don't trigger warnings, and organizations risk not being alerted when something like an authentication token that already passed the MFA check has been stolen. While Okta was temporarily breached, there is something positive to learn from the incident. Some of the company's MFA policies worked and an alert was triggered when hackers attempted to enroll a new MFA device to the account.

How to mitigate MFA fatigue attacks

Organizations need to both train their employees to spot these new attacks and put technical controls in place to lower the potential for MFA abuse. Restricting available MFA methods, enforcing rate limits for MFA requests, detecting location changes for authenticated users can mitigate some of these risks. If some authentication providers don't offer these controls, customers should ask for them.

"Seeing an increasing amount of abuse of MFA prompt 'push' notifications," Steve Elovitz, an incident responder with Mandiant, said on Twitter in February. "Attackers are simply spamming it until the users approve. Suggest disabling push in favor of pin, or something like @Yubico for simplicity. In the meantime, alert on volume of push attempts per account."

“Yubico” refers to physical devices such as USB thumb drives that use the FIDO2 authentication protocol to validate authentication requests and transmit them to the application in a secure way. Following the new Uber breach, Elovitz clarified that one-time passwords/pins (OTPs) are far from an ideal second factor, but they are better than push and that FIDO2-compliant implementations are obviously the best option.

Beaumont has also echoed the advice to disable MFA push notifications and advises Azure and Office 365 customers to enable Microsoft's new "number-matching" MFA policy. The number-matching option, which was added this year, requires the user to input a number they received on the authentication page into their authenticator app. This is the reverse of the OTP method where the user types a code generated by their mobile authenticator app into the authentication page. It's also much safer than the authentication process triggering a push notification on the user's phone that they just need to click “Yes”, or worse, calling them in the middle of the night as the LAPSUS$ attackers suggested.

"When protecting against MFA attacks of all sorts, it’s important to mandate MFA anytime a personal profile is changed to keep malicious actions from going unnoticed, and set up proactive reviews of risky events," Shay Nahari, VP red team services at CyberArk, said in a blog post about recent techniques used in major social engineering attacks, including MFA fatigue. "Additionally, your SOC can leverage user behavior analytics to set contextual triggers that notify if anomalous behaviors are detected, or block user authentication from suspicious IP addresses."

Copyright © 2022 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)