Multi-factor authentication (MFA) is one of the most effective defenses against account takeover. Beyond a username and password, MFA requires an additional factor, such as a fingerprint, a physical security key or a one-time password, before the account can be accessed. Nothing in this article should be construed as saying that MFA is not essential.
That said, some forms of MFA are stronger than others, and recent events show that the weaker forms are not a serious obstacle for some attackers. Over the past few months, both the Lapsus$ data extortion gang, suspected of being made up of script kiddies, and elite Russian state threat actors (such as Cozy Bear, the group behind the SolarWinds hack) have successfully defeated this protection.
Enter MFA prompt bombing
The strongest form of MFA is FIDO2, developed by a consortium of companies to balance security with ease of use. It lets users prove they are authorized to access an account using the device's built-in fingerprint reader or camera, or a dedicated security key. FIDO2-based MFA is relatively new, and many services for both consumers and large organizations have yet to adopt it.
This is where the older, weaker forms of MFA come in. They include one-time passwords sent via SMS or generated by mobile apps such as Google Authenticator, and push prompts sent to a mobile device. When someone logs in with a valid password, they must also enter the one-time password into a field on the login screen or tap a button displayed on their phone.
According to recent reports, it is this last form of authentication that is being bypassed. One group using the technique, according to security company Mandiant, is Cozy Bear, an elite group of hackers working for the Russian foreign intelligence service. The group is also tracked under the names Nobelium, APT29 and the Dukes.
“Many MFA providers allow users to accept phone app push notifications or answer calls and press keys,” Mandiant researchers wrote. “The [Nobelium] threat actor used this to issue multiple MFA requests to the end user’s legitimate device until the user accepted the authentication, allowing the threat actor to eventually gain access to the account.”
A member of Lapsus$ wrote on the group’s official Telegram channel: “There is no limit to the number of calls you can make. If you call an employee 100 times at 1:00 in the morning when they are about to go to sleep, they will accept it. Once the employee accepts the initial call, you can access the MFA enrollment portal and enroll other devices.”
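The pattern described in the two quotes above, a burst of push prompts followed by an approval and then a new-device enrollment, is detectable from an identity provider's authentication events. The following detector is an added example, not code from the article or from any vendor; the log layout, event names and thresholds are assumptions for illustration.

```python
"""Flag MFA push-fatigue bursts in authentication logs (added example, not from
the article; log layout, event names and thresholds are assumptions)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, user, event, result.
# mfa_push results: approved / denied / timeout; mfa_enroll = new MFA device.
SAMPLE_LOG = """\
2022-03-29T01:02:10Z alice mfa_push timeout
2022-03-29T01:02:41Z alice mfa_push denied
2022-03-29T01:03:15Z alice mfa_push timeout
2022-03-29T01:03:50Z alice mfa_push timeout
2022-03-29T01:04:22Z alice mfa_push approved
2022-03-29T01:06:05Z alice mfa_enroll new_device
2022-03-29T09:15:00Z bob mfa_push approved
2022-03-29T13:40:00Z bob mfa_push denied
2022-03-29T13:40:30Z bob mfa_push approved
"""

WINDOW = timedelta(minutes=10)        # assumed: prompts this close form one burst
BURST = 4                             # assumed: prompts per window that count as a burst
ENROLL_GRACE = timedelta(minutes=30)  # assumed: enrollment this soon after approval escalates


def parse(log: str) -> dict:
    """Group (timestamp, event, result) tuples by user."""
    by_user = defaultdict(list)
    for line in log.splitlines():
        ts, user, event, result = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        by_user[user].append((when, event, result))
    return by_user


def detect_push_fatigue(log: str) -> dict:
    """Return {user: severity}: 'medium' for a burst of push prompts, 'high' when
    an approval inside the burst is followed by a new-device enrollment."""
    alerts = {}
    for user, events in parse(log).items():
        pushes = [(t, r) for t, e, r in events if e == "mfa_push"]
        enrolls = [t for t, e, _ in events if e == "mfa_enroll"]
        for i, (start, _) in enumerate(pushes):
            burst = [p for p in pushes[i:] if p[0] - start <= WINDOW]
            if len(burst) < BURST:
                continue
            approvals = [t for t, r in burst if r == "approved"]
            escalated = any(timedelta(0) <= en - ap <= ENROLL_GRACE
                            for ap in approvals for en in enrolls)
            alerts[user] = "high" if escalated else alerts.get(user, "medium")
    return alerts
```

On the constructed log, alice's five prompts in two minutes followed by an enrollment produce a high-severity alert, while bob's ordinary logins produce none; the thresholds need tuning to each environment's normal prompt volume.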
A Lapsus$ member claimed the MFA prompt bombing technique had been effective against Microsoft; earlier this week the hacking group was able to gain access to the laptop of one of the company's employees.
“Even Microsoft!” the member wrote. “We were able to log into an employee’s Microsoft VPN from Germany and the US at the same time, and they didn’t seem to notice. We were also able to re-enroll MFA twice.”
Mike Grover, a red team consultant and seller of red team hacking tools for security professionals who goes by _MG_ on Twitter, told Ars the technique is “essentially a single method that takes many forms. In other words, it tricks the user into confirming the MFA request. ‘MFA Bombing’ quickly became a descriptor, but it misses the stealthier approaches.”
Nefarious methods for getting past multi-factor authentication are growing in number.