What is Multi-Factor Authentication? And how does it work?
Multi-factor authentication typically requires a combination of at least two of: something the user knows (a PIN or a secret question), something the user has (a card or a token) and something the user is (a fingerprint or another biometric). Businesses as well as individuals should implement MFA wherever possible. Some MFA options include, but are not limited to:
- Physical token
- Random pin
- Biometrics / fingerprint
- Authenticator app
Multi-factor authentication fatigue was a key factor in breaches of large companies such as Uber; how can you avoid it?
Earlier this week, Uber disclosed that the recent breach it suffered was made possible through a multi-factor authentication (MFA) fatigue attack where the attacker disguised themselves as Uber IT.
MFA fatigue attacks are a form of social engineering that consists of spamming a target with repeated MFA requests until they eventually authorize access. This kind of attack is possible when the threat actor has obtained corporate login credentials but cannot access the account because of multi-factor authentication.
How to mitigate MFA fatigue and learn from the Uber breach for additional protection
Step 1: Stolen credentials
It all starts with stolen credentials. Obtaining them is far from difficult: they can be collected through phishing attacks, malware or data breaches. On dark web marketplaces, credentials can be purchased for various types of companies and large enterprises. With a few hours of research it is easy to find the places on the dark web where passwords are sold. And yes, that includes the larger enterprises.
Hopefully, all companies are protected at least with MFA, which makes the initial abuse a little harder. If you are reading this blog and have no MFA configured, please enable it as soon as possible and don't wait until the organization is breached for the first time. Without MFA it is only a matter of time until things go wrong.
Step 2: MFA bypass/ Social engineering
Companies are currently adopting multi-factor authentication at scale to prevent threat actors from accessing user accounts without an additional verification step. Nevertheless, multiple methods are available to bypass multi-factor authentication:
- Stealing session cookies via malware
- Man-in-the-middle phishing attacks (Evilginx2)
Step 3: Access internal sources/ Cloud sources
Once access has been obtained through one of the MFA bypass methods, the attacker moves on to searching for internal resources that can be used to reach even more resources.
For cloud-only environments (ideas an attacker uses to get more access):
- Check whether Okta is used
- Check for privileged identity tooling
- Look for additional connected applications (password tooling/ key safes)
For on-premises environments (ideas an attacker uses to get more access):
- Connect with VPN
- Sometimes SharePoint or other intranet software is searched for VPN/ remote access manuals
When the VPN can be activated with the collected account, the attacker can discover more and scan the complete intranet.
Step 4: Discovery of the network
Step 4 is the initial discovery of the network. Once there is access to cloud resources and on-premises intranet resources, the discovery can start: searching for scripts, passwords and additional credentials that give access to other tooling.
The existing VPN access is used to pivot into the internal network. The internal network is often significantly less audited and evaluated than external infrastructure. In comparison, a cloud platform such as Azure offers more built-in protection tooling. In all cases, don't trust the defaults and audit every possible way of access to internal, external and cloud environments.
During the discovery, the attacker found an internal network share where scripts containing privileged credentials were published. One of the PowerShell scripts contained the username and password for a Privileged Access Management (PAM) tool (Thycotic), which gave access to other useful resources (Duo, OneLogin, Slack, the EDR portal (SentinelOne), AWS, GSuite, and many more).
Some of these apps may require MFA again; here the attacker registered a new phone, so that the authentication could be approved without the employee.
What is MFA fatigue?
MFA fatigue (MITRE ATT&CK T1621) is not new and is used by many threat groups, for example Lapsus$ and Cozy Bear. Its use is rising: it is used more and more often to gain access to corporate accounts and breach networks, and MFA fatigue is now part of the mainstream attacker toolbox.
MFA fatigue refers to the overload of prompts the victim receives via MFA applications. The technique works when the threat actor already has credentials for the targeted account. Phishing, brute forcing, data breaches, password spraying, dark web purchases and many other techniques can be used to obtain the initial credentials.
Once the credentials are available, the threat actor repeatedly starts sign-ins that trigger approval requests in the MFA application, with the goal of overloading the user with MFA prompts and waiting until the user approves one. When the user does not approve the initial MFA notifications, social engineering is used: the attacker messages the user via e-mail, Teams or WhatsApp, posing as an IT support employee or IT administrator, and asks them to approve the MFA request.
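The pattern just described (a burst of denied or unanswered push prompts, then an approval) is exactly what a defender can hunt for in sign-in logs. The detection below is an added example, not code from the original post or from any vendor; the log lines are constructed (a generic schema with a per-event `mfa_result`, not the real Azure AD sign-in log format), and the 10-minute window and threshold of 4 prompts are assumptions to tune per environment.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real log data), one JSON object per line.
# mfa_result: "denied" (user pressed Deny), "timeout" (no answer) or "approved".
SAMPLE_LOG = """
{"ts": "2022-09-15T22:01:05Z", "user": "jdoe", "ip": "203.0.113.10", "mfa_result": "denied"}
{"ts": "2022-09-15T22:01:40Z", "user": "jdoe", "ip": "203.0.113.10", "mfa_result": "timeout"}
{"ts": "2022-09-15T22:02:12Z", "user": "jdoe", "ip": "203.0.113.10", "mfa_result": "denied"}
{"ts": "2022-09-15T22:03:03Z", "user": "jdoe", "ip": "203.0.113.10", "mfa_result": "denied"}
{"ts": "2022-09-15T22:04:30Z", "user": "jdoe", "ip": "203.0.113.10", "mfa_result": "timeout"}
{"ts": "2022-09-15T22:09:55Z", "user": "jdoe", "ip": "203.0.113.10", "mfa_result": "approved"}
{"ts": "2022-09-15T22:05:00Z", "user": "asmith", "ip": "198.51.100.7", "mfa_result": "denied"}
{"ts": "2022-09-15T22:06:10Z", "user": "asmith", "ip": "198.51.100.7", "mfa_result": "approved"}
"""

WINDOW = timedelta(minutes=10)   # assumed sliding window
THRESHOLD = 4                    # assumed number of unanswered/denied prompts

def parse_events(text):
    """Parse JSON lines into dicts with a datetime timestamp, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])

def detect_mfa_fatigue(events, window=WINDOW, threshold=THRESHOLD):
    """Return alerts: one per user for a prompt burst, plus any approval that follows one."""
    recent = defaultdict(deque)   # user -> timestamps of recent denied/timeout prompts
    burst_flagged = set()
    alerts = []
    for e in events:
        q = recent[e["user"]]
        while q and e["ts"] - q[0] > window:   # drop prompts outside the window
            q.popleft()
        if e["mfa_result"] in ("denied", "timeout"):
            q.append(e["ts"])
            if len(q) >= threshold and e["user"] not in burst_flagged:
                burst_flagged.add(e["user"])
                alerts.append(("mfa_prompt_burst", e["user"], len(q)))
        elif e["mfa_result"] == "approved" and len(q) >= threshold:
            # An approval right after a burst is the signature of a successful fatigue attack.
            alerts.append(("approval_after_burst", e["user"], e["ip"]))
    return alerts

if __name__ == "__main__":
    for alert in detect_mfa_fatigue(parse_events(SAMPLE_LOG)):
        print(alert)
```

The `approval_after_burst` alert is the one worth paging on: the user first denied or ignored a run of prompts and then approved, which is what the Uber attacker waited for.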
Protect against stolen credentials
There are multiple products available for protecting passwords and scanning for stolen or compromised passwords.
First some basics:
- Don't forget to enable a strong password policy across all systems and applications. When attackers cannot guess your strong password, they cannot send you repeated MFA requests.
- Disable legacy authentication (protocols that cannot enforce MFA)
Azure AD Password Protection
Azure AD Password Protection supports different protections and can be used to prevent users from picking poor, easily guessable or compromised passwords.
Microsoft maintains a global banned password list of passwords that are too common. For safety reasons this list is not published; in Azure AD Password Protection it is also possible to add custom banned passwords.
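An added worked example, not from the original post and not Microsoft's code: a simplified model of the evaluation Microsoft documents for Azure AD Password Protection (lowercase and common character substitutions, then one point per banned term found and one point per remaining character, with five points needed to pass). The banned lists are constructed stand-ins, since the global list is not published, and the real service's fuzzy (edit-distance) matching is omitted; it shows why a password such as "P@$$w0rd" is rejected even though it satisfies a typical complexity policy.

```python
# Constructed stand-in for the unpublished global list plus a tenant's custom list.
GLOBAL_BANNED = ["password", "welcome", "summer", "qwerty"]
CUSTOM_BANNED = ["contoso", "blank"]

# Common substitutions undone during normalization (as documented by Microsoft).
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a"})

def normalize(password):
    """Lowercase the password and undo the leetspeak substitutions."""
    return password.lower().translate(SUBSTITUTIONS)

def evaluate(password, banned=None):
    """Model of the documented scoring.

    Each banned term found in the normalized password scores 1 point, each
    remaining character scores 1 point; fewer than 5 points is rejected.
    """
    if banned is None:
        banned = GLOBAL_BANNED + CUSTOM_BANNED
    text = normalize(password)
    matched = []
    # Longest terms first so a long banned word is not split into shorter matches.
    for term in sorted(banned, key=len, reverse=True):
        n = text.count(term)
        if n:
            matched += [term] * n
            text = text.replace(term, "#")   # whole banned term collapses to 1 point
    points = len(text)
    return {"points": points, "matched": matched, "accepted": points >= 5}

if __name__ == "__main__":
    for candidate in ["P@$$w0rd", "C0ntoS0Blank12", "ContoS0Bl@nkf9!", "Xk7!qpLm2v"]:
        print(candidate, evaluate(candidate))
```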