MFA Prompt-Bombing
Shedding light on techniques to abuse MFA, Ars Technica reports of a tactic known as MFA prompt-bombing. The tactic is used by threat groups Lapsus$ and APT29 (aka Nobelium, Dukes and Cozy Bear) to bypass MFA protection. MFA prompt-bombing affects older forms of MFA, ones that have been adopted prior to the latest FIDO2 framework. Attackers take advantage of MFA implementations that allow authentication through "push a button" verification on the user's MFA device. The technique has been used by APT29 in the previous SolarWinds compromise and Lapsus$ in their latest strings of data breaches; it was noted the Microsoft breach was achieved through this technique as well. Mandiant's explanation of the attack based on the SolarWinds compromise is “The [Nobelium] threat actor took advantage of this and issued multiple MFA requests to the end user’s legitimate device until the user accepted the authentication, allowing the threat actor to eventually gain access to the account.” Threat actors abuse this method in various ways, either slow and subtle notifications, or a full bombardment of calls that bother the user during their sleep hours. As detailed in a Lapsus$ Telegram chat, “Call the employee 100 times at 1 am while he is trying to sleep, and he will more than likely accept it. Once the employee accepts the initial call, you can access the MFA enrollment portal and enroll another device.” FIDO2 implementation is not the full solution however, the string of compromises to large technology organizations should be a concern for any company and a continued reminder of the importance of a strong security framework.