
The Rise of MFA Fatigue Attacks

24 October 2022

Within the last month, Sapphire has been tracking a trending attack vector known as ‘Multifactor Authentication (MFA) Fatigue’ (MITRE ID: T1621).

Several high-profile organisations, including Cisco Talos, Microsoft, and Uber, have been breached by threat actors who have successfully utilised this technique. Whilst MFA plays a significant part in strengthening an organisation’s cybersecurity posture, it is not a ‘silver bullet’.

Organisations of all sizes should be aware of this technique and how Managed Security Service Providers, like Sapphire, can assist with detection and prevention.

Research conducted by Microsoft concerning these attacks found that 1% of users would ‘blindly’ accept the first MFA push notification they receive on their mobile, regardless of whether it was the legitimate account owner who triggered it. Data shows that in August of 2022, 40,942 MFA Fatigue attacks were recorded, the most significant volume of any given month over the last two years.

What is MFA Fatigue?

MFA Fatigue is also referred to in the cybersecurity world as ‘MFA Spamming’, ‘MFA Bombing’ and ‘MFA Bypass’; however, the premise remains the same.

A threat actor, who has successfully obtained their victim’s compromised credentials (username and password), attempts to log in to the victim’s account. However, they must now bypass whatever MFA ‘wall’ is presented to them to gain access.

Typically, the threat actor can trigger a push notification, such as an ‘MFA Yes/No Prompt’, in the hope that their victim accepts it.

The effectiveness of this attack technique can be strengthened by increasing the frequency at which the user is sent MFA prompts. The threat actor’s goal is to send a significant enough volume of these requests that the victim eventually tires of receiving them and clicks ‘Yes’ to stop the notifications.

Accompanying social engineering tactics have been reported, such as the threat actor impersonating a ‘Helpdesk’ email account asking that the victim accept the MFA prompt, further bolstering this attack’s success rate.

Due to the continued increase in remote working, MFA is a frequently utilised method of securing some Internet-exposed services. Threat actors who successfully perform MFA fatigue-style attacks to gain initial access to an organisation’s network typically proceed to move laterally and deploy additional tools to aid further compromise.

In its own case, Cisco Talos reported the deployment of Impacket (packet interceptor), Mimikatz (credential stealer), PowerSploit (command injection), Cobalt Strike (command and control) and TeamViewer (remote access) tooling.

Recommendations

An immediate action that can typically reduce the likelihood of a successful attack would be to enable a ‘Push Notification with Number Challenge’ instead of a simple ‘Yes/No Push Notification Challenge’.

By doing so, end users must select a number from a selection of choices that matches what they see on the authentication page.

Since an attacker does not have visibility of this number, they cannot simply rely on a user hitting ‘Yes’.

Additionally, if users receive MFA Fatigue attack notifications, their credentials have been compromised, and their passwords should be reset as soon as possible. This ensures that the threat actor can no longer generate push notifications on the victim’s device.

How Can Sapphire Help You Against MFA Fatigue Attacks?

Cyber Threat Intelligence Services

As part of Sapphire’s Cyber Threat Intelligence service, we provide customers with in-depth monthly (and ad-hoc) reporting on trending threat actor techniques, such as MFA Fatigue-style attacks, which pose a credible risk to their network. Here we can track trending methods and provide insight into the industries that may be targeted specifically.

Indicators of compromise can be gathered as soon as they become available and fed back into our Managed SIEM (Security Information and Event Management) service, providing a continuous feedback loop for detection opportunities.

Our Cyber Threat Intelligence aims to provide actionable information to customers that they can use to take proactive security measures to reduce the likelihood of a successful attack.

SIEM as a Service

The SOC Team can quickly create custom detection rules in response to emerging threats and threat actor techniques. To help detect Okta-based MFA Fatigue-style attacks, we have created the Rule ‘IA: Okta MFA Fatigue / Bypass Attempt’, which alerts our 24/7 Analysts to an account producing a suspicious volume of ‘MFA Prompt’ logs, which may be a precursor to an attack.
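
A minimal sketch of the volume-based detection described above, added here as an illustration; it is not Sapphire's rule and does not use Okta's log schema. The event names, the 10-minute window and the threshold of 5 prompts are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in a simplified schema (not a real IdP log format):
# (ISO timestamp, user, event); event is push_sent, push_denied or push_approved.
SAMPLE_EVENTS = [
    # bob: ordinary login, one prompt, one approval
    ("2022-10-24T09:00:05", "bob", "push_sent"),
    ("2022-10-24T09:00:12", "bob", "push_approved"),
    # carol: five prompts spread across the working day
    *[(f"2022-10-24T{h:02d}:30:00", "carol", "push_sent") for h in range(9, 14)],
    # alice: six prompts in five minutes overnight, a denial, then an approval
    *[(f"2022-10-24T02:1{m}:00", "alice", "push_sent") for m in range(6)],
    ("2022-10-24T02:11:20", "alice", "push_denied"),
    ("2022-10-24T02:15:30", "alice", "push_approved"),
]

WINDOW = timedelta(minutes=10)  # assumed look-back window
THRESHOLD = 5                   # assumed number of prompts that counts as a burst


def detect_mfa_fatigue(events, window=WINDOW, threshold=THRESHOLD):
    """Return alerts as (user, kind, timestamp, prompts_in_window) tuples.
    kind 'burst':    the user received `threshold` prompts inside `window`.
    kind 'approved': a prompt was approved while that burst was still active.
    """
    recent = defaultdict(deque)  # user -> timestamps of prompts inside the window
    in_burst = set()             # users whose burst alert has already been raised
    alerts = []
    for ts_str, user, event in sorted(events):
        ts = datetime.fromisoformat(ts_str)
        prompts = recent[user]
        while prompts and ts - prompts[0] > window:
            prompts.popleft()            # expire prompts older than the window
        if len(prompts) < threshold:
            in_burst.discard(user)       # burst has died down, re-arm the alert
        if event == "push_sent":
            prompts.append(ts)
            if len(prompts) >= threshold and user not in in_burst:
                in_burst.add(user)
                alerts.append((user, "burst", ts_str, len(prompts)))
        elif event == "push_approved" and user in in_burst:
            alerts.append((user, "approved", ts_str, len(prompts)))
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_EVENTS):
        print(alert)
```

The 'approved' alert is the one to escalate first: it marks a prompt accepted in the middle of a burst, which is the outcome the article's password-reset recommendation is meant to pre-empt.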

We can build additional detection and alerting capabilities by utilising the latest Indicators of Compromise (IOCs), as uncovered via our Threat Intelligence and OSINT sources.

An essential aspect of the MFA Bypass attacks was that the threat actor could gain access to the victim’s credentials in the first place. This is often possible if the victim’s account has been subject to a data breach.

Attackers will often scour credential leakage sites to find victims’ email addresses. Sapphire’s Analysts also have access to such tools, allowing us to alert customers before an attacker has a chance to put the credentials to use.

Single Sign-On and Multifactor Authentication

Products, processes and policies can be provisioned to help secure user identities and regulate user access in an organisation.

Security Awareness Training

Sapphire also delivers Phishing and Social Engineering awareness training.

This can increase staff awareness of the threats posed by MFA Fatigue-style attacks. Where technical controls fail, a cyber-aware workforce can act as a further link in the chain, an additional barrier against successful attacks.

As always, a ‘Defence-in-Depth’ strategy is the best approach to defending an organisation against threat actors, and with Sapphire’s combination of technical solutions and services, we continue to improve our customers’ cybersecurity posture.
