Sapphire has been tracking a trending attack vector known as ‘Multifactor Authentication (MFA) Fatigue’ (MITRE ID: T1621).

Several high-profile organisations, including Cisco Talos, Microsoft, and Uber, have been breached by threat actors who have utilised this technique. Whilst MFA plays a significant part in strengthening an organisation’s cybersecurity posture, it is not a ‘silver bullet’.

Organisations should be aware of this technique and how Managed Security Service Providers, like Sapphire, can assist with detection and prevention.

Research conducted by Microsoft concerning these attacks found that 1% of users would ‘blindly’ accept the first MFA push notification they receive on their mobile (regardless if it were the legitimate account owner that triggered it).

Data from August 2022 showed 40,942 MFA Fatigue attacks were recorded, the most significant volume of any given month over the last two years.

What is MFA Fatigue?

MFA Fatigue is also being termed, in the cybersecurity world, as ‘MFA Spamming’, ‘MFA Bombing’ and ‘MFA Bypass’; however, the premise remains the same.

A threat actor, who has successfully obtained their victim’s compromised credentials (username and password), attempts to log in to the victim’s account. However, they must now bypass whatever MFA ‘wall’ is presented to them to gain access.

Typically, the threat actor can trigger a push notification, such as an ‘MFA Yes/No Prompt’ (shown right), in the hopes that their victim accepts this prompt (pictured below).

The effectiveness of this attack technique can be strengthened by increasing the frequency at which the user is sent MFA prompts. The threat actor’s goal is to send a significant enough volume of these requests that the victim eventually tires of receiving them and clicks ‘Yes’ to stop the notifications.

Accompanying social engineering tactics have also been reported.

For example the threat actor impersonates a ‘Helpdesk’ email account asking the victim to accept the MFA prompt, further bolstering this attack’s success rate.

Due to the continued increase in remote working, MFA is a frequently utilised method of securing some Internet-exposed services. Threat actors who successfully perform MFA fatigue-style attacks to gain initial access to an organisation’s network typically proceed to move laterally and deploy additional tools to aid further compromise.

In the case of Cisco Talos, they reported the deployment of Impacket (packet interceptor), Mimikatz (credential stealer), PowerSploit (command injection), Cobalt Strike (command and control) and Team Viewer (remote access) tooling.

Recommendations

An immediate action that can typically reduce the likelihood of a successful attack would be to enable a ‘Push Notification with Number Challenge’ instead of a simple ‘Yes/No Push Notification Challenge’.

By doing so, end users must select a number from a selection of choices that matches what they see on the authentication page.

Since an attacker does not have visibility of this number, they cannot simply rely on a user hitting ‘Yes’ (see below).

Additionally, if users receive notifications, their credentials have been compromised, and their passwords should be reset as soon as possible. This ensures that the threat actor can no longer generate push notifications on the victim’s device.

How Can Sapphire Help You Against MFA Fatigue Attack?

Cyber Threat Intelligence Services

As part of Sapphire’s Cyber Threat Intelligence service, our customers receive in-depth monthly (and ad-hoc) reporting on trending threat actor techniques that pose a risk to their network. Here we can track trending methods and provide insight into the industries that may be targeted specifically.

Indicators of compromise can be gathered as soon as they become available and fed back into our Managed SIEM service, providing a continuous feedback loop for detection opportunities.

Our Cyber Threat Intelligence aims to provide actionable information to customers that they can use to take proactive security measures to reduce the likelihood of a successful attack.

SIEM as a Service

The SOC Team can quickly create custom detection rules in response to emerging threats and threat actor techniques. To help detect Okta-based MFA Fatigue-style attacks, we have created the Rule ‘IA: Okta MFA Fatigue / Bypass Attempt’.

This alerts our 24/7 Analysts to an account producing a suspicious volume of ‘MFA Prompt’ logs – a precursor to an attack.

We can build additional detection and alerting capabilities by utilising the latest Indicators of Compromise (IOCs), as uncovered via our Threat Intelligence and OSINT sources.

An essential aspect of the MFA Bypass attacks was that the threat actor could gain access to the victim’s credentials in the first place. This is often possible if the victim’s account has been subject to a data breach.

Attackers will often scour credential leakage sites to find victims’ email addresses. Sapphire’s Analysts also have access to tools that alert customers before an attacker can put the credentials to use.

Single Sign-On and Multifactor Authentication

Products, processes and policies can be provisioned to help secure user identities and regulate user access in an organisation.

Security Awareness Training

Sapphire also delivers Phishing and Social Engineering awareness training. 

This can increase staff awareness of the threats posed by MFA Fatigue-style attacks. Where technical controls fail, a cyber-aware workforce can effectively link the chain as an additional barrier against successful attacks.

A ‘Defence-in-Depth’ strategy is the best approach to defending an organisation against threat actors. We continue improving our customers’ cybersecurity posture with Sapphire’s combination of technical solutions and services.