April 22, 2022
Recent Cyber Attacks Prove that MFAs are not All Created Equal
WHAT HAPPENED?
Within the past few months, two hacker groups, the data extortion gang known as Lapsus$ and the Russian state-sponsored threat actor known as Cozy Bear, have successfully bypassed multifactor authentication (“MFA”). MFA is a defense mechanism companies and individuals use to prevent account takeovers: users must provide their username and password as well as an additional factor (a fingerprint, a physical security key, or a one-time password) before they can access their account. There are different forms of MFA, and some are considerably more secure than others.
The strongest forms of MFA are based on a relatively new set of standards called FIDO2, which lets users unlock a cryptographic login credential with a built-in method such as the fingerprint reader or camera on their device. Each FIDO2 credential is a public/private key pair that is unique to the website it was registered with, so it cannot be used to track users across sites. The private key never leaves the user’s device, and the server stores only the public key, so there is no shared secret for an attacker to phish, steal from a breached database, or replay. The credential is also bound to the website’s origin: a user who lands on a look-alike phishing domain cannot be tricked into signing in to the real site, because the browser will not present the credential to an origin it was not registered for. Given the relative newness of this approach, many consumers and organizations have not yet begun to use it.
In comparison, older forms of MFA rely on one-time passwords sent by SMS or generated by a mobile app such as Google Authenticator, or on push prompts and phone calls that the user approves by tapping a notification or pressing a key. Push- and call-based approval is the weak link: an attacker who already has the victim’s password can trigger MFA requests over and over until the worn-down user approves one, at which point the attacker is in the account.
Lapsus$ has breached Microsoft, Okta, and Nvidia using this technique, now known as MFA prompt-bombing: the group simply bombards a user with calls until one is accepted. “No limit is placed on the amount of calls that can be made,” a member of Lapsus$ wrote on the group’s official Telegram channel. “Call the employee 100 times at 1 am while he is trying to sleep, and he will more than likely accept it. Once the employee accepts the initial call, you can access the MFA enrollment portal and enroll another device.” Note the final step: once a single prompt is approved, the attacker enrolls a device of their own, so they keep a working second factor even after the victim stops approving prompts. Finding and removing that rogue device is part of the cleanup.
MFA prompt-bombing may include:
What does this mean for me and my firm?
While any form of MFA is better than none, firms should strive to use FIDO2-based MFA, which is immune to MFA prompt-bombing (there is no prompt to approve) and resistant to credential phishing. Online services access FIDO authentication through Web Authentication (“WebAuthn”), a standard web API built into all major browsers and the related web platform infrastructure. Adding security keys only helps if the weaker factors are disabled or restricted for the same accounts, however; an attacker who is offered a choice of factors at login will simply pick the push prompt. How FIDO authentication is rolled out varies by organization. Below are step-by-step guides to create security keys for common applications.
Below are some simple tips from KnowBe4, the security awareness training platform, to stay safe from MFA scams.
If you have any questions about FIDO2-based MFA and how to protect your organization from these kinds of threats, Fairview Cyber can help. We provide essential cyber and data security services like phishing prevention training, network penetration testing, vendor due diligence, and more. Contact us today for more information about our services.