April 22, 2022
Recent Cyber Attacks Prove that MFAs are not All Created Equal
Within the past few months, two hacker groups, a data extortion gang known as Lapsu$ and elite Russian-state threat actors known as Cozy Bear, have successfully bypassed multifactor authentications (“MFA”). MFA is a defense mechanism companies and individuals use to prevent account takeovers. Users must provide their username and password as well as an additional factor (fingerprint, physical security key, or one-time password) before they can access their account. There are different forms of MFA, with some being more secure than others.
The strongest forms of MFA are based off a relatively new framework called FIDO2 which allows users to unlock cryptographic login credentials with built-in methods such as fingerprint readers or cameras on their devices. FIDO2 cryptographic login credentials are unique across every website and cannot be used to track users across sites. Credentials never leave a user’s device and are not stored on a server which eliminates risks of phishing, forms of password thefts and replay attacks. Given the relative newness of these forms of MFA, many consumers and organizations have not begun to use them.
In comparison, older forms of MFA give users the option of using one-time passwords sent through SMS or mobile apps like Google Authenticator push prompts. Users accept a phone app push notification or phone call and press a key to access their account. Malicious actors take advantage of this by issuing multiple MFA requests to a user’s device until the user accepts the authentication, allowing the threat actor to gain access to the account.
Lapsus$ has breached Microsoft, Okta, and Nvidia using this technique (which has been deemed MFA prompt-bombing) that allows them to consistently bombard users with calls until one is eventually accepted. “No limit is placed on the amount of calls that can be made,” a member of Lapsus$ wrote on the group’s official Telegram channel. “Call the employee 100 times at 1 am while he is trying to sleep, and he will more than likely accept it. Once the employee accepts the initial call, you can access the MFA enrollment portal and enroll another device.”
MFA prompt-bombing may include:
What does this mean for me and my firm?
While any form of MFA is better than no use of MFA, firms should strive to use FIDO2-based MFA to prevent data compromise and MFA prompt-bombing. FIDO Authentication can be accessed by online services via Web Authentication (“WebAuthn”). A standard web API can be built into browsers and related web platform infrastructure. Implementing FIDO Authentication varies by organization. Below are step-by-step guides to create security keys for common applications.
Below are some simple tips from KnowBe4, the world’s largest security platform, to stay safe from MFA scams.
If you have any questions about FIDO2-based MFA and how to protect your organization from these kinds of threats, Fairview Cyber can help. We provide essential cyber and data security services like phishing prevention training, network penetration testing, vendor due diligence, and more. Contact us today for more information about our services