Imagine that after a hard day’s work, you suddenly receive a multitude of multifactor authentication (MFA) prompts requesting that you accept. You must be thinking to yourself how annoying these notifications are. After declining a bulk of them, you suddenly tapped the “Approve” button to relieve all that stress of thinking it was probably maintenance work or an update. Have you realized what sort of consequences it will bring to yourself and the organization you are working for? Have you fathomed the extent of damage a simple tap of the “Approve” button can do and how you are subconsciously aiding a cybercriminal to take over your account and perform all sorts of nefarious actions against your organizations?

Strong authentication is becoming more widely used, which has led to an increase in multi-factor authentication (MFA) fatigue attacks, also known as MFA spamming. These attacks rely on the user's willingness to accept a straightforward voice, SMS, or push message that doesn't ask them to know the details of the session they are authenticating for. Users are doing basic approvals if they choose to “click to approve” or “enter your PIN to approve" rather than typing in a code they see on-screen.

An 18-year-old hacker going by the handle “Tea Pot” allegedly broke into Uber in September 2022, by using social engineering to convince an Uber employee to grant him account access and accept an MFA prompt, the hacker was able to register their own device. After establishing a base of operations, the attacker discovered Uber's internal network share, which held PowerShell scripts with admin privileges. This allow the hacker to gain access to AWS, Slack, and Google Cloud Platform, among other applications.

Modus Operandi

As part of the multi-factor authentication (MFA) fatigue attack strategy, attackers bombard a user's authentication app with push notifications in the hopes that they will accept, giving them access to the account or device.

The MFA fatigue attack chain unfolds as follows:

• 1. A MFA fatigue attack begins with user information readily available. The cybercriminal will already have access to the victim’s username and password. In most cases, the information is most likely sourced from phishing or social engineering, or credentials may have been exposed in a breach or stolen from the dark web.


• 2. The cybercriminal will then enter the stolen credentials in an attempt to sign in to the acquired account, which is protected by push MFA and will try multiple attempts until success.


• 3. After obtaining credentials illegally, the cybercriminal will use the credentials to access the target's account or device that uses push multi-factor authentication. Usually, the attacker will make several fast attempts to trigger the push notifications of the authenticating application. These push notifications may be delivered through desktop notification, email, or text message, but they are typically sent to the user's mobile device.


• 4. Now, the cybercriminal will rapidly send push alerts to the target in an effort to overload them. To ease the workload, the cybercriminal will automate the task by using a simple script. To further access the victim's account or device, the attacker wants the victim to click "Yes" and authenticate their identity. After some time of declining, the victim might assume it's a minor application issue or a test, or they can just be annoyed and want the messages to stop; thus, the victim will select ‘Approve’ in an effort to stop the notifications.

Here is an example of a MFA fatigue attack in real time, presented by GoSecure:

Why does it matter?

MFA fatigue attacks are a growing concern, and they are becoming widely popular in the current threat landscape as more cyber criminals, from state-sponsored to novices, utilize the technique in order to gain further access for their own personal motives. A Microsoft study has shown that over 382,000 MFA fatigue attacks took place in 2022.

As long as it continues to be effective, MFA fatigue will be a common tactic used by a number of cybercriminals. Lapsus$, a hacker group that is infamous for extortion schemes and has already targeted firms including NVIDIA, Samsung, and Microsoft, is one group that has made use of MFA fatigue for a number of high- profile attacks. It is unclear whether prompt spam was employed in all of these assaults because businesses do not always share complete information about security problems.

An attacker can use this initial access to compromise further accounts, collect and exfiltrate important organizational data, and possibly even launch ransomware to cause more damage to the organization's operations.

How to Protect Yourself

Of course, as we know, there are no bulletproof ways to protect yourself 100% securely against different cyberattacks. However, we can follow guidelines and best practices, whether it is an individual or an organization, to improve their security posture.

Here are the following ways to enable a better security posture to reduce the likelihood of a MFA fatigue attack:

• FIDO2: As opposed to push notifications, organizations can utilize security keys such as FIDO2. Public-key cryptography is used in FIDO2-compliant authentication to ensure that the login credentials are distinct on each website. Examples of such systems are passwordless authentication and security keys. Basically, the FIDO2 key is physically present with the trusted user on the device in the form of a biometric or security key, making it impossible for an attacker to employ the standard MFA attack methods.


• Phishing-Resistant MFA Requests:It is important to utilize MFA that is resistant to phishing in order to keep users from becoming MFA-fatigued. One such technique, called "Number Matching," adds a new phase to the MFA push notification protocol. The user must input a certain number on the login screen before they can accept the MFA prompt in their application.


• Utilizing a Monitoring Platform: Implement rules to set thresholds in your monitoring software to notify you of and quickly stop any additional excessive MFA prompts. Additionally, make sure you are keeping an eye out for frequent risks and exposures affecting the accounts of your organization, such as Sign-ins from unfamiliar locations, atypical travel, successful authentication from a new country, and so forth.


• Sign-in risk based policy: The Sign-in risk-based policy protects users from registering MFA in risky sessions. If users aren't registered for MFA, their risky sign-ins are blocked, and they see an AADSTS53004 error. You can utilize the sign-in risk-based policy by implementing a conditional access policy while incorporating Azure AD identity protection sign-in risk detections.


• User Education: Organizations must also have a budget for training their staff members to be aware of the current threat landscape. Organizations may lessen the risk of human error and make sure that everyone understands the value of security by training staff members about MFA fatigue and what actions to take if they do become victims of such an attack.


• Strong Passwords: As mentioned previously, obtaining user credentials is a crucial prerequisite for any MFA fatigue attack. To avoid this, make sure users are informed about the risks of password reuse and shown what a good password looks like.

Conclusion

We must take lessons from previous MFA fatigue attacks and ensure that we take good measures for any future events. Most importantly, we should educate ourselves to understand what to do and how to respond to that sort of attack without putting ourselves or the organization we work for at risk.

References

[1] https://explore.avertium.com/resource/mfa-breaches-and-mfa-fatigue

[2] https://www.beyondidentity.com/blog/mfa-fatigue-and-autofill

[3] https://www.okta.com/uk/blog/2022/09/mfa-fatigue-growing-security-concern/

[4] https://portswigger.net/daily-swig/mfa-fatigue-attacks-users-tricked-into-allowing-device-access-due-to-overload-of-push-notifications

[5] https://cybersecurity.att.com/blogs/security-essentials/phishing-resistant-mfa-101-what-you-need-to-know