
A Sinister Way To Beat Multifactor Authentication Is On The Rise

One of the best ways to avoid account takeovers is to use multifactor authentication (MFA). With MFA, a person attempting to access an account must present an extra factor, such as a fingerprint, a physical security key or a one-time password, to verify their identity. Nothing in this article should be taken to imply that MFA is anything other than vital.


MFA is a complicated topic, but recent events show that the weaker forms of MFA can be bypassed with relatively little effort. In recent months both the Lapsus$ data extortion gang and Cozy Bear, the Russian state-backed group behind the SolarWinds supply-chain compromise, have done exactly that.

Enter MFA Prompt Bombing

FIDO2 is a framework developed by a consortium of companies, the FIDO Alliance, to balance security with ease of use in multifactor authentication. Users prove they are authorized to access an account with a fingerprint reader or camera built into their device, or with a dedicated security key. Because the authenticator only signs a challenge for the site the user is actually visiting, and only when the user touches it, an attacker holding the password cannot trigger an approval remotely. FIDO2 forms of MFA are still relatively new, so many services, for consumers and large organizations alike, have yet to adopt them.

That is where the older, weaker forms of MFA come in: one-time passwords (OTPs) sent by SMS or generated by mobile apps such as Google Authenticator, and push prompts sent to a mobile device. After entering a valid password, the user must either type the OTP into a field on the sign-in screen or tap an approve button on the phone's screen.

Recent reports say this last form, the push prompt, is being abused. According to security firm Mandiant, Cozy Bear, the top hacking unit of Russia's Foreign Intelligence Service, is among the actors using the tactic. The group is also tracked as Nobelium, APT29 and the Dukes.

"As a second factor, many MFA providers allow customers to accept a phone app push notification or get a phone call and hit the key," Mandiant researchers said. "To exploit this, the [Nobelium] threat actor submitted several MFA requests to the end user's genuine device until the user agreed to authenticate, allowing the threat actor to finally seize control of the account."
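The exchange Mandiant describes, modelled in code as an added example (this is not Mandiant's, Microsoft's or any vendor's code): a small push-approval service run against an attacker who already holds a valid password and keeps requesting prompts. The PushMfaService class, its policy settings, the prompt_bomb loop and the victim behaviour (deny a few prompts, then tap Approve out of fatigue) are hypothetical assumptions made for the illustration. The weak configuration is the plain push flow the article describes; the hardened one adds three controls that each break the attack on their own: a per-user rate limit on prompts, lockout after consecutive denials, and number matching, where the user must type a number that is shown only on the login screen the attacker is sitting at.

```python
"""Push-MFA prompt bombing against a weak and a hardened approver.

Added example; the service, its policy knobs and the victim model are
hypothetical and do not correspond to any real identity provider.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Optional
import secrets


@dataclass
class Prompt:
    user: str
    number: Optional[int]   # number matching: shown on the login screen, not the phone
    decided: bool = False


@dataclass
class PushMfaService:
    """Second-factor push approver. The defaults are the hardened policy."""
    max_prompts_per_window: int = 3     # prompts one user may receive per window
    window_seconds: int = 600
    lockout_after_denials: int = 2      # consecutive denials that lock the account
    number_matching: bool = True        # approval needs the number from the login screen
    _sent: dict = field(default_factory=dict)      # user -> deque of send timestamps
    _denials: dict = field(default_factory=dict)   # user -> consecutive denials
    _locked: set = field(default_factory=set)

    @classmethod
    def weak(cls) -> "PushMfaService":
        """Plain push approval: unlimited prompts, a single Approve button."""
        return cls(max_prompts_per_window=10**9, lockout_after_denials=10**9,
                   number_matching=False)

    def request_push(self, user: str, now: float) -> Prompt:
        """Runs after a correct password; raises if policy refuses to send a prompt."""
        if user in self._locked:
            raise PermissionError("locked: repeated denials")
        sent = self._sent.setdefault(user, deque())
        while sent and now - sent[0] > self.window_seconds:
            sent.popleft()
        if len(sent) >= self.max_prompts_per_window:
            raise PermissionError("rate limited: too many push prompts")
        sent.append(now)
        number = secrets.randbelow(100) if self.number_matching else None
        return Prompt(user, number)

    def respond(self, prompt: Prompt, approve: bool,
                entered_number: Optional[int] = None) -> bool:
        """The phone app's answer. True only if the sign-in is granted."""
        if prompt.decided:
            raise ValueError("prompt already answered")
        prompt.decided = True
        granted = approve and (not self.number_matching
                               or entered_number == prompt.number)
        if granted:
            self._denials[prompt.user] = 0
            return True
        self._denials[prompt.user] = self._denials.get(prompt.user, 0) + 1
        if self._denials[prompt.user] >= self.lockout_after_denials:
            self._locked.add(prompt.user)
        return False


def prompt_bomb(service: PushMfaService, user: str, fatigue_after: int,
                max_attempts: int = 100) -> dict:
    """Attacker with a valid password sends prompts one second apart until the
    victim gives in. The modelled victim denies the first `fatigue_after`
    prompts and taps Approve on every one after that. They never see the
    attacker's login screen, so with number matching on they have no number
    to enter and the tap does not count as an approval."""
    sent = 0
    for second in range(max_attempts):
        try:
            prompt = service.request_push(user, now=float(second))
        except PermissionError as why:
            return {"compromised": False, "prompts_sent": sent, "stopped_by": str(why)}
        sent += 1
        if service.respond(prompt, approve=sent > fatigue_after, entered_number=None):
            return {"compromised": True, "prompts_sent": sent, "stopped_by": None}
    return {"compromised": False, "prompts_sent": sent, "stopped_by": "attacker gave up"}


def demo() -> dict:
    victim = "alice@example.com"   # constructed
    return {
        "weak": prompt_bomb(PushMfaService.weak(), victim, fatigue_after=5),
        "hardened": prompt_bomb(PushMfaService(), victim, fatigue_after=5),
        # each hardened control on its own
        "rate_limit_only": prompt_bomb(
            PushMfaService(lockout_after_denials=10**9, number_matching=False),
            victim, fatigue_after=5),
        "number_matching_only": prompt_bomb(
            PushMfaService(max_prompts_per_window=10**9, lockout_after_denials=10**9),
            victim, fatigue_after=5),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22s} {result}")
```

Against the weak service the sixth prompt, the first one the tired victim approves, hands the account over. The hardened service locks the account after two denials before a third prompt can go out; with only the rate limit the fourth prompt is refused; and with only number matching the attacker can keep sending prompts but never gets a usable approval, because the victim has nothing to type.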


The Lapsus$ hacking group used the same approach in its recent breaches of Microsoft, Okta and Nvidia.

"There is no limit to the number of calls that may be made," a member of Lapsus$ said on the official Telegram channel of the organization. "To get the employee to agree to anything, make 100 calls to him at 1 in the morning when he is attempting to sleep. The MFA enrollment site may be accessed when the employee accepts the initial call."

He claimed that his MFA prompt-bombing approach was successful in gaining access to a computer belonging to a Microsoft employee earlier this week.

Someone wrote in response: "Even Microsoft! An employee's Microsoft VPN could be accessed simultaneously from Germany and the United States, and the employee didn't appear to notice. Re-enrolled in MFA twice and had no problems."
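Detecting prompt bombing after the fact, as an added example that is not taken from the article or from any product: a short detector run over constructed authentication log lines (the line format, user names and IP addresses are made up for the example; map your identity provider's push-result events onto parse_log). It flags a burst of push prompts to one user inside a short window and, more usefully, an approval that arrives after a run of denials or timeouts, which is exactly the pattern the Lapsus$ member describes: many refused calls at 1 a.m., then one accepted.

```python
"""Spot push-MFA prompt bombing in authentication logs.

Added example. The log format, users and addresses are constructed for the
illustration; map your identity provider's push-result events onto parse_log().
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample: "<ISO-8601 UTC time> <user> <push result> <source IP>"
SAMPLE_LOG = """\
2022-03-29T01:02:11Z alice push_denied 203.0.113.7
2022-03-29T01:02:40Z alice push_timeout 203.0.113.7
2022-03-29T01:03:05Z alice push_denied 203.0.113.7
2022-03-29T01:03:31Z alice push_denied 203.0.113.7
2022-03-29T01:04:02Z alice push_timeout 203.0.113.7
2022-03-29T01:04:33Z alice push_denied 203.0.113.7
2022-03-29T01:05:10Z alice push_approved 203.0.113.7
2022-03-29T09:15:42Z bob push_approved 198.51.100.20
2022-03-29T09:40:03Z bob push_denied 198.51.100.20
2022-03-29T08:10:00Z carol push_denied 192.0.2.5
2022-03-29T10:30:00Z carol push_denied 192.0.2.5
2022-03-29T13:00:00Z carol push_denied 192.0.2.5
"""

REJECTED = {"push_denied", "push_timeout"}


def parse_log(lines):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, event, ip = parts
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield {"time": when, "user": user, "event": event, "ip": ip}


def detect(lines, burst_threshold=5, window=timedelta(minutes=10),
           rejections_before_approve=2):
    """Return alerts for (a) a burst of prompts to one user inside `window` and
    (b) an approval preceded by `rejections_before_approve` or more denials or
    timeouts in that window. Off-hours is judged in UTC here (an assumption of
    the example); use the user's local zone in practice."""
    events = sorted(parse_log(lines), key=lambda e: e["time"])
    recent = defaultdict(deque)          # user -> events still inside the window
    alerts = []
    for ev in events:
        q = recent[ev["user"]]
        q.append(ev)
        while ev["time"] - q[0]["time"] > window:
            q.popleft()
        base = {"user": ev["user"], "time": ev["time"].isoformat(),
                "sources": sorted({e["ip"] for e in q}),
                "off_hours": ev["time"].hour < 6}
        if len(q) == burst_threshold:    # fire once, when the threshold is crossed
            alerts.append({"rule": "push_burst", "prompts": len(q), **base})
        if ev["event"] == "push_approved":
            rejected = sum(e["event"] in REJECTED for e in q)
            if rejected >= rejections_before_approve:
                alerts.append({"rule": "approval_after_fatigue",
                               "rejected_before_approve": rejected, **base})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample, alice trips both rules at around 1 a.m. UTC, bob's single approval and later denial look like normal use, and carol's three denials spread over five hours never fill the window. The approval-after-fatigue rule is the one worth paging on; a burst alone may just be a user who mistyped their password a few times.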

The approach is "fundamentally a single method that takes multiple forms: fooling the user to confirm an MFA request," Mike Grover, a seller of red-team hacking tools for security professionals and a red-team consultant, tells Ars. "The term 'MFA Bombing' has rapidly become a catchphrase, but this leaves out the more covert techniques."
