Social engineering is a common technique used by threat actors to gain access to corporate credentials and breach an organization’s network. To combat this, organizations have increasingly adopted multi-factor authentication to prevent users from logging in without an additional form of verification. As a result, threat actors have started counteracting this technical control with a technique known as MFA Fatigue.
When an organization’s MFA configuration includes push notifications, a prompt will be displayed on the user’s mobile device when an attempt to log in with their credentials is made. This prompt will contain an approve or deny button; if the approve button is pushed, the MFA verification is successful, and the user’s account is logged in. MFA Fatigue occurs when a threat actor runs a script to continually log in with the stolen credentials, thus causing an endless amount of push notifications to be sent to the user’s device. The goal of this technique is to continually harass the user with MFA notifications until the user becomes fatigued enough to click approve. In some cases, the threat actor will also call the user pretending to be IT Support for the organization in order to convince them to approve the MFA prompt. Once the user approves the prompt, the threat actor gains access to the organization’s network.
This social engineering technique has been proven to be very effective in breaching large and well-known organizations by threat actor groups such as Lapsus$. Due to this, it is likely that other threat actor groups will employ this technique as an effective method for bypassing MFA in a target organization.
Analyst Notes
It is highly recommended for users experiencing an MFA Fatigue attack to not panic and approve any unknown MFA requests. Instead, it is recommended to contact the IT department to let them know what is occurring. Changing the account’s password is highly recommended as well, as this will stop the MFA prompts from occurring, since valid credentials must be used by threat actor to attempt to log in.
For organizations, it is highly recommended to disable simple approve/deny push notifications for something more secure instead. A number of MFA providers support a technique known as number matching, which is a feature that displays a number on the login page that must be entered into the MFA prompt to be successful. This removes the simple approve button and forces both sides of the verification, the login and the user’s device, to require extended user input in order to be successful. Another recommendation is to limit the number of MFA authentication requests per user and alert administrators when that threshold is exceeded. This technique can also be used to automatically lock the user’s account, immediately preventing the threat actor from being able to gain access to it. This step will help alert an organization to a potential compromised account, allowing them to respond and prevent any further damage. Finally, where possible, organizations can move to hardware security keys to secure logins and help prevent these types of credential thefts. Not all services may be compatible with hardware security keys, however, so each organization needs to review what third-party services they use to determine if this would be possible or not.
https://www.bleepingcomputer.com/news/security/mfa-fatigue-hackers-new-favorite-tactic-in-high-profile-breaches/
