The Arctic Wolf Labs team has observed recent cyber breaches at large organizations and identified a similar TTP used across each for initial access in the form of Multi-factor Authentication (MFA) Fatigue or “prompt bombing.”
What is MFA Fatigue?
MFA fatigue refers to the overload of prompts or notifications the victim would receive via MFA applications. This technique only works if the threat actor already has the credentials of a targeted account from a previous compromise such as phishing, credential replay, brute forcing, or password spraying.
Threat actors will then use MFA fatigue to compromise the account even when the account being targeted has additional layers of security such as multi-factor authentication.
Once the threat actor has a victim’s credentials, they start requesting approval for sign-in from the victim’s MFA application. The goal for the threat actor here is to repeatedly spam push notifications to the target’s phone requesting sign-in approval in the hopes that the target might believe there’s an issue with the MFA application and eventually approve a request to make the notifications stop. Once this happens, the threat actor gets access to everything the MFA application protects.
Arctic Wolf has seen this TTP being used as part of the initial access component in recent major breach events such as Uber in September and Cisco in August of this year. Multi-factor authentication is a strong preventative measure against credential re-use; however, if your users are not diligent and looking out for the typical MFA fatigue characteristics, any organization may be susceptible to this attack.
Recommendations for MFA Fatigue
When it comes to preventing MFA Fatigue attacks, the most important thing is awareness and knowledge. If your users are aware that these types of attacks exist, they may be less likely to become a victim of them.
Recommendation #1: MFA Fatigue Notifications to Be Aware Of
Be aware of any MFA request push notifications with the following characteristics:
- Unexpected MFA request push notifications.
- From an unfamiliar location (i.e. the request is coming in from a country or city different from the one you are currently in; if you are using a VPN, be mindful of the location your VPN is routing you out of).
- Receiving a call, email or message from someone claiming to be from your IT team performing an MFA test and asking you to accept the MFA request notifications that you’re receiving.
- A rapid-fire sequence of MFA request notifications.
Recommendation #2: Limit MFA Request Push Notifications
Limit the number of MFA request push notifications allowed within a certain timeframe if your MFA provider allows for this. This will help prevent MFA fatigue and prompt bombing.
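As an added example (not Arctic Wolf's code), the following Python implements two of the recommendations above: a detection over MFA push events that flags the rapid-fire sequence from Recommendation #1 (and whether the user eventually approved during the burst), and a provider-side per-window limit as described in Recommendation #2. The event fields, thresholds and sample events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push log (not real data): user, UTC timestamp, outcome.
SAMPLE_EVENTS = [
    ("alice", "2022-09-15T02:10:05", "denied"),
    ("alice", "2022-09-15T02:10:41", "denied"),
    ("alice", "2022-09-15T02:11:20", "timeout"),
    ("alice", "2022-09-15T02:12:02", "denied"),
    ("alice", "2022-09-15T02:13:30", "approved"),   # gave in to make it stop
    ("bob",   "2022-09-15T08:00:00", "approved"),
    ("bob",   "2022-09-15T13:30:00", "approved"),
]


def parse(events):
    """Convert the ISO timestamps of (user, ts, result) tuples to datetimes."""
    return [(u, datetime.fromisoformat(t), r) for u, t, r in events]


def find_push_bursts(events, max_pushes=3, window=timedelta(minutes=10)):
    """Return {user: (peak_pushes_in_window, approved_during_burst)} for every
    user who received more than max_pushes prompts inside any sliding window.
    approved_during_burst is the worst case: the user tapped approve in the burst."""
    by_user = defaultdict(list)
    for user, ts, result in sorted(parse(events), key=lambda e: e[1]):
        by_user[user].append((ts, result))
    alerts = {}
    for user, pushes in by_user.items():
        start = 0
        for end in range(len(pushes)):
            while pushes[end][0] - pushes[start][0] > window:
                start += 1          # slide the window forward
            count = end - start + 1
            if count > max_pushes:
                approved = any(r == "approved" for _, r in pushes[start:end + 1])
                peak, seen_approval = alerts.get(user, (0, False))
                alerts[user] = (max(peak, count), seen_approval or approved)
    return alerts


def should_send_push(recent_push_times, now, max_pushes=3, window=timedelta(minutes=10)):
    """Provider-side limit (Recommendation #2): refuse another push once the user
    has already received max_pushes prompts inside the window."""
    in_window = [t for t in recent_push_times if now - t <= window]
    return len(in_window) < max_pushes
```

Feeding real identity-provider push logs into find_push_bursts gives a SIEM-style alert on prompt bombing, while should_send_push is the throttle an MFA service would apply before dispatching another prompt.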
Recommendation #3: Disable MFA Request Push Notifications
Push notification requests are designed for minimal user friction, allowing a user to quickly click “yes/allow” on a request, which is what makes this attack technique possible. Most MFA providers will allow you to disable push notification requests as a verification method and use a challenge & response or time-based one-time password verification method instead for increased security.
Recommendation #4: Explore Implementing WebAuthn for MFA
For the current highest level of MFA security, we recommend implementing WebAuthn in your environment if your applications and devices are compatible. Check with your authentication provider for details on how to configure WebAuthn for your environment.