Leonardo Hutabarat, Head of Solution Engineering, APJ at LogRhythm, explains how security teams can tackle the emerging threat of MFA fatigue attacks.
As growing numbers of organizations shore up their IT security by deploying multi-factor authentication, the technology is becoming an increasing target for cybercriminals.
No longer able to gain access to IT infrastructures simply by stealing passwords and identity credentials, the criminals now need to overcome the requirement to have additional authentication factors.
To succeed in this aim, cybercriminals are increasingly undertaking so-called ‘MFA fatigue’ attacks. These attacks take advantage of the ‘push prompts’ to mobile devices that are used by many MFA platforms.
Such prompts may involve requests for a user to push a button within an authentication app to prove their identity. Alternatively, they may receive a call asking them to respond by pushing a key on their mobile device.
During 2022, an attacker successfully infiltrated the VPN of Uber. They then sent push notifications as though they were an employee of the company and were able to grant themselves access to the company’s IT systems.
Earlier in the year, an attacker successfully entered the IT infrastructure of Cisco and actually added a new MFA device. This, in turn, allowed the attacker to move laterally across the infrastructure.
There are a range of ways in which an organization’s security team can identify MFA fatigue attacks. One is to analyze log data and find instances where repeated push messages have been denied by a user. This could indicate that the prompts were not triggered by the user’s own login attempt but were in fact generated by a cybercriminal who had already compromised the user’s primary identity credentials.
Attempted attacks can also be identified if the security team notices a series of ‘push denies’ followed by a ‘push allow’ from the same user. This could indicate that the user became tired of receiving so many request messages and relented by approving access.
Teams should also constantly monitor for instances of rapid login attempts to their organization’s infrastructure. These attempts may be undertaken using valid credentials while the criminal attempts to obtain another ID factor.
Another example of a potential attack can be a mismatch between the geolocation of a login attempt and a device that is approving MFA request prompts. This could be a sign that it is someone other than the user who is attempting to gain access.
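The four detection signals described above, expressed as simple rules that run over a small set of constructed MFA and login events (an added example, not LogRhythm’s code or anything from the article). The event field names `ts`, `user`, `kind`, `result`, `country` and `device_country`, and the thresholds and time windows, are assumptions chosen for the illustration; in practice they would be mapped onto the identity provider’s log schema and tuned to the organization.

```python
"""Rule-style detection of MFA-fatigue signals over constructed MFA/login events.

Added example, not code from LogRhythm or the article. Field names
(ts, user, kind, result, country, device_country) are assumptions; map
your identity provider's log schema onto them.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _ev(ts, user, kind, result, country, device_country=None):
    # country: geolocation of the IP making the login / triggering the push
    # device_country: geolocation of the device that answered the push
    return {"ts": ts, "user": user, "kind": kind, "result": result,
            "country": country, "device_country": device_country}


# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    # alice: password already stolen; pushes are spammed from RU until she relents
    _ev("2023-03-01T09:00:00", "alice", "login", "password_ok", "RU"),
    _ev("2023-03-01T09:00:05", "alice", "mfa_push", "deny", "RU", "US"),
    _ev("2023-03-01T09:00:40", "alice", "mfa_push", "deny", "RU", "US"),
    _ev("2023-03-01T09:01:20", "alice", "mfa_push", "deny", "RU", "US"),
    _ev("2023-03-01T09:02:00", "alice", "mfa_push", "allow", "RU", "US"),
    # bob: valid password replayed rapidly while a second factor is sought
    _ev("2023-03-01T10:00:00", "bob", "login", "password_ok", "DE"),
    _ev("2023-03-01T10:00:10", "bob", "login", "password_ok", "DE"),
    _ev("2023-03-01T10:00:20", "bob", "login", "password_ok", "DE"),
    _ev("2023-03-01T10:00:30", "bob", "login", "password_ok", "DE"),
    _ev("2023-03-01T10:00:40", "bob", "login", "password_ok", "DE"),
    _ev("2023-03-01T10:00:50", "bob", "login", "password_ok", "DE"),
    # carol: ordinary login, one push, approved from the same country
    _ev("2023-03-01T11:00:00", "carol", "login", "password_ok", "US"),
    _ev("2023-03-01T11:00:04", "carol", "mfa_push", "allow", "US", "US"),
]


def parse_events(raw):
    """Convert ISO timestamps to datetime and sort chronologically."""
    out = [dict(e, ts=datetime.fromisoformat(e["ts"])) for e in raw]
    return sorted(out, key=lambda e: e["ts"])


def _peak_in_window(events, predicate, window):
    """Per user, the largest number of matching events in any sliding `window`."""
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for e in events:
        if not predicate(e):
            continue
        q = recent[e["user"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.popleft()
        peak[e["user"]] = max(peak[e["user"]], len(q))
    return peak


def repeated_denies(events, threshold=3, window=timedelta(minutes=10)):
    """Signal 1: the same user denies `threshold` or more pushes within `window`."""
    peak = _peak_in_window(
        events, lambda e: e["kind"] == "mfa_push" and e["result"] == "deny", window)
    return sorted(u for u, n in peak.items() if n >= threshold)


def deny_then_allow(events, min_denies=2):
    """Signal 2: a run of denies followed by an allow (the user gave in)."""
    streak = defaultdict(int)
    hits = set()
    for e in events:
        if e["kind"] != "mfa_push":
            continue
        if e["result"] == "deny":
            streak[e["user"]] += 1
        elif e["result"] == "allow":
            if streak[e["user"]] >= min_denies:
                hits.add(e["user"])
            streak[e["user"]] = 0
    return sorted(hits)


def rapid_logins(events, threshold=5, window=timedelta(minutes=2)):
    """Signal 3: bursts of login attempts, typically with a valid password."""
    peak = _peak_in_window(events, lambda e: e["kind"] == "login", window)
    return sorted(u for u, n in peak.items() if n >= threshold)


def geo_mismatch(events):
    """Signal 4: push approved from a country other than the one logging in."""
    return [(e["user"], e["country"], e["device_country"])
            for e in events
            if e["kind"] == "mfa_push" and e["result"] == "allow"
            and e["device_country"] and e["country"] != e["device_country"]]


def run_all(raw):
    """Run every rule and return the users or tuples each one flagged."""
    events = parse_events(raw)
    return {"repeated_denies": repeated_denies(events),
            "deny_then_allow": deny_then_allow(events),
            "rapid_logins": rapid_logins(events),
            "geo_mismatch": geo_mismatch(events)}


if __name__ == "__main__":
    for rule, hits in run_all(SAMPLE_EVENTS).items():
        print(f"{rule}: {hits}")
```

Each rule is deliberately independent so that a single user tripping several of them (alice here trips three) stands out when the results are correlated, and the thresholds are parameters so that they can be tuned per environment rather than baked into the logic.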
IT security teams have a range of options when it comes to mitigating these types of attacks. One of the most important is undertaking regular user training in which the attacks are explained, along with what users can expect to see.
Users should be informed that they need to report instances of uninitiated MFA request prompts. They must also take care to never accept a request that they have not initiated themselves, regardless of how many times that request is made.
Organizations can also consider deploying physical security keys rather than having staff rely on an app on their mobile device. This makes it even more difficult for criminals to obtain the factors they will require to gain access to an infrastructure.
Another step worth considering is the removal of any ID factors that rely on simple approvals at the click of a button. Alternatives include requiring users to enter a number that has been generated by their device. This is more secure, as the user is the only one able to see the number being used.
By undertaking a program of rigorous monitoring, user education and improved ID methods, organizations can be best placed to avoid falling victim to an MFA fatigue attack. Cybercriminals’ focus on this technique is likely to keep increasing, so taking the necessary steps as quickly as possible is key.