What Is It?
Multi-factor authentication (MFA) prompt bombing is a specific social engineering attack that bombards its victims with countless MFA push notifications. Generally, when people think of social engineering attacks, they think of suspicious emails or unexpected phone calls. However, MFA prompt bombing can be an even more effective strategy to gain access to people’s data, due to the fact it specifically uses social engineering tactics that target the human factor. Below are a few different ways these MFA prompt bombing attacks are carried out:
- Send a large number of MFA prompt requests in hopes the user accepts to stop the distraction or annoyance.
- Send only a small number each day in hopes a user accepts at some point. This method is stealthier and is more likely to fly under the radar as a malicious attack.
- Call the user advising them they need to send an MFA prompt and they need to accept it.
The victim may ignore the first few notifications or calls, but at some point, may click accept to stop the annoyance and get back to what they were focusing on – all while not realizing what they have just done.
More and more authentication portals are adding the ability or requirement to
enable MFA notifications as a secondary form of authentication. The Center for Internet Security (CIS) Control 6 – Access Control Management requires MFA for external facing applications, remote network access, and administrative access. This attack is on the rise and will not be going away any time soon.
Recent Attacks Using This Technique
Back in March, nGuard released a Security Advisory about the Lapsus$ Crime Gang infiltrating Microsoft, Okta, and others. It turns out the group utilized this technique to gain access to these organizations. Lapsus$, in their Telegram channel said, “No limit is placed on the number of calls that can be made. Call the employee 100 times at 1 am while he is trying to sleep, and he will more than likely accept it. Once the employee accepts the initial call, you can access the MFA enrollment portal and enroll another device.”
The image below shows a conversation from their Telegram Channel discussing how they were going to attempt this attack:
Source: TwoSense
The SolarWinds breach that occurred last year that allowed APT29 (Cozy Bear), a group out of Russia, to create backdoors in 18,000 SolarWinds customer’s environments utilized this very same technique.
nGuard’s Experience with MFA Prompt Bombing
nGuard has been using this attack in our social engineering methodology for quite some time. Using these tactics, nGuard has successfully gained access to client’s VPN portals protected by MFA to obtain internal network access numerous times. nGuard has also used this attack to gain access via an organization’s single sign-on (SSO) page, giving us access to many sensitive internal applications. To protect your organization from this attack you can:
- Conduct regular social engineering assessments to reinforce training.
- Train employees to only accept MFA prompts when they are actively authenticating to a service.
- Train employees to never give out MFA SMS codes to anyone.
- Report the unsolicited MFA prompts as fraudulent.
- Create alerts for anomalous events such as:
- Time of access
- Geolocation
- Large number of MFA prompts events
- Draft a policy that states whether and how personal information is to be requested of employees via telephone.
- Conduct employee training to raise awareness of social engineering techniques.
- Train employees to identify and report suspicious requests for personal information.
- Segment employee workstations from higher security zones in the internal network to reduce exposure of critical internal systems to attack from compromised workstations.
If you want to test your users’ likelihood of falling victim to such social engineering attacks, contact your Account Executive or Security Consultant for more information.