Multifactor Authentication (MFA) is a fundamental element of any robust cybersecurity provision, and is used by more than 55% of enterprises. However, cybercriminals are always coming up with new ways to attack targets, by any means necessary, and have set their sights on breaking through MFA. This blog will cover MFA push bombing.
What is MFA?
Multifactor Authentication (MFA) adds additional layers of verification to login attempts in addition to a password. MFA requires an individual to verify their identity in two or more ways before they can access resources like online accounts or a company VPN. Typically, MFA uses something you know (like a password or PIN), something you have (like a smartphone) or something you are (biometric data like fingerprints, facial or voice recognition).
MFA is an easy and effective way to improve your security. By adding another layer of verification you reduce the risk of attackers gaining access via weak or reused passwords, which can be traced back to 63% of data breaches.
What is MFA prompt or push bombing?
MFA prompt or push bombing, otherwise known as MFA fatigue and MFA spamming is a method of social engineering attack where hackers send verification prompts to users until they approve the request. While that might sound like a simple enough method of infiltration to avoid, it’s proving to be effective against some large organisations.
LAPSUS$, a cybercrime group specializing in deploying ransomware against large companies in the UK and internationally, have successfully hacked major companies like Nvidia and Okta this year alone. According to this report, a member of the group described how effective MFA bombing can be on their official social media channel “Call the employee 100 times at 1 am while he is trying to sleep, and he will more than likely accept it. Once the employee accepts the initial call, you can access the MFA enrollment portal and enroll another device”.
Once the group infiltrated Nvidia’s network, they deployed ransomware to steal up to 1 terabyte of data. Then, the group threatened to release the data unless their demands were met.
What are the methods of MFA push bombing?
MFA push bombing is a social engineering attack, meaning it takes advantage of the user’s behaviour in order to gain access. It’s not just bombarding users with notifications; it also involves less conspicuous methods to gain verification.
While waking someone up with notifications in the middle of the night might work for some, for others, an inconspicuous notification or two might be enough for a user to verify the request without raising alarm. Another method might be impersonating the company’s security or IT team and claiming the request is part of planned works or maintenance.
What’s the risk of MFA push bombing?
MFA push bombing is just one method attackers can use to get access to your systems. From there they can pursue their aims whether it’s to hold your data for ransom, collect and leak data or any number of other malicious activities. The cost of a breach spans financial, reputational and commercial damage. For example, the average cost of a ransomware breach for detecting and securing the breach and lost business is $4.62 million, and that doesn’t include the cost of the ransom itself which can be vast sums. In May 2021 it was reported that CNA Financial, one of the USA’s largest insurance companies, paid an astonishing $40 million to recover their data after a ransomware attack.
How can you protect yourself from a MFA push bombing attack?
Cyberattacks happen more often than you’d think. MFA push bombing, fatigue or spamming is just one way attackers can use to gain access. According to the Federation of Small Businesses (FSB) there are approximately 10,000 attacks per day on just small businesses in the UK alone.
The best way to defend against this type of attack and other vulnerabilities is by implementing an end-to-end security solution with 24x7x365 protection and response. Cybercriminals will take advantage of any vulnerability they can find, including working out of hours in the hopes of catching targets off guard.
In addition to this, user training is vital to ensure your team don’t accidentally open the door to attack. As mentioned earlier, social engineering attacks rely on the vulnerabilities of users, like clicking on malicious links or phishing attacks. To overcome this risk factor, your security provision should include consistent user education and a Zero Trust mindset.
How we defend you against MFA push bombing, fatigue and spamming
Our 24x7x365 fully Managed Security Service offers the best in cybersecurity protection. Traditional reactive security methods fail to protect your data and only respond once it’s too late and the damage is done.
Our security experts take a proactive approach, hunting out vulnerabilities and safeguarding your data from potential risk. We continuously enhance your security posture, so your environment remains resilient against new and established tactics. Informed by the latest threat intelligence, our experts stay steps ahead of highly motivated cybercriminals.
With expert support and defence around the clock, your environment is never left vulnerable to attack and we’re always on hand if you need us. Plus, we offer end-user training so every member of your team is a part of maintaining your security.
Some of the ways we keep you protected against MFA attacks include:
- Requiring MFA code generation and input or MFA number matching
- Azure AD Identity Protection and risk-based conditional access
- Zero-Trust (Assume Breach)
- UEBA (User and Entity Behaviour Analytics) uses algorithms and machine learning to monitor for abnormalities in user behaviour.
Take the next step to secure your environment
We have the experts and the industry experience to defend your environment and protect you from MFA attacks. Get in touch for a free Threat and Vulnerability Assessment to understand your current security posture, potential vulnerabilities and what services would be best for you. We’ll work to understand your priorities and challenges and partner with you to find the solutions that are right for you.