What are MFA fatigue attacks, and what can your organization be doing to safeguard against them?
Preventing initial access to your network is critical to preventing a successful cyberattack. After that, a defense-in-depth approach helps mitigate the risk of lateral movement and increases detection rates if perimeter defenses are compromised. On top of that, penetration testing employs specialized professionals who understand adversarial tradecraft and simulate cyberattacks to validate an organization's security posture.
MITRE ATT&CK tactics and techniques serve as a good checklist of the attack strategies used by real-world attackers and are useful for evaluating an organization's defensive cyber security capabilities. Organizations can use them to verify the effectiveness of their security controls against a wide range of cyberattacks.
The MITRE ATT&CK tactic of Initial Access [TA0001] covers many techniques, but one of the most commonly used by attackers is Valid Accounts [T1078]: using legitimate credentials to walk through an organization's perimeter defenses. We have previously covered several of the methods attackers use to obtain valid credentials on this blog, such as rogue access points, password spraying, credential stuffing, SIM swapping, weak passwords, phishing, pharming, and more.
Many companies have begun to require multi-factor authentication (MFA) for critical accounts so that a user is also verified by "something they possess", typically an authenticator app on their mobile device or a hardware security token. In this article, we delve into an evolving technique used to gain initial access: the MFA fatigue attack, catalogued in ATT&CK as Multi-Factor Authentication Request Generation [T1621]. Other attacks have successfully circumvented MFA, such as the method of bypassing MFA using Microsoft WebView2 apps, but MFA fatigue attacks are a pervasive threat in their own right and require specific measures to mitigate.
There is no shortage of social engineering attacks designed to steal usernames and passwords, so we should expect new social engineering attacks to emerge that target MFA. MFA fatigue attacks (also known as MFA exhaustion, MFA bombing or MFA spamming) are one such attack, developed by attackers seeking to circumvent MFA once they already possess a stolen username and password.
An MFA fatigue attack overwhelms the target with repeated MFA verification requests, in the hope that they will eventually approve a legitimate prompt and authorize the attacker's login. A related but distinct technique redirects the user to a spoofed website, where they enter a valid MFA one-time passcode that the attacker then submits to the real login page, giving the attacker unauthorized access to the user's account. MFA fatigue can be used during an attack campaign to gain initial access, or at a later stage when attackers seek to move laterally [TA0008] through a network.
The attacker inundates the victim's email, phone, or registered devices with prompts to coerce them into confirming an authentication attempt, unwittingly granting the attacker access. The attack leverages the victim's familiarity with receiving authentication notifications and may induce fear, confusion, urgency, or simply fatigue. Faced with continuous notifications from a trusted, or seemingly trusted, system, individuals may eventually approve one, assuming it to be a legitimate request or simply to make the notifications stop.
Another important factor in MFA exhaustion attacks is that not all MFA implementations work the same way. Some, typically push-based implementations tied to the service being logged into, only require the user to tap a button or link in an SMS message, email, or system notification pop-up to approve the login attempt. These interactive notifications serve as the second factor, streamlining authentication to a single tap on the device screen. Crucially, the user is never asked to prove that they initiated the login: a single tap approves whichever session generated the prompt, whether the user's own or the attacker's.
The simplicity and prevalence of push-notification-based authentication have contributed to the rise in popularity of MFA fatigue attacks among cybercriminal groups. Notable instances include the September 2022 Uber breach attributed to the Lapsus$ hacking group and more recent incidents involving the Midnight Blizzard threat actor targeting service desks and other accounts.
On the other hand, an authenticator that generates time-sensitive one-time passcodes (OTPs) separately from the app being logged into is more resistant, because it places an additional burden on the attacker: they must also redirect the victim to a spoofed website, collect the OTP, and enter it into their own login session before it expires. This raises the bar rather than closing the gap; OTPs remain phishable by a real-time relay, and only phishing-resistant methods such as hardware security tokens bound to the legitimate site (FIDO2/WebAuthn) take the user out of the decision entirely.
Of course, once you have enabled MFA on a sensitive account to protect against stolen credentials, remember that MFA one-time passcodes should never be shared with anyone, including a caller claiming to be from IT or the service desk.
By adopting a multifaceted approach that combines technological controls, user education, and proactive security measures, organizations can effectively mitigate the risk of MFA fatigue attacks and enhance overall cybersecurity resilience.
Use Time-Sensitive OTP-Based MFA: Implementing one-time password (OTP) based MFA adds a layer of protection against attackers attempting to exploit MFA fatigue. Instead of relying on "Is this you?" prompts, OTPs are generated in a separate authenticator app and must be typed into the login form by the user. This places an additional burden on the attacker, who must also convince the victim to hand over a valid OTP through a spoofed website. Time-based one-time passwords (TOTPs) are only valid for a short window, so a captured code cannot be reused once it expires; the verifying server should also reject a code that it has already accepted for the same time step, so that a code captured once cannot be replayed within the window.
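The two properties argued for above (a TOTP expires after a short window, and an already-used code must not be accepted a second time) are easy to see in code. The following is an added example written for this article, not code from the original post or from any vendor: it implements RFC 4226 HOTP and RFC 6238 TOTP with the standard library, and a small server-side verifier that tolerates one step of clock skew while refusing replays. The secret is the 20-byte ASCII key from the RFC 6238 test vectors, so the generated codes can be checked against the published values; the `TotpVerifier` class and its skew policy are this example's own design, not any particular product's.

```python
import hashlib
import hmac
import struct

# Constructed example secret: the 20-byte ASCII key used by the RFC 6238 Appendix B test vectors.
# A real deployment generates a random per-user secret and never hard-codes it.
RFC6238_SECRET = b"12345678901234567890"
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 8) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 64-bit counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 8, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second intervals since the epoch."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server-side verifier (example design, not a vendor implementation).

    Accepts a code for the current time step, plus or minus `skew_steps` to absorb clock drift,
    and remembers the highest step for which a code has been accepted. Any later attempt with a
    code for that step, or an older one, is rejected, so a code phished or shoulder-surfed once
    cannot be replayed even inside its validity window.
    """

    def __init__(self, secret: bytes, digits: int = 8, step: int = STEP_SECONDS, skew_steps: int = 1):
        self.secret = secret
        self.digits = digits
        self.step = step
        self.skew_steps = skew_steps
        self.last_accepted_step = -1

    def verify(self, code: str, unix_time: int) -> bool:
        current_step = unix_time // self.step
        for delta in range(-self.skew_steps, self.skew_steps + 1):
            candidate_step = current_step + delta
            if candidate_step <= self.last_accepted_step:
                continue  # already consumed (or older than a consumed code): treat as replay
            expected = hotp(self.secret, candidate_step, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self.last_accepted_step = candidate_step
                return True
        return False


def demo() -> tuple:
    """Walk one code through first use, an in-window replay, and an attempt after expiry."""
    login_time = 59  # RFC 6238 test time: step 1, expected code 94287082
    code = totp(RFC6238_SECRET, login_time)
    verifier = TotpVerifier(RFC6238_SECRET)
    first_use = verifier.verify(code, login_time)                       # legitimate login
    replay = verifier.verify(code, login_time + 5)                      # same code, seconds later
    expired = verifier.verify(code, login_time + 3 * STEP_SECONDS)      # well outside the window
    return first_use, replay, expired


if __name__ == "__main__":
    print("code at t=59:", totp(RFC6238_SECRET, 59))
    print("first use, replay, expired:", demo())
```

The `last_accepted_step` bookkeeping is what turns "the code expires in 30 seconds" into "the code works exactly once": without it, an attacker who captures a code through a spoofed page can still use it on the real site for the rest of the window, even after the victim has logged in.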
Use Robust Authentication Solutions: Deploy biometric, context-aware, and adaptive authentication. Adopting a zero-trust architecture ensures that every user and device attempting to access resources within the network is rigorously authenticated and authorized, regardless of location or network environment. By continuously verifying identities and monitoring access, zero trust limits what a single mistakenly approved MFA prompt can reach.
Utilize Conditional Access Controls: Identity platforms such as Microsoft Entra ID (formerly Azure Active Directory) can enforce conditional access policies that restrict access to approved devices, locations, or sign-in methods. They can also detect repeated attempts against an account and block sign-in once a defined rate limit is exceeded. If push notifications must remain in use, enable number matching, which requires the user to type a number displayed on the login screen into the authenticator; this turns a blind "Approve" into proof that the user is looking at the session that generated the prompt, and Microsoft now enforces it by default for Microsoft Authenticator push notifications.
Conduct Continuous User Education: Training users about these attacks, and in particular that they should never approve an MFA prompt they did not initiate and should report unexpected prompts to the security team, makes them more skeptical and reduces the chance of falling prey to such attacks.
Enforce Password Strength And Complexity: Promoting good password hygiene reduces the chance that attackers obtain valid credentials in the first place. Require strong, unique passwords, screen them against breached-password lists, and prevent reuse. Note that current NIST guidance (SP 800-63B) recommends against forcing periodic password changes, since they push users toward predictable patterns; instead, force a change when there is evidence of compromise.
Use Least Privilege Access: Adopt the principle of least privilege (POLP) to limit user access to only the resources necessary for their tasks. By restricting access rights based on specific roles and responsibilities, organizations minimize the potential impact of a single account being approved into an attacker's hands.
Leverage AI and Machine Learning: Use machine-learning-based threat detection to identify anomalous behaviour indicative of MFA bombing, such as a burst of denied or unanswered MFA prompts for one account followed by an approval, and to trigger a proactive response such as locking the account or revoking the session before the attacker can act.
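The rate-limit check under "Utilize Conditional Access Controls" and the anomaly pattern under "Leverage AI and Machine Learning" are the same signal seen from two sides: a burst of MFA prompts that the user denies or ignores, and then one that gets approved. The following detection is an added example written for this article, not code from the original post or from any vendor. It runs over a handful of constructed sign-in records (the field names `time`, `user`, `ip` and `result` are this example's own assumptions, not a real export format) and raises a medium alert when one account accumulates `THRESHOLD` unanswered or denied prompts inside `WINDOW_SECONDS`, escalating to high if a successful sign-in follows while the burst is still in the window.

```python
import json
from collections import defaultdict, deque
from datetime import datetime

THRESHOLD = 4          # failed/unanswered prompts within the window before alerting
WINDOW_SECONDS = 600   # sliding window length (10 minutes)
FAILED_PROMPT = {"mfa_denied", "mfa_timeout"}

# Constructed sample log (one JSON object per line). alice is being bombed and finally approves;
# bob denied one prompt and signed in later; carol has two spaced-out timeouts (normal noise).
SAMPLE_LOG = """
{"time": "2024-08-15T09:00:00+00:00", "user": "alice@example.com", "ip": "203.0.113.7", "result": "mfa_denied"}
{"time": "2024-08-15T09:00:10+00:00", "user": "bob@example.com",   "ip": "198.51.100.4", "result": "mfa_denied"}
{"time": "2024-08-15T09:00:45+00:00", "user": "alice@example.com", "ip": "203.0.113.7", "result": "mfa_denied"}
{"time": "2024-08-15T09:01:30+00:00", "user": "alice@example.com", "ip": "203.0.113.7", "result": "mfa_timeout"}
{"time": "2024-08-15T09:01:40+00:00", "user": "carol@example.com", "ip": "192.0.2.9",    "result": "mfa_timeout"}
{"time": "2024-08-15T09:02:00+00:00", "user": "alice@example.com", "ip": "203.0.113.7", "result": "mfa_denied"}
{"time": "2024-08-15T09:02:30+00:00", "user": "alice@example.com", "ip": "203.0.113.7", "result": "mfa_denied"}
{"time": "2024-08-15T09:03:20+00:00", "user": "alice@example.com", "ip": "203.0.113.7", "result": "success"}
{"time": "2024-08-15T09:08:20+00:00", "user": "bob@example.com",   "ip": "198.51.100.4", "result": "success"}
{"time": "2024-08-15T09:11:40+00:00", "user": "carol@example.com", "ip": "192.0.2.9",    "result": "mfa_timeout"}
"""


def parse_records(text: str) -> list:
    """Parse JSON-lines records and attach an epoch timestamp for window arithmetic."""
    records = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["epoch"] = datetime.fromisoformat(rec["time"]).timestamp()
        records.append(rec)
    return sorted(records, key=lambda r: r["epoch"])


def detect_mfa_fatigue(records: list, threshold: int = THRESHOLD, window: int = WINDOW_SECONDS) -> list:
    """Sliding-window count of failed/unanswered MFA prompts per user.

    Emits one medium alert when a user's count reaches `threshold` inside `window` seconds
    (a likely bombing campaign in progress) and a high alert if that user then signs in
    successfully while the burst is still within the window (the victim probably gave in).
    """
    recent = defaultdict(deque)   # user -> epoch times of failed prompts still inside the window
    burst_open = set()            # users already alerted on for the current burst
    alerts = []
    for rec in records:
        user, t, result = rec["user"], rec["epoch"], rec["result"]
        q = recent[user]
        while q and t - q[0] > window:
            q.popleft()           # expire prompts that fell out of the window
        if result in FAILED_PROMPT:
            q.append(t)
            if len(q) < threshold:
                burst_open.discard(user)
            elif user not in burst_open:
                burst_open.add(user)
                alerts.append({
                    "user": user, "time": rec["time"], "severity": "medium",
                    "reason": f"{len(q)} denied or unanswered MFA prompts within {window}s",
                })
        elif result == "success":
            if len(q) >= threshold:
                alerts.append({
                    "user": user, "time": rec["time"], "severity": "high", "ip": rec["ip"],
                    "reason": f"successful sign-in after {len(q)} failed MFA prompts within {window}s",
                })
            q.clear()             # a completed sign-in closes the burst either way
            burst_open.discard(user)
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(parse_records(SAMPLE_LOG)):
        print(json.dumps(alert))
```

On the sample above only alice trips the detector: a medium alert at the fourth failed prompt and a high alert at the subsequent success, while bob's single denial and carol's two widely spaced timeouts stay silent. In production the high alert is the one to wire to an automated response (revoke the session, lock the account, page the on-call), and the threshold and window should be tuned against a baseline of how often your own users legitimately fumble a prompt.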
MFA fatigue attacks represent a significant cybersecurity threat, exploiting weaknesses in push-based MFA implementations and in human behavior. By adopting proactive security measures, including robust security controls and phishing-resistant MFA, user education, and anomaly-driven threat detection, organizations can effectively mitigate the risk of MFA fatigue attacks and enhance overall cybersecurity resilience.