Recent cyber breaches of large, high-value targets have alarmed security experts with Arctic Wolf Labs.  The team has observed recent cyber intrusions utilizing a technique known as Multi-factor Authentication (MFA) fatigue, or “prompt bombing”.

For this type of attack to work, the victim’s credentials are ideally already compromised.

This is typically done through other techniques such as phishing attacks, password spraying, brute force attacks, or from another leaked or compromised source.

Once the hacker has the victim’s credentials, they begin triggering a constant stream of sign-in approval requests to the victim’s MFA application.  The constant stream of notifications can make it seem like there may be a problem with the victim’s sign-in or MFA settings, and the hacker waits, hoping the victim will approve a request.  Once the victim approves the request, the hacker gains access to the target’s account.

This method has been used to gain initial access to high-profile targets in major breaches, such as an attack targeting Uber in September and another attack which targeted Cisco in August 2022.  It is increasingly important that you and your users be aware of such attacks, be diligent about passwords, and watch for the signs of MFA fatigue described below.

Preventing MFA Attacks from Succeeding

Multi-factor Authentication is a strong measure for securely accessing your accounts and preventing easy access by outside threat actors.  Security is a responsibility we all must take seriously, and MFA is only one tool that should be used in combination with other measures to create a complete security environment.

You should be on alert if you receive MFA push notifications with the following characteristics:

  1. Unexpected MFA request push notifications.
  2. Notifications from an unfamiliar location (for example, if the request is coming from a country or city that is outside the US).
  3. Receiving a call, email or message from someone claiming to be from your IT team performing an MFA test and asking you to accept the MFA request you received.
  4. A rapid-fire sequence of MFA request notifications.

When you receive an MFA notification, your first instinct should be to understand where it came from.  If you are not expecting to receive an MFA login request, you should ignore it, and work with your IT team if you continue to get unfamiliar MFA requests.

Some MFA providers and accounts allow you to limit the number of MFA notifications you receive.  If you can limit MFA notifications to 10 or fewer in every 24-hour period, this can help stop MFA fatigue attacks.
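
The warning signs listed above and the 24-hour limit can also be checked on the server side against MFA push logs. The following Python sketch is an added example, not code from Arctic Wolf Labs or any MFA provider; the event format, the burst threshold (4 pushes within 5 minutes), and the sample log are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

DAILY_CAP = 10                        # the article's limit: 10 or fewer per 24 hours
BURST_COUNT = 4                       # assumption: 4 pushes ...
BURST_WINDOW = timedelta(minutes=5)   # ... within 5 minutes counts as rapid-fire
HOME_COUNTRIES = {"US"}               # the article treats non-US requests as unfamiliar

def sample_events():
    """Constructed log: (ISO timestamp, user, country, result)."""
    start = datetime(2024, 1, 15, 2, 0)
    alice = [((start + timedelta(minutes=i)).isoformat(), "alice", "RO",
              "approved" if i == 11 else "denied") for i in range(12)]
    bob = [("2024-01-15T09:00:00", "bob", "US", "approved"),
           ("2024-01-15T17:00:00", "bob", "US", "approved")]
    return alice + bob

def analyze(events):
    """Return {user: set of flags} for users whose push history looks like prompt bombing."""
    history = defaultdict(deque)      # per-user push times in the last 24 hours
    findings = defaultdict(set)
    for ts, user, country, result in sorted(events):
        t = datetime.fromisoformat(ts)
        q = history[user]
        q.append(t)
        while t - q[0] > timedelta(hours=24):
            q.popleft()
        burst = sum(1 for x in q if t - x <= BURST_WINDOW) >= BURST_COUNT
        if len(q) > DAILY_CAP:
            findings[user].add("daily_cap_exceeded")
        if burst:
            findings[user].add("rapid_fire")
        if country not in HOME_COUNTRIES:
            findings[user].add("unfamiliar_location")
        if burst and result == "approved":
            # An approval in the middle of a burst is the outcome the attacker is waiting for.
            findings[user].add("approved_after_burst")
    return dict(findings)

if __name__ == "__main__":
    for user, flags in analyze(sample_events()).items():
        print(user, sorted(flags))
```

An `approved_after_burst` flag is the one to act on first: the password is already known to the attacker, so the session should be revoked and the password reset.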

It may also be a good idea to simply disable MFA push notification requests.  The most secure method of using MFA for login is to open the app and enter a code which is automatically changed on a short time interval.  Using MFA which sends a code to your phone or uses a push notification is less secure and susceptible to attack.

Natural Networks is a Managed Services Company that specializes in IT security and prevention for organizations nationwide.  Natural Networks can be your partner for all things IT security, and you can take advantage of integral cyber security for your network through a combination of training, hardware, and preventative hacking measures.

If you want to learn more about how Natural Networks can work with your organization to secure your IT, and help with all things IT, give us a call today!