Skip to content
GOT FIDO2?

Lapsus$ and SolarWinds hackers both use the same old trick to bypass MFA

Not all MFA is created equal, as script kiddies and elite hackers have shown recently.

Dan Goodin | 135
Credit: Getty Images
Credit: Getty Images
Story text

Multifactor authentication (MFA) is a core defense that is among the most effective at preventing account takeovers. In addition to requiring that users provide a username and password, MFA ensures they must also use an additional factor—be it a fingerprint, physical security key, or one-time password—before they can access an account. Nothing in this article should be construed as saying MFA isn’t anything other than essential.

That said, some forms of MFA are stronger than others, and recent events show that these weaker forms aren’t much of a hurdle for some hackers to clear. In the past few months, suspected script kiddies like the Lapsus$ data extortion gang and elite Russian-state threat actors (like Cozy Bear, the group behind the SolarWinds hack) have both successfully defeated the protection.

Enter MFA prompt bombing

The strongest forms of MFA are based on a framework called FIDO2, which was developed by a consortium of companies balancing the needs of both security and simplicity of use. It gives users the option of using fingerprint readers or cameras built into the devices or dedicated security keys to confirm they are authorized to access an account. FIDO2 forms of MFA are relatively new, so many services for both consumers and large organizations have yet to adopt them.

That’s where older, weaker forms of MFA come in. They include one-time passwords sent through SMS or generated by mobile apps like Google Authenticator or push prompts sent to a mobile device. When someone is logging in with a valid password, they also must either enter the one-time password into a field on the sign-in screen or push a button displayed on the screen of their phone.

It’s this last form of authentication that recent reports say is being bypassed. One group using this technique, according to security firm Mandiant, is Cozy Bear, a band of elite hackers working for Russia’s Foreign Intelligence Service. The group also goes under the names Nobelium, APT29, and the Dukes.

“Many MFA providers allow for users to accept a phone app push notification or to receive a phone call and press a key as a second factor,” Mandiant researchers wrote. “The [Nobelium] threat actor took advantage of this and issued multiple MFA requests to the end user’s legitimate device until the user accepted the authentication, allowing the threat actor to eventually gain access to the account.”

Lapsus$, a hacking gang that has breached Microsoft, Okta, and Nvidia in recent months, has also used the technique.

“No limit is placed on the amount of calls that can be made,” a member of Lapsus$ wrote on the group’s official Telegram channel. “Call the employee 100 times at 1 am while he is trying to sleep, and he will more than likely accept it. Once the employee accepts the initial call, you can access the MFA enrollment portal and enroll another device.”

The Lapsus$ member claimed that the MFA prompt-bombing technique was effective against Microsoft, which earlier this week said the hacking group was able to access the laptop of one of its employees.

“Even Microsoft!” the person wrote. “Able to login to an employee’s Microsoft VPN from Germany and USA at the same time and they didn’t even seem to notice. Also was able to re-enroll MFA twice.”

Mike Grover, a seller of red-team hacking tools for security professionals and a red-team consultant who goes by the Twitter handle _MG_, told Ars the technique is “fundamentally a single method that takes many forms: tricking the user to acknowledge an MFA request. ‘MFA Bombing’ has quickly become a descriptor, but this misses the more stealthy methods.”

Methods include:

  • Sending a bunch of MFA requests and hoping the target finally accepts one to make the noise stop.
  • Sending one or two prompts per day. This method often attracts less attention, but “there is still a good chance the target will accept the MFA request.”
  • Calling the target, pretending to be part of the company, and telling the target they need to send an MFA request as part of a company process.

“Those are just a few examples,” Grover said, but it’s important to know that mass bombing is NOT the only form this takes.”

In a Twitter thread, he wrote, “Red teams have been playing with variants on this for years. It’s helped companies fortunate enough to have a red team. But real world attackers are advancing on this faster than the collective posture of most companies has been improving.”

Other researchers were quick to point out that the MFA prompt technique is not new.

“Lapsus$ did not invent 'MFA prompt bombing,'” Greg Linares, a red-team professional, tweeted. “Please stop crediting them… as creating it. This attack vector has been a thing used in real world attacks 2 years before lapsus was a thing.”

Good boy, FIDO

As noted earlier, FIDO2 forms of MFA aren’t susceptible to the technique, as they’re tied to the physical machine someone is using when logging in to a site. In other words, the authentication must be performed on the device that is logging in. It can’t happen on one device to give access to a different device.

But that doesn’t mean organizations that use FIDO2-compliant MFA can’t be susceptible to prompt bombing. It’s inevitable that a certain percentage of people enrolled in these forms of MFA will lose their key, drop their iPhone in the toilet, or break the fingerprint reader on their laptop.

Organizations must have contingencies in place to deal with these unavoidable events. Many will fall back to more vulnerable forms of MFA in the event that an employee loses the key or device required to send the additional factor. In other cases, the hacker can trick an IT administrator into resetting the MFA and enrolling a new device. In still other cases, FIDO2-compliant MFA is merely one option, but less secure forms are still permitted.

“Reset/backup mechanisms are always very juicy for attackers,” Grover said.

In other cases, companies that use FIDO2-compliant MFA rely on third parties to manage their network or perform other essential functions. If the third-party employees can access the company’s network with weaker forms of MFA, that largely defeats the benefit of the stronger forms.

Even when companies use FIDO2-based MFA everywhere, Nobelium has been able to defeat the protection. That bypass, however, was possible only after the hackers completely compromised a target's Active Directory, the heavily fortified database tool that network admins use to create, delete, or modify user accounts and assign them privileges to access authorized resources. That bypass is beyond the scope of this post because once an AD is hacked, it's pretty much game over.

Again, any form of MFA is better than no use of MFA. If SMS-delivered one-time passwords are all that’s available—as fallible and distasteful as they may be—the system is still infinitely better than having no MFA. Nothing in this post is intended to say that MFA isn’t worth the hassle.

But it’s clear that MFA on its own is not enough, and it hardly constitutes a box that organizations can check and be done with it. When Cozy Bear found these loopholes, no one was especially surprised, given the group’s infinite resources and top-notch tradecraft. Now that teenagers are using the same techniques to breach companies as powerful as Nvidia, Okta, and Microsoft, people are beginning to recognize the importance of using MFA correctly.

“While it may be tempting to dismiss LAPSUS$ as an immature and fame-seeking group,” reporter Brian Krebs of KrebsOnSecurity wrote last week, “their tactics should make anyone in charge of corporate security sit up and take notice.”

MFA prompt bombing may not be new, but it’s no longer something that companies can ignore.

Listing image: Getty Images

Photo of Dan Goodin
Dan Goodin Senior Security Editor
Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him at @dangoodin on Mastodon. Contact him on Signal at DanArs.82.
135 Comments