MFA

Iranian Threat Actors Use Password Spraying And MFA Push-Bombing To Hack Organizations In Critical Sectors

Wyatt Cyber Security and Cyber Crime, Data Privacy & Security , , , , , , , , ,

Written by: Kathie McDonald-McClure

On October 16, 2024, the Cybersecurity and Infrastructure Security Agency (“CISA”), the Federal Bureau of Investigation (“FBI”) and the National Security Agency (“NSA”) issued a Joint Cybersecurity Advisory warning that threat actors from Iran are using “password spraying” and Multi-Factor Authentication (MFA) “push-bombing” (also called “MFA fatigue”) to gain access to organization networks and web-based applications in the healthcare and public health (HPH), government, information technology, engineering, and energy sectors.  

With password spraying, the threat actor creates a list of usernames and then tries to login to each account with a single commonly used password. If the attempt fails, the attacker moves on to a different common password and tries again until they get a hit.  Even with MFA, using a strong password in the first instance can impede a threat actor’s further attempts to gain access via MFA push-bombing.

With MFA push-bombing, the threat actor sends a legitimate user’s smartphone a large number of MFA push-notifications, hoping that the user will click on one to stop the barrage.  Once the threat actor gains access to an account, they frequently register their devices with MFA to enable persistent access to the environment via a valid account.

The use of MFA push-notifications to a smartphone in the absence of a second form of authentication (e.g., entering a code in an Authenticator app) is particularly vulnerable to the use of brute force and credential access.  Does your network or any of your web-based applications rely solely on a push notification to gain access?  Specifically, if access to your network or a web-based application can be gained by a mere click on a link in a SMS or email message, or by answering a call to a mobile device and there is no second method of authentication before permitting access, talk to your IT team or the vendor of the web-based application about strengthening the authentication method. 

Regularly review your password policy to ensure it is up-to-date with best practices. Ensure users in your organization are educated on the password policy.  Also, educate permitted users on the network and web-based applications on the techniques used by threat actors to gain access via weak and reused passwords. Ensure users understand the criticality of denying MFA push-notification requests that they did not generate. 

Talk to your IT team today regarding the Joint Cybersecurity Advisory on the threats to weak passwords and MFA methods. As recommended in the Advisory, implement exercises, tests and validate your organization’s security programs against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in the Advisory (e.g., Modify Authentication Process: MFA and MFA Request Generation).

We regularly work with clients to assist in preparing or updating applicable IT information security policies and procedures. Learn more about Wyatt’s data privacy and cyber security practice by visiting the Wyatt Data Privacy & Cyber Security webpage.

CISA Discourages Use of App-Based, SMS and Voice MFAs and Encourages Phishing-Resistant MFAs

Kathie McDonald-McClure Cyber Security and Cyber Crime, Data Privacy & Security , , , , , , ,

Cyber Threat Actors Are Breaking the Security of Commonly Used MFAs

By: Kathie McDonald-McClure

A best practice in securing sensitive data is to deploy Multi-Factor Authentication (MFA) to prevent access by unauthorized users to internet-connected sources for such data. MFA requires authorized users to present a combination of two or more different authenticators (something you know, you have, or you are) to verify identity prior to access. MFA makes it more difficult for unauthorized users to gain access to servers and applications. For example, if one factor, such as a PIN, becomes compromised, the unauthorized user cannot gain access if they do not have the second factor, such as a mobile token or fingerprint.

Cyber security experts recommend MFA for all internet-facing applications with access to sensitive information. Such applications include remote desktop, Virtual Private Networks (VPNs), email accounts, financial and accounting software, file sharing and document management platforms, CRM, just to name a few.

Demonstrated compromises in commonly used MFAs prompts CISA to issue guidance. On October 31, 2022, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) released Guidance on Phishing-Resistant and Numbers Matching Multifactor Authentication. The CISA Guidance includes two Fact Sheets. One Fact Sheet, Implementing Phishing-Resistant MFA, describes the methods cyber threat actors are using to gain access to MFA credentials. These methods include phishing emails and malicious websites, MFA fatigue, exploitation of SS7 protocol vulnerabilities, and SIM swapping. This CISA Fact Sheet identifies App-Based MFA and SMS or Voice MFA as being particularly vulnerable to these methods of stealing MFA credentials.

CISA strongly encourages organizations currently using App-Based, SMS or Voice MFA to migrate to a Phishing-Resistant MFA for as many applications as is feasible. CISA indicates that the currently available Phishing-Resistant MFA options are limited to FIDO/WebAuthn (included in most major browsers) and the PKI-based MFA (smart cards used with SSO technologies). App-Based MFAs verify the identity of users either by generating a one-time password (OTP) or sending a “push” pop-up notification to the mobile application. SMS and Voice MFAs send a code to the user’s phone or email. The user then retrieves this second factor code from their text or email to use for login authentication. CISA says that SMS and Voice MFA should only be used as a last resort.

CISA acknowledges there are several stumbling blocks to the deployment of Phishing-Resistant MFAs. These include the lack of support for it in the organization’s existing systems and products, difficulty in deploying it to all staff members at once, and upper management concerns that users will resist the migration. Nevertheless, CISA recommends that the organization’s IT leadership prioritize the migration to Phishing-Resistant MFA in logical phases focusing on the technologies at highest risk, such as email systems, file servers, and remote access systems, and the users who are high-value targets, such as system administrators, attorneys, HR staff, and others with access to sensitive data.

What if your organization uses mobile push-notification based MFA and migration to Phishing-Resistant MFA is not feasible? CISA recommends using “number matching” in the MFA application to mitigate MFA fatigue. CISA says, “MFA fatigue, also known as ‘push bombing,’ occurs when a cyber threat actor bombards a user with mobile application push notifications until the user either approves the request by accident or out of annoyance with the nonstop notifications.” Refer to the CISA Fact Sheet titled, Implementing Number Matching in MFA Applications, for guidance on how to enable “number matching” on MFA configurations to prevent MFA fatigue.

So why is a lawyer writing this technical piece? We assist clients proactively to prevent security breaches and reactively after a security incident in the preparation or revision of IT data security policies and procedures necessary to meet regulatory, contractual, cyber insurance underwriting, and other third-party expectations. If you are looking for assistance in this area, and to learn more about Wyatt’s data privacy and security practice, visit Data Privacy and Cyber Security.

If you need additional information, please contact:

Kathie McDonald-McClure

Phone: 502.562.7526

Email: kmcclure@wyattfirm.com