Multi-factor authentication (MFA) was designed to enhance identity security by requiring a second factor for login. However, cyber attackers have found a way around this by manipulating users into providing the second factor themselves, rather than stealing it.
Organizations using push-based MFA are particularly vulnerable to this type of attack. Tools like Specops Secure Access are specifically created to address this issue. To understand how this attack works and how to prevent it, it’s important to delve deeper into the technique.
Understanding MFA prompt bombing
This attack relies on three main components:
- Stolen account credentials, often obtained from leaked password databases
- A login portal using push-based MFA (e.g., VPN, Microsoft 365, Okta)
- A targeted user who receives alerts for each login attempt
Attackers repeatedly send MFA prompts to the user, aiming to deceive or pressure them into approving the request. In some cases, attackers may combine prompt bombing with social engineering tactics, such as vishing calls posing as IT support. The success of these methods hinges on a single approval.
If the prompt is accepted, the attacker gains access to the user’s account without raising suspicion from security systems, as the login appears legitimate.
The Cisco breach
The 2022 Cisco breach serves as a prime example of the effectiveness of prompt bombing against even well-established security measures. In this incident, an attacker associated with the Yanluowang ransomware group compromised a Cisco employee’s personal Google account, which stored the employee’s Cisco VPN password.
The attacker then sent MFA prompts to the employee’s device. When this tactic failed, they resorted to vishing calls impersonating trusted entities, eventually convincing the employee to approve a push notification.
Once granted access, the attacker infiltrated the VPN, escalated privileges, accessed critical servers, and exfiltrated sensitive data before being detected. The success of prompt bombing against a robust organization like Cisco underscores the threat posed by this attack method.
The limitations of push MFA
The flaw in push-based MFA lies in the user’s limited information when approving a login request. Without clear details on the origin or device, users may struggle to differentiate legitimate requests from fraudulent ones. This ambiguity, coupled with repeated prompts, can lead users to dismiss suspicious activity as technical glitches rather than potential attacks.
When combined with a well-timed vishing call, users may unknowingly comply with malicious requests, assuming they are following standard procedures. This scenario exploits existing credentials in the attacker’s possession.
Preventing prompt bombing
1. Implement fatigue and phishing-resistant MFA methods
Replace push notifications with more secure MFA factors like FIDO2 security keys or hardware tokens to mitigate phishing risks. Specops Secure Access offers fatigue-resistant options for various access points, enhancing security.
2. Block compromised passwords preemptively
Scan Active Directory for compromised passwords regularly and enforce password resets to thwart prompt bombing attacks. Specops Password Auditor can help identify vulnerabilities in your AD environment.
3. Introduce contextual risk assessments
Utilize conditional access policies that consider factors like location, device status, and login patterns to preemptively block suspicious logins. This approach reduces reliance on user judgment and enhances real-time threat detection.
Conclusion
MFA prompt bombing underscores the importance of evolving security measures to combat evolving threats. While MFA remains crucial, it’s essential to enhance it with robust, phishing-resistant methods and proactive password hygiene practices. Organizations can strengthen their security posture by adopting advanced MFA solutions like Specops Secure Access. For expert guidance on enhancing identity security, consult with Specops.
