“MFA fatigue” is striking offices around the world; just ask leading tech firm Cisco. After a barrage of voice phishing attempts and fraudulent push notifications, an employee fell victim to an attack by accepting just one of these bogus notifications, causing a network breach that led to an extortion attempt on the company.
The MFA fatigue phenomenon stems from environments in which employees get continual notifications to verify a login, to the point that they start accepting these requests just to clear them and end the distraction. While MFA is meant to enhance security and provide a backup layer when account credentials are compromised, attackers have figured out how to leverage it as another network breach tool.
Cisco network breach traced back to employee pummelled by voice phishing, push request attempts
Given that many organizations are still grappling with implementation of mandatory MFA measures, it is likely that employees are not yet receiving adequate security awareness training on how attackers can abuse these systems. An organization can’t have MFA fatigue if most of it isn’t using MFA!
In addition to a general lack of staff training, IT departments may also not be set up to regard this as a potential threat. For example, they may not have tightened device controls enough to preclude the possibility, or may not have a response procedure in place for employees who notice suspicious requests and want to reach someone in security to warn them.
And though it should be common knowledge by now that major tech companies such as Google and Apple should not be expected to reach out to individual users by phone, the fact that this sort of voice phishing is on the rise indicates that there is still an awareness gap in this area. It is also being put to use creatively by state-sponsored threat groups in network breaches; a recent campaign by North Korea’s Lazarus hacking group included fake job offers from tech firms that could be accompanied by bogus phone calls.
While voice phishing is a sophisticated threat often undertaken by well-funded attackers, leveraging MFA fatigue is simple and can be done by nearly anyone. All it takes is pestering the target with requests until they relent. It’s basic but effective, and state-sponsored hackers have been observed using this approach as well (Russia’s groups seem particularly fond of it).
Recognizing (and dealing with) MFA fatigue
The Cisco network breach has been attributed to the Yanluowang ransomware gang, but the company was fortunate in that ransomware was never actually deployed. For whatever reason, most likely containment and a failure to move deep enough into the network, the attacker settled for taking screenshots of compromised files and emailing company executives with extortion threats before they were entirely removed from the environment.
The attacker got in by way of internal network credentials that an employee had synced with Google Chrome, first engaging in voice phishing by pretending to be calling from a number of different tech companies to gain access to the Google account. Despite this warning of fishy activity, the employee eventually fell prey to MFA fatigue as the attacker bombarded them with push requests to authorize a login.
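The push-request bombardment described above leaves a recognisable trace in MFA logs: a burst of denied or unanswered pushes for one account, then an approval. The following detection is an added example, not code from Cisco or from any MFA vendor; the log format and the sample events are constructed for illustration, and the window and threshold are assumptions to tune per environment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of MFA push events (not a real log): time, user, outcome.
SAMPLE_LOG = """\
2022-08-10T02:14:03Z alice push denied
2022-08-10T02:14:41Z alice push denied
2022-08-10T02:15:20Z alice push timeout
2022-08-10T02:16:02Z alice push denied
2022-08-10T02:17:15Z alice push denied
2022-08-10T02:18:30Z alice push approved
2022-08-10T09:00:00Z bob push approved
2022-08-10T09:30:00Z bob push denied
2022-08-10T13:05:00Z bob push approved
"""

WINDOW = timedelta(minutes=10)  # assumed look-back window for counting unapproved pushes
THRESHOLD = 3                   # assumed number of unapproved pushes that count as a burst


def parse_events(text):
    """Parse 'ISO-time user push outcome' lines into sorted (time, user, outcome) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, _, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, outcome))
    return sorted(events)


def detect_mfa_fatigue(events, window=WINDOW, threshold=THRESHOLD):
    """Return {user: alert} for users with >= threshold unapproved pushes inside `window`.
    Severity becomes 'approved-after-burst' when an approval lands while the burst is
    still inside the window, which is the MFA-fatigue outcome worth paging on."""
    recent = defaultdict(deque)  # user -> times of recent unapproved pushes
    alerts = {}
    for ts, user, outcome in events:
        q = recent[user]
        while q and ts - q[0] > window:  # drop pushes that fell out of the window
            q.popleft()
        if outcome != "approved":
            q.append(ts)
            if len(q) >= threshold:
                alerts.setdefault(user, {"first_burst": q[0], "severity": "burst"})
        elif len(q) >= threshold:  # approval while a burst is still live
            alerts[user] = {"first_burst": q[0], "severity": "approved-after-burst",
                            "approved_at": ts}
    return alerts
```

A single denied push, as with bob, never alerts; only the sustained burst, with or without the eventual approval, does.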
Cisco says that the attacker remained prowling around the perimeter for weeks after the network breach, trying to guess weak employee passwords and registering lookalike domain names for what is assumed to be a planned phishing campaign (which did not seem to materialize).
Given that employees will always be vulnerable to some sort of mistake, whether a phishing email coming from a legitimate-looking domain or a case of MFA fatigue in accepting a malicious request, the time is right to consider a shift in focus to recovery capabilities, encryption of all data in transit and automated password rotation among other potential measures that assume employee error is inevitable.