What does Lapsus$ have in common with some of the world’s most infamous advanced persistent threats? Both have used a rather hilarious tactic dubbed MFA prompt bombing. Essentially, the goal is to send an overwhelming number of MFA prompts to the victim’s phone in the hope that the victim will grant access just to make the requests stop, ultimately annoying the victim into compromise.

MFA: A Brief Overview

Multifactor authentication, or MFA, is an integral part of many organizations’ cyber defense posture, specifically for preventing account takeovers. The “factors” in multifactor refer to the ways one can authenticate oneself. According to NIST SP 800-63-3 section 4.3.1 (https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-3.pdf), there are three broad methods of authenticating to a service or system. The first is “something you know”. This is most commonly expressed as a username and password, but it is also used in account recovery, with questions such as “What was your first pet’s name?” or “What was the make and model of your first car?”.

Another way to authenticate yourself is by presenting something you have (or being uniquely identified by something you have). If you’ve ever worked for the federal government, you’ve used this method of authentication to gain access to a base/building with an ID card. Other common examples are an RSA token, a Common Access Card (CAC), phones, etc.

Lastly, there is authenticating by presenting “something you are”, which sounds odd but makes sense. This method of authentication is highly accurate, but usually costly and/or inefficient. Some examples are your fingerprints, your retina, your voice pattern, facial recognition, and your handwriting patterns.

Multifactor authentication simply means using two or more of these methods in a single authentication. The most common example of this is something you know (username and password) and something you have (push notification on your phone or text to your phone number).

Cozy Bear and LAPSUS$

According to the cyber security firm Mandiant, formerly known as FireEye Mandiant, it has seen the Russian group APT 29, also known as Cozy Bear, Nobelium (by Microsoft), and the Dukes, utilizing MFA prompt bombing. APT 29 is a sophisticated nation-state sponsored actor believed to be associated with one or more Russian intelligence agencies. The AIVD (the Dutch General Intelligence and Security Service) has used CCTV footage to conclude that APT 29 is led by the Russian Foreign Intelligence Service (SVR); the cybersecurity firm CrowdStrike, however, has previously associated the group with the Federal Security Service (FSB).

Multifactor authentication providers often allow for a push notification or a phone call where you press a key to be granted access. This was exploited by both the Russian nation-state actors and the cybercrime group LAPSUS$. One can see how an employee without proper security training, or one using a shared account, may become increasingly annoyed and approve the MFA prompts, granting the attackers access. LAPSUS$ has also been seen doing this; in the screenshot below from their Telegram page they state, “no limit is placed on the amount of calls that can be made”. In the example they give, 100 MFA notifications at 1 AM may very well have a high success rate. After the victim has confirmed the MFA notification, the attackers then visit the MFA enrollment portal and enroll another device.

The LAPSUS$ group is a cybercrime group that has recently achieved infamy, or perhaps become a well-acquainted nuisance, for many corporate security teams, including those of Okta, Microsoft, NVIDIA, Samsung, and recently Globant, a Luxembourg software development company. While this tactic is heavily relied upon by LAPSUS$, people have been falsely crediting them with the creation of MFA prompt bombing. This simply isn’t the case; the method has been around for quite some time (roughly two years prior to LAPSUS$’s rise to infamy). While LAPSUS$ does frequently take the approach of compromise through annoyance, there are other techniques that perform the same task and may not raise as many flags during an internal log review.

[Screenshot of the LAPSUS$ Telegram post]

The first method is the one used by LAPSUS$: sending an overwhelming number of MFA requests, without stopping, in the hope that the target will finally accept one of them to make the constant requests stop. The second method is much stealthier, less likely to be reported or remembered by employees, and more difficult to see in logs. It involves issuing one or two prompts a day, most likely during the user’s normal workday. This attracts less attention from employees and security teams alike and still has a relatively high chance of success. The last method requires a bit more social engineering than the others. The attacker will call and pretend to be a member of the company, likely IT support staff, and tell the victim that they need to accept the MFA request as part of an internal test of the company’s systems and processes.
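The first two prompting patterns above, and the follow-on device enrollment mentioned earlier, each leave a trace in an identity provider’s MFA logs. The following Python is an added example, not code from the original post, that flags those traces in constructed sample events; the log layout, field names, event names and thresholds are all assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample MFA events "<ISO time> <user> <event> <result>"; the layout is an assumption, not a vendor schema.
SAMPLE_LOG = """\
2022-03-22T01:00:05Z alice push denied
2022-03-22T01:00:40Z alice push timeout
2022-03-22T01:01:10Z alice push denied
2022-03-22T01:01:45Z alice push timeout
2022-03-22T01:02:30Z alice push approved
2022-03-22T01:09:00Z alice enroll device_added
2022-03-21T10:15:00Z bob push timeout
2022-03-22T11:30:00Z bob push denied
2022-03-23T09:05:00Z bob push timeout
"""
def parse(text):
    """Parse log lines into (timestamp, user, event, result) tuples, sorted by time."""
    rows = []
    for line in text.strip().splitlines():
        ts, user, event, result = line.split()
        rows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, result))
    return sorted(rows)

def unapproved_pushes(rows):
    """Per-user sorted timestamps of denied or timed-out pushes (the fatigue signal)."""
    per_user = defaultdict(list)
    for ts, user, event, result in rows:
        if event == "push" and result in ("denied", "timeout"):
            per_user[user].append(ts)
    return per_user

def burst_alerts(rows, window=timedelta(minutes=10), threshold=4):
    """Method 1 (LAPSUS$ style): threshold or more unapproved pushes inside one window."""
    return {u for u, t in unapproved_pushes(rows).items()
            if any(t[i + threshold - 1] - t[i] <= window for i in range(len(t) - threshold + 1))}

def slow_drip_alerts(rows, min_days=3):
    """Method 2 (low and slow): unapproved pushes on at least min_days distinct days."""
    return {u for u, t in unapproved_pushes(rows).items()
            if len({ts.date() for ts in t}) >= min_days}

def enroll_after_approve(rows, window=timedelta(minutes=30)):
    """Follow-on step from the article: a new device enrolled shortly after an approval."""
    last_ok, alerts = {}, set()
    for ts, user, event, result in rows:
        if event == "push" and result == "approved":
            last_ok[user] = ts
        elif event == "enroll" and user in last_ok and ts - last_ok[user] <= window:
            alerts.add(user)
    return alerts
```

The third, phone-based method produces only a single approved push, so it needs help-desk or telephony context that the MFA log alone does not carry.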

Annoying but effective

Although this article highlights a pitfall of MFA, and while it can be viewed as a hassle for some employees, it is still an extremely effective tool for preventing unauthorized initial access. Any type of MFA is better than none. Even something as clunky and fallible as SMS-issued one-time passwords is better than having nothing. With nation-state sponsored actors, and now teenagers, using these techniques against powerful companies such as Microsoft, Okta, and NVIDIA, the importance of MFA in security architecture is underscored.

Brian Krebs from KrebsOnSecurity wrote “while it may be tempting to dismiss LAPSUS$ as an immature and fame-seeking group, their tactics should make anyone in charge of corporate security sit up and take notice.” While MFA Bombing may not be a novel idea, it is now becoming more ubiquitous given its recent limelight and rate of success.
