Cybercriminals are increasingly using social engineering to gain access to corporate credentials and breach networks. One of the popular techniques that is gaining traction is MFA Fatigue.

What’s MFA Fatigue?

Several cybercriminals have started using MFA Fatigue (aka MFA push spam) technique in their attacks.
  • An MFA Fatigue attack happens when an attacker runs a script to log in with stolen credentials over and over with frequent MFA push requests being sent to the account owner's device.
  • They tend to keep this up for a long period of time to cause a sense of fatigue related to these MFA prompts, and eventually break down the target's cybersecurity defense.
  • In most instances, the attackers push repeated MFA notifications and contact the target via email, messaging platforms, or phone, pretending to be IT support to fool the user into accepting the MFA prompt.
  • At last, the targets are overwhelmed that they unintentionally click on the Approve button or accept the MFA request to stop the barrage of notifications they are receiving on their phone. 

This method is turning out to be more successful as it does not need malware or phishing infrastructure.

Recent attacks 

This type of technique has been successfully performed by two threat actors Yanluowang and Lapsus$, when breaching well-known organizations.
  • Recently, the Lapsus$ group managed to successfully log in to the Uber account by using illegally obtained credentials, believed to be obtained from the dark web. Then the attacker proceeded with MFA Fatigue, connecting with the targeted victim on Whatsapp posing as IT support, and persuading them to accept the MFA prompt.
  • In yet another incident, the Yanluwang group assessed Cisco VPN via a compromised Google account and is believed to have sent a lot of push requests for bypassing MFA.

What to do?

If an employee is being targeted by an MFA Fatigue attack, do not panic and approve the MFA request. Instead, contact IT admins or supervisors and explain the ongoing situation. Further, disable MFA Push notifications and enable number matching for increased security.
Cyware Publisher