Attack

Weak Security Controls

Last week, multiple government agencies released a joint Cybersecurity Advisory to raise awareness about insufficient security configurations, weak controls, and other areas where cyber criminals easily gain access to company networks. This advisory lists out the best practices to protect your systems and goes into them in detail:

• Control access.
• Harden credentials.
• Establish centralized log management.
• Use antivirus.
• Employ detection tools.
• Operate services exposed on internet-accessible hosts with secure configurations.
• Keep software updated.

This advisory also details some of the most common ways that attackers are gaining access to internal networks and explains the mitigation efforts that can be taken to prevent such attacks:

• Exploit Public-Facing Applications
• External Remote Services
• Phishing
• Trusted Relationship
• Valid Accounts

It is essential that all organizations read or review this advisory and become familiar with the list of common exploit paths that attackers take to easily gain access to systems within the internal network. “As long as these security holes exist, malicious cyber actors will continue to exploit them,” said NSA Cybersecurity Director Rob Joyce. “We encourage everyone to mitigate these weaknesses by implementing the recommended best practices.” This advisory can be reviewed in detail here.

nGuard provides a wide variety of both tactical and strategic security assessments that can assist your organization in becoming more secure across the board. Tactical security assessments like external penetration testing, internal penetration testing, and social engineering can point out easily exploitable flaws that could lead an attacker to gaining some type of network access. Managed security services like vulnerability management and centralized log management provide ongoing protection as your network is being scanned for known vulnerabilities on an ongoing basis. Strategic security assessments give you one on one time with a qualified consultant who can help you build layers of security from the ground up. If you are reading this advisory and have any questions, nGuard is ready to talk with you and see where assistance is needed.

What Is It?
Multi-factor authentication (MFA) prompt bombing is a specific social engineering attack that bombards its victims with countless MFA push notifications. Generally, when people think of social engineering attacks, they think of suspicious emails or unexpected phone calls. However, MFA prompt bombing can be an even more effective strategy to gain access to people’s data, due to the fact it specifically uses social engineering tactics that target the human factor.  Below are a few different ways these MFA prompt bombing attacks are carried out:

• Send a large number of MFA prompt requests in hopes the user accepts to stop the distraction or annoyance.
• Send only a small number each day in hopes a user accepts at some point. This method is stealthier and is more likely to fly under the radar as a malicious attack.
• Call the user advising them they need to send an MFA prompt and they need to accept it.

The victim may ignore the first few notifications or calls, but at some point, may click accept to stop the annoyance and get back to what they were focusing on – all while not realizing what they have just done.

More and more authentication portals are adding the ability or requirement to

enable MFA notifications as a secondary form of authentication. The Center for Internet Security (CIS) Control 6 – Access Control Management requires MFA for external facing applications, remote network access, and administrative access. This attack is on the rise and will not be going away any time soon.

Recent Attacks Using This Technique
Back in March, nGuard released a Security Advisory about the Lapsus$ Crime Gang infiltrating Microsoft, Okta, and others. It turns out the group utilized this technique to gain access to these organizations. Lapsus$, in their Telegram channel said, “No limit is placed on the number of calls that can be made. Call the employee 100 times at 1 am while he is trying to sleep, and he will more than likely accept it. Once the employee accepts the initial call, you can access the MFA enrollment portal and enroll another device.”

The image below shows a conversation from their Telegram Channel discussing how they were going to attempt this attack:

The SolarWinds breach that occurred last year that allowed APT29 (Cozy Bear), a group out of Russia, to create backdoors in 18,000 SolarWinds customer’s environments utilized this very same technique.

nGuard’s Experience with MFA Prompt Bombing
nGuard has been using this attack in our social engineering methodology for quite some time. Using these tactics, nGuard has successfully gained access to client’s VPN portals protected by MFA to obtain internal network access numerous times. nGuard has also used this attack to gain access via an organization’s single sign-on (SSO) page, giving us access to many sensitive internal applications. To protect your organization from this attack you can:

• Conduct regular social engineering assessments to reinforce training.
• Train employees to only accept MFA prompts when they are actively authenticating to a service.
• Train employees to never give out MFA SMS codes to anyone.
• Report the unsolicited MFA prompts as fraudulent.
• Create alerts for anomalous events such as:
  • Time of access
  • Geolocation
  • Large number of MFA prompts events
• Draft a policy that states whether and how personal information is to be requested of employees via telephone.
• Conduct employee training to raise awareness of social engineering techniques.
• Train employees to identify and report suspicious requests for personal information.
• Segment employee workstations from higher security zones in the internal network to reduce exposure of critical internal systems to attack from compromised workstations.

If you want to test your users’ likelihood of falling victim to such social engineering attacks, contact your Account Executive or Security Consultant for more information.