Letโs get straight to it โ companies have been sold the idea that MFA is a magic bullet to prevent data breaches, it isnโt. It is simply a deterrent.
Social engineering is known to be a very effective way to bypass MFA (Multi-Factor authentication). Most commonly, through MFA fatigue or pretending to be from the I.T departmentโฆ With 323,972 social engineering attacks reported to the FBI between 2017-2021, it shouldnโt come as a huge surprise that a big juicy target like Uber & Rockstar were hit. Realistically, this number will increase dramatically, year after year.
Humans will always be the weakest link. You can be locked up like a fortress, but all it takes is a single clever attacker or an over-worked employee who is tired, for the attack to be successful. People naturally are less aware when their busy working, or if untrained, they arenโt equipped to spot the right signs of an MFA fatigue attack.
What is MFA fatigue?
An MFA Fatigue attack is when a malicious threat actor runs a script repeatedly, attempting to log in with stolen credentials again and again. This creates (what feels like) an endless stream of MFA push notifications, to be sent to the account ownerโs device.
Their intention? To break down the targetโs cyber security posture and inflict fatigue via the MFA prompts.
Training a user to report MFA prompts that they havenโt requested is pivotal in keeping your network secure. It should be best practice to teach all employees to ask questions like, โWhy would I.T call me about this? Is this normal?โ.
The Rockstar Attack.
With regards to the impersonation attack for Rockstar, people think this should be difficult to pull off in a big organisation, that is quite the opposite in my opinion. Smaller businesses know their employees. They know Dave from IT and they know that there is no John from IT. They know company practices and because work interrelationships are stronger, workers are more inclined to raise a concern when they have it.
In larger organisations, however, these can be lost. โIโve never spoken to anyone in IT before, so John must work hereโฆโ โ They donโt know what standard procedure is within IT departments and thatโs likely because itโs not a part of their day-to-day job.
So what can you do?
- A good defence against this type of attack would be to implement MFA with physical security keys. This adds an additional obstacle to attackers as they need the physical keys to access resources, even if they manage to trick a user.
- A zero-trust model could have possibly slowed the attacker down once they gained initial access. This model is designed to limit access so that people do not have more privilege/access than they need. This would have made lateral movement more difficult for the attacker.
Questions IT departments need to be asking.
- Are we prepared for insider attacks. Do we know how to respond and contain this type of incident?
- How is our network segregated and do we have multiple, vital systems on the same subnets where a hacker would be to traverse them?
Immediate take-aways.
- Assume no one is safe, that youโll be breached eventually and plan accordingly.
- Zero trust and rule of least privilege should be exercised wherever possible.
- Invest in your employees. They can be an extremely effective defence against attacks if they are properly trained.
- Teach employees how to report unwanted MFA prompts and suspicious phone calls โ make it best practice.
My thoughts? Uber & Rockstar shouldnโt be condemned outright for this attack โ unfortunately itโs true that most companies, big & small, could have fallen victim to this attack, and youโre only as strong as your weakest linkโฆ
