Identity-Based Attacks Increase, MFA-Thwarting Tactics Rise 

Multifactor authentication (MFA) push notification fatigue attacks are increasing and are proving more effective, according to Expel’s quarterly threat report, based on data from the company’s customer base.

The report also indicated that automated orchestration is proving to be a big advantage, with the median time to perform a remediation action automated via orchestration dropping to just 15 seconds from nearly 100 minutes. 

Expel’s security operations center (SOC) team saw that in more than 80% of successful business account compromise (BAC) attacks, MFA and conditional access were already configured.

Ben Brigida, director of security operations at Expel, said this was concerning because it demonstrated that MFA simply isn’t enough to prevent unauthorized access—and MFA fatigue attacks are likely a huge component of that.

“Attackers have found that simply overwhelming users with MFA requests is often enough to frustrate or annoy them into accepting,” he says. “Unfortunately, in doing so, they handed access to threat actors on a silver platter.”

MFA Fatigue

The report also noted only about half of the BAC incidents that were spotted resulted in the attacker successfully gaining access to the account; the other half were stopped by MFA or conditional access policies.

Brigida pointed out that MFA fatigue attacks are effective, in part, because threat actors rely on users’ humanity and the complexity of technology in general.

If there’s an opportunity to stop waves of annoying push notifications with the single click of a button, a lot of people are probably going to do so without realizing–or thinking about–the consequences, he said.

“Or the complexity is so high users don’t understand it’s a sign of an attack—instead thinking it must be something legitimate that they don’t fully understand that is generating the notifications,” he says. “The attacker’s goal is your frustration, annoyance and exhaustion.”

They want to wear users down so that they stop the alerts by any means necessary, providing them a foot in the door for potential compromise, he said.

Especially as more organizations turn to cloud identity providers for single sign-on (SSO), an attacker who compromises a single credential gains access to every business application behind that identity, not just email.

Brigida said that while MFA was a step in the right direction, attackers are just as capable of evolving as defenders—and they’re doing just that with the increase in these MFA fatigue attacks.

“For defenders to stay ahead, MFA will have to continue to evolve as threat actors do,” he says. 

He suggests organizations disable push-notification approvals altogether and instead require a PIN or a FIDO-compliant (Fast Identity Online) authenticator.

If that’s unrealistic, another option is to harden push notifications with number matching: the sign-in screen displays a number that the user must type into the authenticator app to approve the prompt, so a request can no longer be accepted with a blind tap. He says this could “significantly reduce” the risks associated with credential theft through phishing. It does not by itself stop a real-time phishing proxy, where the victim is shown the attacker’s sign-in and types that number in willingly; that is the gap the FIDO option closes.
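The pattern Brigida describes, a burst of push prompts the user rejects or ignores until one is finally approved, is also a detectable one. The following is an added example and not code from the report or from Expel: a detection run over constructed, simplified sign-in events. The field names, the ten-minute window and the five-prompt threshold are assumptions, not a real identity provider’s log schema or the report’s numbers.

```python
"""Flag MFA push-fatigue bursts: several denied or unanswered push prompts
for one account within a short window, followed by an approval.

Added example. The event schema, window and threshold are assumptions,
not a real identity provider's log format or the report's numbers.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumption: tune to your environment
MIN_FAILED_PUSHES = 5            # assumption: prompts rejected/ignored before the approval

# Constructed sign-in events (not real telemetry). result is one of
# "approved", "denied" (user tapped deny) or "timeout" (user ignored it).
EVENTS = [
    # alice: six prompts rejected or ignored in seven minutes, then an approval
    {"ts": "2022-10-03T08:00:05Z", "user": "alice@example.com", "method": "push", "result": "denied",   "ip": "203.0.113.7"},
    {"ts": "2022-10-03T08:01:10Z", "user": "alice@example.com", "method": "push", "result": "timeout",  "ip": "203.0.113.7"},
    {"ts": "2022-10-03T08:02:15Z", "user": "alice@example.com", "method": "push", "result": "denied",   "ip": "203.0.113.7"},
    {"ts": "2022-10-03T08:03:20Z", "user": "alice@example.com", "method": "push", "result": "timeout",  "ip": "203.0.113.7"},
    {"ts": "2022-10-03T08:04:25Z", "user": "alice@example.com", "method": "push", "result": "denied",   "ip": "198.51.100.9"},
    {"ts": "2022-10-03T08:05:30Z", "user": "alice@example.com", "method": "push", "result": "denied",   "ip": "198.51.100.9"},
    {"ts": "2022-10-03T08:06:40Z", "user": "alice@example.com", "method": "push", "result": "approved", "ip": "198.51.100.9"},
    # bob: one mistap then an approval, normal behaviour
    {"ts": "2022-10-03T09:00:00Z", "user": "bob@example.com",   "method": "push", "result": "denied",   "ip": "192.0.2.44"},
    {"ts": "2022-10-03T09:00:30Z", "user": "bob@example.com",   "method": "push", "result": "approved", "ip": "192.0.2.44"},
    # carol: five rejections, but the approval comes 26 minutes later, outside the window
    {"ts": "2022-10-03T07:00:00Z", "user": "carol@example.com", "method": "push", "result": "denied",   "ip": "203.0.113.7"},
    {"ts": "2022-10-03T07:01:00Z", "user": "carol@example.com", "method": "push", "result": "denied",   "ip": "203.0.113.7"},
    {"ts": "2022-10-03T07:02:00Z", "user": "carol@example.com", "method": "push", "result": "denied",   "ip": "203.0.113.7"},
    {"ts": "2022-10-03T07:03:00Z", "user": "carol@example.com", "method": "push", "result": "denied",   "ip": "203.0.113.7"},
    {"ts": "2022-10-03T07:04:00Z", "user": "carol@example.com", "method": "push", "result": "denied",   "ip": "203.0.113.7"},
    {"ts": "2022-10-03T07:30:00Z", "user": "carol@example.com", "method": "push", "result": "approved", "ip": "203.0.113.7"},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_push_fatigue(events, window=WINDOW, min_failed=MIN_FAILED_PUSHES):
    """Return one alert per approval that was preceded by at least `min_failed`
    denied or timed-out pushes for the same user inside `window`. Each alert
    records the approving IP and the distinct IPs behind the failed prompts,
    which is what an analyst pivots on next."""
    by_user = defaultdict(list)
    for e in events:
        if e["method"] == "push":
            by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        for i, e in enumerate(evs):
            if e["result"] != "approved":
                continue
            approved_at = parse_ts(e["ts"])
            failed = [
                p for p in evs[:i]
                if p["result"] in ("denied", "timeout")
                and approved_at - parse_ts(p["ts"]) <= window
            ]
            if len(failed) >= min_failed:
                alerts.append({
                    "user": user,
                    "approved_at": e["ts"],
                    "approving_ip": e["ip"],
                    "failed_before": len(failed),
                    "prompt_ips": sorted({p["ip"] for p in failed}),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(EVENTS):
        print(alert)
```

Only alice trips the rule here: bob’s single mistap is below the threshold and carol’s rejections fall outside the window. The approving IP and the set of IPs that generated the prompts are carried into the alert deliberately, since the next analyst step is to check whether the approving session matches the user’s usual device and location and to revoke it if it does not.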

JavaScript Files, Zipped ISO Files Popular Delivery Vectors

Brigida explained that in the past, macro-enabled Microsoft Word documents and Excel 4.0 macros were popular as an initial attack vector for pre-ransomware incidents.

Microsoft’s decision to block macros by default in Microsoft 365 applications earlier this year changed the game for attackers, forcing them to all but abandon those tactics in favor of zipped JavaScript and ISO files, containers that let the payload shed the Mark of the Web the macro block keys on, to gain initial entry to Windows-based environments.

“Our SOC team found that this method of malware delivery accounted for 70% of all pre-ransomware incidents, a significant rise as attackers pivot to new delivery methods in anticipation of Microsoft’s action,” he said. 
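Because the pivot Brigida describes moves the payload into an archive rather than a document, a mail or endpoint pipeline can screen archives for the pattern before a user double-clicks. The following added example (not Expel’s or Microsoft’s tooling) builds a constructed ZIP lure in memory and inspects it two ways: by the final suffix of each member name, which catches double-extension names such as `.pdf.js`, and by content, checking for the ISO 9660 `CD001` descriptor at byte offset 0x8001 so a renamed disk image is still caught. The extension list is an assumption to tune per environment.

```python
"""Screen a ZIP attachment for the zipped-script / disk-image delivery pattern.

Added example, not a vendor's tooling. The member names and bytes below are
constructed; the extension list is an assumption to tune per environment.
"""
import io
import zipfile

# Script and container types attackers drop inside archives (assumption: extend as needed).
RISKY_EXTS = {".js", ".jse", ".wsf", ".vbs", ".hta", ".iso", ".img", ".lnk"}

# ISO 9660: the primary volume descriptor sits at sector 16 (2048-byte sectors);
# its standard identifier "CD001" is at byte offset 0x8001.
ISO_MAGIC = b"CD001"
ISO_MAGIC_OFFSET = 0x8001


def risky_extension(name):
    """Return the matching risky suffix of a member name, else None.
    Only the final suffix counts, so "Invoice.pdf.js" is treated as JScript."""
    base = name.lower().rsplit("/", 1)[-1]
    for ext in RISKY_EXTS:
        if base.endswith(ext):
            return ext
    return None


def looks_like_iso(head):
    """True if the leading bytes carry an ISO 9660 primary volume descriptor."""
    end = ISO_MAGIC_OFFSET + len(ISO_MAGIC)
    return len(head) >= end and head[ISO_MAGIC_OFFSET:end] == ISO_MAGIC


def inspect_zip(blob):
    """Return (member_name, reason) findings for a ZIP given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = risky_extension(info.filename)
            if ext:
                findings.append((info.filename, f"risky extension {ext}"))
            # Sniff content too: a disk image renamed to .dat keeps its descriptor.
            with zf.open(info) as fh:
                head = fh.read(ISO_MAGIC_OFFSET + len(ISO_MAGIC))
            if looks_like_iso(head) and ext not in (".iso", ".img"):
                findings.append((info.filename, "ISO 9660 descriptor under a non-image name"))
    return findings


def build_sample_zip():
    """Constructed lure (no malware): a double-extension JScript name, a benign
    text file, and an empty ISO-shaped blob renamed to .dat."""
    fake_iso = bytearray(ISO_MAGIC_OFFSET + len(ISO_MAGIC) + 16)
    fake_iso[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] = ISO_MAGIC
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Invoice_2022-10.pdf.js", "// constructed placeholder, not a dropper\n")
        zf.writestr("readme.txt", "benign text\n")
        zf.writestr("Scan_0012.dat", bytes(fake_iso))
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in inspect_zip(build_sample_zip()):
        print(f"{member}: {reason}")
```

The content check matters more than the name check: renaming a `.iso` to `.dat` defeats an extension filter, but the volume descriptor stays where the ISO 9660 layout puts it. Password-protected archives, which hide member contents from this kind of scan, are a separate policy decision.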

He added that identity-based attacks, including credential theft, credential abuse and long-term access key theft, show no signs of slowing down, and will likely continue to be a challenge facing organizations into 2023.

The report found these attacks accounted for 59% of all incidents fielded this past quarter, an increase of three percentage points compared to Q2.

“As this attack method becomes more popular, organizations need to evolve their defense beyond single-factor authentication–even if it’s backed by conditional access,” Brigida says. 

That means organizations should keep building cybersecurity resilience, and a good first step is combining conditional access policies with multifactor authentication backed by phishing-resistant FIDO security keys.

“Multifactor authentication is still an important piece of the puzzle, but going a step further can make it significantly more secure,” he says. 

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.
