Published: Sep 22, 2022
Last week, Uber confirmed a major cybersecurity attack that compromised its internal communications and engineering systems. The company believes that someone affiliated with the hacking group Lapsus$ leveraged the MFA fatigue attack technique to compromise an Uber employee account.
According to the New York Times, the hackers social engineered the company’s worker after discovering his WhatsApp number. The intruders sent a direct message to the employee pretending to be an Uber IT staffer. They used the phishing technique to steal passwords and repeatedly sent multifactor authentication (MFA) login notifications. The Uber employee eventually accepted one of those login requests.
After gaining initial access, the attackers sent messages to a company-wide Slack channel announcing the massive security breach and reconfigured Uber’s OpenDNS. The screenshots revealed that the hackers had access to various internal systems, including G Suite accounts, Amazon Web Services, and code repositories.
An MFA fatigue attack is “the process of sending a high volume of push requests to the target’s mobile device until the user accepts, either accidentally or simply to attempt to silence the repeated push notifications they are receiving.” Threat actors are increasingly using this technique to target large organizations, such as Microsoft and Cisco.
Security researchers have advised organizations to add additional context (such as the application name and geographic location) in MFA push notifications to prevent MFA fatigue attacks. It is also recommended to combine additional context with number matching to boost sign-in security.
IT admins can enable additional context in the Azure AD portal by following the steps listed below:
It is important to note that IT admins can only enforce this policy on Microsoft Authenticator users. This means that those who have not been enrolled won’t be able to see the application name or geographic location. Moreover, additional context supported is not available for Active Directory Federation Services (AD FS) and Network Policy Server (NPS).