Lapsus$ and SolarWinds hackers used an old trick to bypass MFA


Multi-factor authentication (MFA) is a core defense, among the most effective available, for preventing account takeovers. Besides requiring users to supply a username and password, MFA ensures that they also present an additional factor, whether a fingerprint, a physical security key, or a one-time password, before they can access an account. Nothing in this article should be read as saying MFA is anything other than essential.

That said, some forms of MFA are stronger than others, and recent events show that the weaker forms pose little obstacle to certain hackers. In the past few months, script kiddies such as the Lapsus$ data-extortion gang and elite Russian state threat actors (such as Cozy Bear, the group behind the SolarWinds hack) have both successfully defeated the protection.

Enter MFA prompt bombing

The strongest forms of MFA are based on a framework called FIDO2, developed by a consortium of companies to balance security and ease of use. It lets end users use fingerprint readers or cameras built into their devices, or dedicated security keys, to confirm that they are authorized to sign in to an account. FIDO2 forms of MFA are relatively new, so many services for both consumers and large organizations have yet to adopt them.

That is where the older, weaker forms of MFA come in. They include one-time passwords sent via SMS or generated by mobile apps such as Google Authenticator, and push prompts sent to a mobile app. When someone logs in with a valid password, they must either enter the one-time password into a field on the login page or tap a button displayed on their phone's screen.

It is this last form of authentication that the recent reports concern. One group using the technique, according to security firm Mandiant, is Cozy Bear, a band of elite hackers working for Russia's Foreign Intelligence Service. The group also goes by the names Nobelium, APT29, and the Dukes.

“Many MFA providers allow users to accept a phone app push notification or to receive a phone call and press a key as a second factor,” the Mandiant researchers wrote. “The [Nobelium] attacker took advantage of this and issued multiple MFA requests to the end user until the user accepted the authentication, allowing the threat actor to gain access to the account.”

Lapsus$, a hacking group that has breached Microsoft, Okta, and Nvidia in recent months, has also used the technique.

“No limit is placed on the number of calls that can be made,” a member of Lapsus$ wrote on the group's official Telegram channel. “Call the employee 100 times at 1 o'clock while he or she is trying to sleep, and he or she will more than likely accept it. Once the employee accepts the initial call, you can access the MFA enrollment portal and enroll a new device.”

The Lapsus$ member claimed the MFA prompt-bombing technique was effective against Microsoft, which said earlier this week that the hacking group had been able to access the computers of some of its employees.

“Even Microsoft!” the person wrote. “It was possible to log in to the Microsoft VPN of an employee from Germany and the USA at the same time and they didn't notice. It was possible to re-register two MFAs.”

Mike Grover, who sells red-team hacking tools to security professionals and works as a red-team consultant under the Twitter handle _MG_, told me the technique “is essentially a single method that takes many forms: tricking the user into acknowledging an MFA request. ‘MFA bombing’ has quickly become a descriptor, but this overlooks the quieter approaches.”

Here are some of the forms it takes:

  • Sending a batch of MFA requests and hoping the target finally accepts one to make the noise stop.
  • Sending one or two prompts per day. This method often attracts less attention, but “there is still a good chance the target will accept the MFA request.”
  • Calling the target, pretending to be part of the organization, and telling the target they need to send an MFA request as part of a business process.
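All three patterns above leave the same trace on the authentication server: more push prompts than a legitimate login needs, often with explicit denials before a late approval, and the Lapsus$ quote notes that no cap was placed on how many prompts could be sent. The script below is an added example, not code from the article, Mandiant, or any vendor; it assumes a constructed log format of `<timestamp> <user> <event>` with event names `PUSH_SENT`, `PUSH_DENIED` and `PUSH_APPROVED`, and the thresholds (more than 3 prompts in 10 minutes, quiet hours 00:00 to 06:00 UTC) are assumptions chosen for illustration. It shows a detector that flags bursts of prompts followed by an approval, and a server-side limiter that refuses to send further prompts once a cap is hit.

```python
"""Added example: spotting and throttling MFA push-prompt bombing.
Log format, event names and thresholds are assumptions for illustration."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

# Constructed sample events (not real data): "<UTC timestamp> <user> <event>".
# alice gets four prompts in under two minutes at 1 AM, denies two, then
# approves one; bob is a normal single-prompt login during working hours.
SAMPLE_LOG = """\
2022-03-29T01:02:10Z alice PUSH_SENT
2022-03-29T01:02:11Z alice PUSH_DENIED
2022-03-29T01:02:40Z alice PUSH_SENT
2022-03-29T01:02:42Z alice PUSH_DENIED
2022-03-29T01:03:05Z alice PUSH_SENT
2022-03-29T01:03:30Z alice PUSH_SENT
2022-03-29T01:03:31Z alice PUSH_APPROVED
2022-03-29T09:15:00Z bob PUSH_SENT
2022-03-29T09:15:04Z bob PUSH_APPROVED
"""

Event = Tuple[datetime, str, str]


def parse_log(text: str) -> List[Event]:
    """Parse the constructed log format into sorted (timestamp, user, event) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, kind = line.split()
            events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, kind))
    return sorted(events)


@dataclass
class Finding:
    user: str
    prompts: int                     # prompts sent inside the window
    denials: int                     # prompts the user explicitly denied
    approved_at: Optional[datetime]  # first approval inside the window, if any
    off_hours: bool                  # approval landed inside quiet hours


def in_quiet_hours(ts: datetime, start: int = 0, end: int = 6) -> bool:
    """True if ts falls in [start, end) hours UTC; the default covers the '1 AM' case."""
    return start <= ts.hour < end


def find_prompt_bombing(events: List[Event], window: timedelta = timedelta(minutes=10),
                        max_prompts: int = 3) -> List[Finding]:
    """Flag users who got more than max_prompts push prompts inside one window.
    A burst, several denials, then a late approval is the 'keep pushing until
    they accept' signature. One finding per user: the first burst over threshold."""
    by_user: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, user, kind in events:
        by_user[user].append((ts, kind))
    findings = []
    for user, evs in by_user.items():
        sent = [ts for ts, kind in evs if kind == "PUSH_SENT"]
        for ts in sent:
            burst = [t for t in sent if ts - window <= t <= ts]
            if len(burst) <= max_prompts:
                continue
            start, stop = burst[0], burst[0] + window
            in_win = [(t, k) for t, k in evs if start <= t <= stop]
            denials = sum(1 for _, k in in_win if k == "PUSH_DENIED")
            approvals = [t for t, k in in_win if k == "PUSH_APPROVED"]
            approved = approvals[0] if approvals else None
            findings.append(Finding(user, len(burst), denials, approved,
                                    approved is not None and in_quiet_hours(approved)))
            break
    return findings


class PushPromptLimiter:
    """Server-side cap: at most `limit` push prompts per user per `window`.
    A refused prompt should be logged and alerted on, not silently dropped."""

    def __init__(self, limit: int = 3, window: timedelta = timedelta(minutes=10)):
        self.limit, self.window = limit, window
        self._sent: Dict[str, Deque[datetime]] = defaultdict(deque)

    def allow(self, user: str, now: datetime) -> bool:
        q = self._sent[user]
        while q and now - q[0] > self.window:  # forget prompts outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


if __name__ == "__main__":
    for finding in find_prompt_bombing(parse_log(SAMPLE_LOG)):
        print(finding)
```

Run on the constructed log, the detector reports only alice: four prompts, two denials and an approval at 01:03:31 inside quiet hours, while bob's single prompt and approval are left alone. The limiter is the counterpart for the "no limit on calls" observation: the fourth prompt inside ten minutes is refused, and the slow "one or two a day" variant is the reason the detector also reports denials and off-hours approvals rather than relying on volume alone.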

“These are just examples,” Grover said, “but it's important to know that this isn't only the mass-bombing form.”

Elsewhere on Twitter, he wrote, “Red teams have been playing with variations on this for years. It has helped the companies fortunate enough to have a red team. But real-world attackers are advancing on this faster than the collective posture of most businesses is improving.”

Other researchers were quick to point out that the MFA prompt technique is not new.

“Lapsus$ did not invent ‘MFA prompt bombing,’” Greg Linares, a red team professional, tweeted. “Please stop crediting them… as if they created it. This attack vector was used in real-world attacks 2 years before Lapsus was a thing.”
