Multi-Factor Authentication Request Generation

Multi-Factor Authentication Request Generation [T1621]

Information

Name: Multi-Factor Authentication Request Generation
ID: T1621
Tactics:

Introduction

Multi-Factor Authentication (MFA) Request Generation is a technique identified within the MITRE ATT&CK framework (Technique ID: T1621) under the Credential Access tactic. Attackers leverage this method to prompt legitimate users with unsolicited MFA requests, hoping users unintentionally approve them. This technique exploits user fatigue or confusion, ultimately allowing attackers unauthorized access to protected resources.

Deep Dive Into Technique

Attackers employing MFA Request Generation typically execute the following steps and mechanisms:

Credential Acquisition: Attackers initially obtain valid user credentials through phishing, credential stuffing, or password spraying attacks.
Triggering MFA Requests: After obtaining valid credentials, attackers repeatedly attempt authentication, causing legitimate users to receive multiple MFA prompts on their devices.
User Fatigue (MFA Fatigue): Attackers rely on user confusion or fatigue, hoping users mistakenly approve the MFA request, granting attackers access.
Social Engineering Component: In some scenarios, attackers may directly contact users (via phone calls, SMS, or emails) posing as IT support, urging the user to approve the MFA request.
Technical Execution Methods:
- Automated scripts or bots to repeatedly trigger MFA prompts.
- Manually triggering MFA requests using compromised credentials.
- Leveraging legitimate cloud services and authentication providers (Azure AD, Okta, Duo Security) to generate MFA requests.

When this Technique is Usually Used

Attackers typically utilize MFA Request Generation during the following attack scenarios and stages:

Initial Access Stage: Attackers attempt to bypass initial security controls after obtaining valid credentials.
Persistence Stage: Attackers repeatedly trigger MFA prompts to maintain or regain access after initial compromise.
Privilege Escalation and Lateral Movement: Attackers may use compromised credentials and MFA fatigue to escalate privileges or move laterally within environments.
Targeted Phishing Campaigns: MFA Request Generation is frequently used alongside spear-phishing attacks targeting specific individuals within organizations.
Account Takeover Attacks: Attackers leverage MFA fatigue techniques to take control of high-value user accounts, such as administrators or executives.

How this Technique is Usually Detected

Organizations can employ the following detection methods, tools, and indicators to identify MFA Request Generation attacks:

Behavioral Analytics and Monitoring:
- Unusual spikes in MFA request volume for specific users or groups.
- Repeated failed MFA attempts from unfamiliar IP addresses or geographic locations.
Security Information and Event Management (SIEM):
- Correlation rules identifying multiple MFA requests within short timeframes.
- Alerts triggered by repeated MFA failures or unusual authentication patterns.
Endpoint Detection and Response (EDR) and User and Entity Behavior Analytics (UEBA):
- Detection of anomalous user behavior patterns and abnormal authentication activity.
Identity and Access Management (IAM) Solutions:
- Monitoring and alerting for unusual MFA activity, including multiple denied or unanswered MFA prompts.
Specific Indicators of Compromise (IoCs):
- Multiple MFA requests generated within short intervals.
- MFA requests originating from unknown or suspicious IP addresses or regions.
- User reports or helpdesk tickets indicating unsolicited MFA requests or suspicious login attempts.

Why it is Important to Detect This Technique

Early detection of MFA Request Generation is critical due to the following potential impacts and risks:

Unauthorized Access: Successful MFA fatigue attacks lead to unauthorized access to sensitive data, critical applications, and infrastructure.
Data Breaches and Exfiltration: Attackers gaining unauthorized access may exfiltrate sensitive information, intellectual property, or personally identifiable information (PII).
Account Takeover and Privilege Escalation: Compromised accounts may escalate privileges, allowing attackers to gain administrative control over critical systems.
Reputational Damage: Organizations suffering successful MFA fatigue attacks experience loss of trust, customer confidence, and potential regulatory penalties.
Operational Disruption: Attackers leveraging unauthorized access can disrupt business operations, causing downtime and financial losses.
Compliance Violations: Failure to detect and mitigate MFA fatigue attacks may lead to regulatory non-compliance and associated penalties.

Examples

Real-world examples demonstrating MFA Request Generation attacks include:

Uber Breach (2022):
- Attack Scenario: Attacker obtained employee credentials and repeatedly sent MFA push notifications, eventually contacting the employee via WhatsApp, posing as IT support and convincing the employee to accept the request.
- Tools Used: Social engineering via WhatsApp, credential harvesting techniques.
- Impact: Unauthorized access to internal systems, exposure of sensitive data, and significant reputational damage.
LAPSUS$ Group Attacks (2022):
- Attack Scenario: Targeted large technology companies by repeatedly initiating MFA prompts until employees mistakenly approved requests.
- Tools Used: Credential theft, MFA fatigue techniques, social engineering via phone calls and messaging.
- Impact: Compromise of internal systems, data exfiltration, and extensive media coverage highlighting security weaknesses.
Microsoft Incident (2022):
- Attack Scenario: Attackers used MFA fatigue techniques targeting Microsoft employees, repeatedly triggering MFA notifications until an employee mistakenly approved the request.
- Tools Used: Persistent MFA request triggering, credential theft methods.
- Impact: Limited compromise of internal systems, prompting Microsoft to implement additional security measures and awareness training.
Cisco Systems Breach (2022):
- Attack Scenario: Attackers obtained valid credentials and repeatedly triggered MFA prompts, followed by direct contact with the employee, posing as trusted support personnel.
- Tools Used: MFA fatigue, social engineering via phone calls, credential harvesting.
- Impact: Unauthorized access to Cisco internal network, highlighting the need for enhanced MFA security measures and employee awareness training.

Last updated 1 month ago

Introduction

Deep Dive Into Technique

Attackers employing MFA Request Generation typically execute the following steps and mechanisms:

Credential Acquisition: Attackers initially obtain valid user credentials through phishing, credential stuffing, or password spraying attacks.

Triggering MFA Requests: After obtaining valid credentials, attackers repeatedly attempt authentication, causing legitimate users to receive multiple MFA prompts on their devices.

User Fatigue (MFA Fatigue): Attackers rely on user confusion or fatigue, hoping users mistakenly approve the MFA request, granting attackers access.

Social Engineering Component: In some scenarios, attackers may directly contact users (via phone calls, SMS, or emails) posing as IT support, urging the user to approve the MFA request.

Technical Execution Methods:

Automated scripts or bots to repeatedly trigger MFA prompts.
Manually triggering MFA requests using compromised credentials.
Leveraging legitimate cloud services and authentication providers (Azure AD, Okta, Duo Security) to generate MFA requests.

When this Technique is Usually Used

Attackers typically utilize MFA Request Generation during the following attack scenarios and stages:

Initial Access Stage: Attackers attempt to bypass initial security controls after obtaining valid credentials.

Persistence Stage: Attackers repeatedly trigger MFA prompts to maintain or regain access after initial compromise.

Privilege Escalation and Lateral Movement: Attackers may use compromised credentials and MFA fatigue to escalate privileges or move laterally within environments.

Targeted Phishing Campaigns: MFA Request Generation is frequently used alongside spear-phishing attacks targeting specific individuals within organizations.

Account Takeover Attacks: Attackers leverage MFA fatigue techniques to take control of high-value user accounts, such as administrators or executives.

How this Technique is Usually Detected

Organizations can employ the following detection methods, tools, and indicators to identify MFA Request Generation attacks:

Behavioral Analytics and Monitoring:

Unusual spikes in MFA request volume for specific users or groups.
Repeated failed MFA attempts from unfamiliar IP addresses or geographic locations.

Security Information and Event Management (SIEM):

Correlation rules identifying multiple MFA requests within short timeframes.
Alerts triggered by repeated MFA failures or unusual authentication patterns.

Endpoint Detection and Response (EDR) and User and Entity Behavior Analytics (UEBA):

Detection of anomalous user behavior patterns and abnormal authentication activity.

Identity and Access Management (IAM) Solutions:

Monitoring and alerting for unusual MFA activity, including multiple denied or unanswered MFA prompts.

Specific Indicators of Compromise (IoCs):

Multiple MFA requests generated within short intervals.
MFA requests originating from unknown or suspicious IP addresses or regions.
User reports or helpdesk tickets indicating unsolicited MFA requests or suspicious login attempts.

Why it is Important to Detect This Technique

Early detection of MFA Request Generation is critical due to the following potential impacts and risks:

Unauthorized Access: Successful MFA fatigue attacks lead to unauthorized access to sensitive data, critical applications, and infrastructure.

Data Breaches and Exfiltration: Attackers gaining unauthorized access may exfiltrate sensitive information, intellectual property, or personally identifiable information (PII).

Account Takeover and Privilege Escalation: Compromised accounts may escalate privileges, allowing attackers to gain administrative control over critical systems.

Reputational Damage: Organizations suffering successful MFA fatigue attacks experience loss of trust, customer confidence, and potential regulatory penalties.

Operational Disruption: Attackers leveraging unauthorized access can disrupt business operations, causing downtime and financial losses.

Compliance Violations: Failure to detect and mitigate MFA fatigue attacks may lead to regulatory non-compliance and associated penalties.

Examples

Real-world examples demonstrating MFA Request Generation attacks include:

Uber Breach (2022):

Attack Scenario: Attacker obtained employee credentials and repeatedly sent MFA push notifications, eventually contacting the employee via WhatsApp, posing as IT support and convincing the employee to accept the request.
Tools Used: Social engineering via WhatsApp, credential harvesting techniques.
Impact: Unauthorized access to internal systems, exposure of sensitive data, and significant reputational damage.

LAPSUS$ Group Attacks (2022):

Attack Scenario: Targeted large technology companies by repeatedly initiating MFA prompts until employees mistakenly approved requests.
Tools Used: Credential theft, MFA fatigue techniques, social engineering via phone calls and messaging.
Impact: Compromise of internal systems, data exfiltration, and extensive media coverage highlighting security weaknesses.

Microsoft Incident (2022):

Attack Scenario: Attackers used MFA fatigue techniques targeting Microsoft employees, repeatedly triggering MFA notifications until an employee mistakenly approved the request.
Tools Used: Persistent MFA request triggering, credential theft methods.
Impact: Limited compromise of internal systems, prompting Microsoft to implement additional security measures and awareness training.

Cisco Systems Breach (2022):

Attack Scenario: Attackers obtained valid credentials and repeatedly triggered MFA prompts, followed by direct contact with the employee, posing as trusted support personnel.
Tools Used: MFA fatigue, social engineering via phone calls, credential harvesting.
Impact: Unauthorized access to Cisco internal network, highlighting the need for enhanced MFA security measures and employee awareness training.