Researchers have discovered that Nobelium—the threat actor behind the infamous SolarWinds supply-chain attack, the Sunburst backdoor, TEARDROP malware, GoldMax malware, and other malicious activities—has found a way to use stolen credentials even when they require multi-factor authentication that relies on smartphone push notifications.
And the technique used by this highly sophisticated threat actor? Nag users until they get bored.
In a report by Mandiant that describes several attack stages and scenarios by this group, one that jumped out at me involved the threat actor compromising service providers, and then using the privileged access and credentials belonging to these providers, to compromise downstream customers.
Attackers used the stolen credentials in a login page, which triggered a push notification to a device belonging to the credentials' rightful owner. In theory the attacks should have been stopped there, because one of the two factors required for authentication—the push notification—needed the victim's consent. In practice, that didn't always work.
Nobelium used several tactics to get hold of valid credentials:
- CRYPTBOT, an info-stealing malware.
- Spear phishing campaigns.
- Password guessing or password spraying.
- Backdoors like FoggyWeb.
But often, having these credentials was not enough to gain access to the sensitive information the group was after. Most of the important services and assets required multi-factor authentication (MFA) authentication.
A brief introduction to MFA
Multi-factor authentication requires at least two different forms of authentication, from at least two out of three fairly broad categories:
- The “something you know” category is the factor we are most familiar with. It requires a person to enter information that they know in order to gain access to their account. Passwords and PIN codes are the most common examples, but things like security questions used by your bank also fall into this category.
- The “something you have” factor leans on something you have access to. That might be a separate email account or phone to which a verification code can be sent, but it can also be specialized hardware like a YubiKey.
- The “something you are” category centers on certain physical markers (biometrics) that can be analyzed by technology to prove your identity. The most common examples are fingerprints and face recognition.
The most common forms of multi-factor authentiction rely on a password (something you know) and a PIN code or push notification sent to your phone (something you have).
Push notifications as a second factor
Many MFA providers use a second factor that sends a push notification or phone call to a user's phone just after they've entered a password. Users are expected to press a key on a phone app to approve the login. (These fall into the “something you have” category, because you need physical access to the phone to approve the login.)
If a user receives a push notification out of the blue, at a time when they aren't trying to log in, that means somebody else is trying to use their password. If that happens they obviously aren't supposed to approve the login.
Mandiant's research reveals that a threat actor found a way around this form of authentication by simply issuing repeated MFA requests until the user became so bored, confused or frustrated they accepted.
Perhaps this shouldn't be a surprise. In circumstances where users are busy, pressed for time, or simply tired of dialog boxes or notifications, many have the gut reaction to do whatever it takes to stop the nuisance that is distracting them. If all they have to do is hit "OK" on a prompt (a prompt they have seen lots of times before when it was perfectly safe to hit "OK"), many may not even think twice. Or if they do, it will be too late.
Push vs SMS
Push notifications are often seen as an improvement over a more widely used but less secure form MFA that relies on SMS messages. Instead of hitting "OK" on a push notification, users enter a code—sent by SMS to their phone—alongside their username and password.
This attack shows that logic might not be right, at least not for everyone. Because push notifications are triggered automatically they could potentially be used in a “spray and pray” type of attack, where the threat actor tries to break into many different accounts at the same time, hoping that lots of people will absent-mindedly hit OK.
By contrast, attackers who want to compromise SMS-based MFA have to find a way to intercept the code being sent to the victim. Attacks often do this by persuading the victim's cellphone carrier that they own the number and want to move it to a different phone, which puts the attacker in possession of the victim's "someting you have". Although this is highly effective, and serious enough that it's causing people to move away from SMS-based MFA, it is very difficult to compromise lots of different phone numbers with this kind of "SIM swap" attack at the same time. So while it is very effective in targeted attacks, SIM swapping is completely unsuitable for large-scale attacks.
It's also worth noting that the reflex to click "OK" to stop the annoying prompts does not work for SMS.
SMS authentication can potentially be exploited on a large scale by phishing though. If attackers can lure victims to a fake login page they can capture their usernames, passwords, and 2FA codes and then forward them to the real login page. Obviously, due to the normally very limited lifespan of the code, the attacker will have to be fast.
Both SMS and push notication-based MFA are improvements over no MFA at all, but both have their flaws. As an organization you should consider using a more restrictive type of MFA, at least for important assets.
Hardware keys are a much more robust second factor. They may be more expensive, but imagine the cost of a major breach they could save you from.
Until you start using hardware keys, we hope that if you receive an unexpected prompt you will alert your security team, rather than try to get rid of it as fast as you can.
Stay safe, everyone!