MFA Prompt Bombing: Why Your Second Factor Isn't Saving You
Attackers can bypass push-based multi-factor authentication by repeatedly triggering login prompts and persuading the user to approve one of them. The method relies on valid account credentials, a login portal that uses push-based MFA (such as a VPN or a cloud service), and a victim who receives an alert for each attempt. Attackers may use prompt bombing alone or combine it with vishing calls that impersonate IT support to wear down the target. If the user approves the prompt, the attacker is logged in as the victim, and security monitoring may not flag the activity because the login appears legitimate. The 2022 Cisco breach shows how this can succeed even against mature security programs once credentials are obtained and prompts are pushed to a phone.
"The attack requires three key elements to work: Valid account credentials, usually sourced from breached password dumps on the dark web; A login portal that uses push-based MFA (such as a VPN, Microsoft 365, Okta, or Duo); A victim who is alerted every time the attacker tries the login. Attackers repeatedly trigger the prompt, attempting to trick the target or wear them down to approve the request. Sometimes, attackers will pair prompt bombing with a vishing call pretending to be from IT, where they will try to socially engineer the target."
"If the prompt is approved, the attacker is logged in as that user. Security systems typically won't be alerted, as the login looks entirely legitimate. The danger is that these methods only need to work once. Attackers repeatedly trigger the prompt, attempting to trick the target or wear them down to approve the request."
"The 2022 Cisco breach is a key example of how effective this technique is against even mature security programs. An attacker linked to the Yanluowang ransomware group compromised a Cisco employee's personal Google account, which was syncing browser-stored credentials, including the employee's Cisco VPN password. From there, the attacker pushed MFA prompts to the employee's phone. That initially didn't work, so they began using vishing calls posing as trusted support organizations, speaking in various accents, and eventually convincing the employee to accept a"
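The summary above notes that a successful approval looks like a legitimate login, so monitoring has to key off the pattern that precedes it: a burst of denied or unanswered push prompts for one account, optionally followed by an approval. The following detector is an added example written for this page, not code from The Hacker News article or from any MFA vendor; the log format, the event names (`push_denied`, `push_timeout`, `push_approved`) and the sample lines are constructed for illustration, and the threshold and window are assumed starting values to tune against real push-MFA logs.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample push-MFA log (not real data). Fields: ISO timestamp, user,
# push result, source IP. Event names are an assumption for this example.
SAMPLE_LOG = """\
2024-05-01T08:00:02Z alice push_timeout 203.0.113.10
2024-05-01T08:00:41Z alice push_denied 203.0.113.10
2024-05-01T08:01:15Z alice push_timeout 203.0.113.10
2024-05-01T08:01:50Z alice push_denied 203.0.113.10
2024-05-01T08:02:30Z alice push_timeout 203.0.113.10
2024-05-01T08:03:05Z alice push_approved 203.0.113.10
2024-05-01T08:10:00Z bob push_approved 198.51.100.7
2024-05-01T09:00:00Z carol push_denied 198.51.100.9
2024-05-01T09:40:00Z carol push_approved 198.51.100.9
"""

# Assumed tuning values: alert once a user has this many unapproved prompts
# inside the sliding window. Tune against your own baseline of accidental denials.
BURST_THRESHOLD = 3
WINDOW = timedelta(minutes=10)

UNAPPROVED = ("push_denied", "push_timeout")


def parse_line(line):
    """Split one log line into (timestamp, user, result, source_ip)."""
    ts, user, result, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result, ip


def detect_prompt_bombing(log_text, threshold=BURST_THRESHOLD, window=WINDOW):
    """Scan log lines in order and return findings as dicts.

    - 'medium': a user accumulates `threshold` unapproved prompts within `window`
      (the bombing itself, before the victim has given in).
    - 'high': an approval arrives while the user's unapproved-prompt count is still
      at or above `threshold`, i.e. the login that looks legitimate but followed a burst.
    """
    recent = defaultdict(deque)  # user -> timestamps of unapproved prompts in window
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, result, ip = parse_line(line)
        q = recent[user]
        # Drop prompts that have aged out of the sliding window.
        while q and ts - q[0] > window:
            q.popleft()
        if result in UNAPPROVED:
            q.append(ts)
            # Fire exactly when the count crosses the threshold, not on every later prompt.
            if len(q) == threshold:
                findings.append({
                    "severity": "medium", "user": user, "ip": ip, "time": ts.isoformat(),
                    "reason": f"{len(q)} unapproved push prompts within {window}",
                })
        elif result == "push_approved" and len(q) >= threshold:
            findings.append({
                "severity": "high", "user": user, "ip": ip, "time": ts.isoformat(),
                "reason": f"push approved after {len(q)} unapproved prompts within {window}",
            })
            q.clear()  # the burst has been reported; start fresh for this user
    return findings


if __name__ == "__main__":
    for finding in detect_prompt_bombing(SAMPLE_LOG):
        print(finding)
```

On the constructed sample, alice triggers a medium finding at her third unapproved prompt and a high finding when the approval lands, while carol's single denial forty minutes before her approval has aged out of the window and bob produces nothing. The high-severity branch is the one worth routing to an analyst: it marks the session that monitoring would otherwise accept as a normal login, and the source IP it carries is the natural pivot for revoking that session and reviewing what it did.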
Read at The Hacker News