Two-factor authentication (also known as 2FA) is used for additional security when logging in, which is otherwise usually only secured with a password and user name. In some cases, multi-factor authentication (MFA) is also used for this purpose. Some of these systems now show security vulnerabilities that the ransomware group Lapsus$ has exploited. Victims of the attacks included Microsoft, Okta, Nvidia and Samsung.
Find out what's behind it here.
How two-factor or multi-factor authentication works
In the case of authentication via a further factor in addition to password and user name, many providers rely on acceptance of a push notification from a corresponding app on the smartphone. Others also let the customer receive a call, where the customer has to press a certain key as another factor.
Since there is no limit to the authentication attempts, this is where the Lapsus$ group comes in.
Hacking via "MFA Bombing
So-called "MFA bombing" refers to a process in which the attacker sends as many MFA requests to the user's corresponding device until the user accepts the authentication. Thus, a non-authorized person gains access to the account via a device newly registered by him with little detection.
"Call the employee 100 times at 1 a.m. while he is trying to sleep, and he will most likely answer it eventually. Once the employee answers a call, the MFA registration portal can be accessed and another device can be registered," a member of the Lapsus$ group reportedly wrote in a chat.
The basic procedure of "MFA bombing" is well known. It is all the more frightening that it has worked so often, and apparently even unnoticed. This was also the case at Microsoft, among others.
Damage to Microsoft, Okta, Nvidia and Samsung
Just recently, Microsoft and Okta reviewed unauthorized server access.
Microsoft did not initially confirm any unauthorized access. It was initially assumed that a repository with Azure DevOps source code was the target of the attackers. Recently, however, Microsoft reported attacks in which the perpetrators published a large part of the source code of Bing, Bing Maps and Cortana, among other things. In total, 37 GBytes from 250 different software projects were involved.
Okta is used as an identity and access management service provider by Cloudflare, among others. Cloudflare reported the incident, but assured that there was no evidence of a compromise.
Security researchers also pointed out that the attackers' target could be Okta customers' data. Allegedly leaked internal data was already circulating. Later Okta confirmed that there were already access attempts at the end of January. It was not possible to clarify who the attacker was; in any case, there are said to have been no further attempts since then.
Nvidia and Samsung already recognized malicious code signed with a certificate from Nvidia, so that operating systems trust it. The attackers allegedly tapped 1 TByte of data from Nvidia. Nvidia responded with a counterattack. However, Lapsus$ had already created a backup of the data, which the group now wants to publish piece by piece after unsuccessful attempts to blackmail Nvidia. The group published the 190 GB of captured data from Samsung via torrents.
Time will tell how great the damage potential for customers of these large corporations can still become. In the case of attacks via legitimate employee accounts, it is always difficult to say whether the attackers are really no longer up to their mischief in the networks and complex systems of the corporations or have already deposited backdoors there for future attacks.
Do you want to know that your information security is in good hands? Feel free to contact our team of experts!