GCP Multiple Failed MFA Requests Imply MFA Fatigue Attack
Detection of multiple failed multi-factor authentication (MFA) requests for a single user in Google Cloud Platform (GCP) within a short time window, potentially indicating an MFA fatigue attack attempting to bypass MFA and gain unauthorized access.
This analytic focuses on identifying potential MFA fatigue attacks targeting Google Cloud Platform (GCP) users. The technique involves an attacker repeatedly sending MFA push notifications or other authentication requests to a victim, overwhelming them in the hope they will eventually approve a request, either accidentally or to stop the barrage. This attack is particularly effective against users who are not technically savvy or who are under pressure to quickly resolve issues. The detection logic triggers when a user experiences 10 or more failed MFA attempts within a 5-minute window, based on Google Workspace login failure events. This is a notable indicator of a potential compromise attempt, as legitimate users rarely fail MFA multiple times in such a short period. Identifying and responding to these events promptly is crucial to prevent unauthorized access and potential privilege escalation within the GCP environment. The activity aligns with observed techniques used by threat actors like LAPSUS$ and Russian government-backed groups.
Attack Chain
- Attacker obtains a valid username and password through phishing, credential stuffing, or purchasing stolen credentials.
- Attacker attempts to log in to a GCP service or application using the compromised credentials.
- The GCP environment prompts the user for MFA.
- Attacker initiates a large number of login attempts within a short timeframe.
- Each login attempt triggers an MFA request to the legitimate user's device (phone, authenticator app, etc.).
- The user is bombarded with MFA push notifications or prompts, leading to "MFA fatigue."
- The user, either accidentally or intentionally, approves one of the MFA requests.
- Attacker successfully authenticates and gains unauthorized access to the GCP account.
Impact
Successful MFA bypass can lead to complete account takeover, allowing the attacker to access sensitive data, modify configurations, escalate privileges, and potentially deploy malicious workloads within the GCP environment. Depending on the compromised account's permissions, the attacker could gain control over critical infrastructure, leading to data breaches, service disruptions, or financial losses. Previous MFA fatigue attacks have resulted in significant compromises, including access to government and business systems.
Recommendation
- Deploy the provided Sigma rule to your SIEM to detect multiple failed MFA requests (see
rules). - Review and tune the threshold and time window in the Sigma rule based on your organization's baseline MFA behavior (see
rules). - Investigate any alerts generated by the Sigma rule to determine the legitimacy of the failed MFA attempts.
- Enforce stricter MFA policies, such as requiring number matching or hardware security keys, to mitigate MFA fatigue attacks.
- Educate users about MFA fatigue attacks and the importance of carefully reviewing MFA requests.
- Consider implementing adaptive authentication measures that analyze login behavior and block suspicious requests.
Detection coverage 2
GCP Multiple Failed MFA Requests
highDetects multiple failed MFA requests for a single user within a short time window, indicating a potential MFA fatigue attack.
GCP Failed MFA Request with new IP
mediumDetects multiple failed MFA requests originating from a new IP address, suggesting potential attacker activity.
Detection queries are available on the platform. Get full rules →