{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/mfa-fatigue/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Google Cloud Platform","Google Workspace"],"_cs_severities":["high"],"_cs_tags":["gcp","mfa","mfa-fatigue","credential-access"],"_cs_type":"advisory","_cs_vendors":["Google"],"content_html":"\u003cp\u003eThis analytic focuses on identifying potential MFA fatigue attacks targeting Google Cloud Platform (GCP) users. The technique involves an attacker repeatedly sending MFA push notifications or other authentication requests to a victim, overwhelming them in the hope they will eventually approve a request, either accidentally or to stop the barrage. This attack is particularly effective against users who are not technically savvy or who are under pressure to quickly resolve issues. The detection logic triggers when a user experiences 10 or more failed MFA attempts within a 5-minute window, based on Google Workspace login failure events. This is a notable indicator of a potential compromise attempt, as legitimate users rarely fail MFA multiple times in such a short period. Identifying and responding to these events promptly is crucial to prevent unauthorized access and potential privilege escalation within the GCP environment. The activity aligns with observed techniques used by threat actors like LAPSUS$ and Russian government-backed groups.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker obtains a valid username and password through phishing, credential stuffing, or purchasing stolen credentials.\u003c/li\u003e\n\u003cli\u003eAttacker attempts to log in to a GCP service or application using the compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe GCP environment prompts the user for MFA.\u003c/li\u003e\n\u003cli\u003eAttacker initiates a large number of login attempts within a short timeframe.\u003c/li\u003e\n\u003cli\u003eEach login attempt triggers an MFA request to the legitimate user's device (phone, authenticator app, etc.).\u003c/li\u003e\n\u003cli\u003eThe user is bombarded with MFA push notifications or prompts, leading to \u0026quot;MFA fatigue.\u0026quot;\u003c/li\u003e\n\u003cli\u003eThe user, either accidentally or intentionally, approves one of the MFA requests.\u003c/li\u003e\n\u003cli\u003eAttacker successfully authenticates and gains unauthorized access to the GCP account.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful MFA bypass can lead to complete account takeover, allowing the attacker to access sensitive data, modify configurations, escalate privileges, and potentially deploy malicious workloads within the GCP environment. Depending on the compromised account's permissions, the attacker could gain control over critical infrastructure, leading to data breaches, service disruptions, or financial losses. Previous MFA fatigue attacks have resulted in significant compromises, including access to government and business systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect multiple failed MFA requests (see \u003ccode\u003erules\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eReview and tune the threshold and time window in the Sigma rule based on your organization's baseline MFA behavior (see \u003ccode\u003erules\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to determine the legitimacy of the failed MFA attempts.\u003c/li\u003e\n\u003cli\u003eEnforce stricter MFA policies, such as requiring number matching or hardware security keys, to mitigate MFA fatigue attacks.\u003c/li\u003e\n\u003cli\u003eEducate users about MFA fatigue attacks and the importance of carefully reviewing MFA requests.\u003c/li\u003e\n\u003cli\u003eConsider implementing adaptive authentication measures that analyze login behavior and block suspicious requests.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T10:00:00Z","date_published":"2024-01-02T10:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-02-gcp-failed-mfa/","summary":"Detection of multiple failed multi-factor authentication (MFA) requests for a single user in Google Cloud Platform (GCP) within a short time window, potentially indicating an MFA fatigue attack attempting to bypass MFA and gain unauthorized access.","title":"GCP Multiple Failed MFA Requests Imply MFA Fatigue Attack","url":"https://feed.craftedsignal.io/briefs/2024-01-02-gcp-failed-mfa/"}],"language":"en","title":"CraftedSignal Threat Feed - Mfa-Fatigue","version":"https://jsonfeed.org/version/1.1"}