<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Mfa-Fatigue - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/mfa-fatigue/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 02 Jan 2024 10:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/mfa-fatigue/feed.xml" rel="self" type="application/rss+xml"/><item><title>GCP Multiple Failed MFA Requests Imply MFA Fatigue Attack</title><link>https://feed.craftedsignal.io/briefs/2024-01-02-gcp-failed-mfa/</link><pubDate>Tue, 02 Jan 2024 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-02-gcp-failed-mfa/</guid><description>Detection of multiple failed multi-factor authentication (MFA) requests for a single user in Google Cloud Platform (GCP) within a short time window, potentially indicating an MFA fatigue attack attempting to bypass MFA and gain unauthorized access.</description><content:encoded><![CDATA[<p>This analytic focuses on identifying potential MFA fatigue attacks targeting Google Cloud Platform (GCP) users. The technique involves an attacker repeatedly sending MFA push notifications or other authentication requests to a victim, overwhelming them in the hope they will eventually approve a request, either accidentally or to stop the barrage. This attack is particularly effective against users who are not technically savvy or who are under pressure to quickly resolve issues. The detection logic triggers when a user experiences 10 or more failed MFA attempts within a 5-minute window, based on Google Workspace login failure events. This is a notable indicator of a potential compromise attempt, as legitimate users rarely fail MFA multiple times in such a short period. Identifying and responding to these events promptly is crucial to prevent unauthorized access and potential privilege escalation within the GCP environment. The activity aligns with observed techniques used by threat actors like LAPSUS$ and Russian government-backed groups.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker obtains a valid username and password through phishing, credential stuffing, or purchasing stolen credentials.</li>
<li>Attacker attempts to log in to a GCP service or application using the compromised credentials.</li>
<li>The GCP environment prompts the user for MFA.</li>
<li>Attacker initiates a large number of login attempts within a short timeframe.</li>
<li>Each login attempt triggers an MFA request to the legitimate user's device (phone, authenticator app, etc.).</li>
<li>The user is bombarded with MFA push notifications or prompts, leading to &quot;MFA fatigue.&quot;</li>
<li>The user, either accidentally or intentionally, approves one of the MFA requests.</li>
<li>Attacker successfully authenticates and gains unauthorized access to the GCP account.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful MFA bypass can lead to complete account takeover, allowing the attacker to access sensitive data, modify configurations, escalate privileges, and potentially deploy malicious workloads within the GCP environment. Depending on the compromised account's permissions, the attacker could gain control over critical infrastructure, leading to data breaches, service disruptions, or financial losses. Previous MFA fatigue attacks have resulted in significant compromises, including access to government and business systems.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rule to your SIEM to detect multiple failed MFA requests (see <code>rules</code>).</li>
<li>Review and tune the threshold and time window in the Sigma rule based on your organization's baseline MFA behavior (see <code>rules</code>).</li>
<li>Investigate any alerts generated by the Sigma rule to determine the legitimacy of the failed MFA attempts.</li>
<li>Enforce stricter MFA policies, such as requiring number matching or hardware security keys, to mitigate MFA fatigue attacks.</li>
<li>Educate users about MFA fatigue attacks and the importance of carefully reviewing MFA requests.</li>
<li>Consider implementing adaptive authentication measures that analyze login behavior and block suspicious requests.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>gcp</category><category>mfa</category><category>mfa-fatigue</category><category>credential-access</category></item></channel></rss>