This is contributed by Christopher Laasch, Lead Security Analyst at Cal Poly Pomona, who has been there for 23 years. I have provided some edits to make it flow as a blog post.
We are seeing an uptick in Multifactor Authentication (MFA) bombing or "prompt bombing" attacks, and I was given a wonderful, elaborate breakdown by my colleague Christopher Laasch, who kindly allowed us to share it on our blog this week. This is a high-level breakdown of how to explain this attack to users and executives alike, and how to improve security in the face of attackers trying to compromise your MFA.
Overview from the user's perspective:
MFA prompt bombing is an attempt to trick a user into approving an MFA request that they did not initiate. In these cases, the threat actor already has the user's username and password; the MFA prompt is the only thing standing between them and the account. They then social engineer the user into helping them bypass MFA. The methods used are:
Question: How do attackers know who to target?
Recall from the REN-ISAC lists that there are known lists of usernames and passwords available on the internet. Once hacking groups decide they have the right targets, they attack those targets. As we have seen with several of the Duo alerts, some users had previously been compromised in phishing scams, so their usernames and passwords were already known, and those users have since pressed the fraud alert in Duo when the unexpected push arrived.
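Those Duo fraud reports and bursts of unexpected pushes are exactly what a defender can look for. Below is an added example, not part of Christopher's write-up or any Duo tooling: a small Python script that scans constructed, simplified Duo-style authentication log lines (JSON lines with timestamp, user, factor, result and reason, which is an assumed format, not the real Duo Admin API schema) and flags users who receive a burst of push prompts, who marked a prompt as fraud, or who approved a push after first denying several.

```python
# Added example (not from the original post): flag Duo-style push bursts.
# SAMPLE_LOG is a CONSTRUCTED, simplified JSON-lines approximation of Duo
# authentication events; the real Duo Admin API uses different fields.
import json
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """
{"timestamp": "2024-03-01T08:00:05Z", "user": "jdoe", "factor": "duo_push", "result": "denied", "reason": "user_denied"}
{"timestamp": "2024-03-01T08:00:40Z", "user": "jdoe", "factor": "duo_push", "result": "denied", "reason": "user_denied"}
{"timestamp": "2024-03-01T08:01:10Z", "user": "jdoe", "factor": "duo_push", "result": "denied", "reason": "user_marked_fraud"}
{"timestamp": "2024-03-01T08:01:50Z", "user": "jdoe", "factor": "duo_push", "result": "success", "reason": "user_approved"}
{"timestamp": "2024-03-01T09:15:00Z", "user": "asmith", "factor": "duo_push", "result": "success", "reason": "user_approved"}
"""

WINDOW = timedelta(minutes=10)  # burst window
THRESHOLD = 3                   # pushes in one window before alerting


def parse_events(text):
    """Parse JSON lines into sorted (ts, user, factor, result, reason) tuples."""
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        ts = datetime.strptime(e["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, e["user"], e["factor"], e["result"], e["reason"]))
    return sorted(events)


def find_prompt_bombing(text, window=WINDOW, threshold=THRESHOLD):
    """Return {user: finding} for users hit by a push burst or a fraud report."""
    per_user = defaultdict(list)
    for ts, user, factor, result, reason in parse_events(text):
        if factor == "duo_push":
            per_user[user].append((ts, result, reason))
    findings = {}
    for user, pushes in per_user.items():
        # Sliding window over sorted timestamps: most pushes in any one window.
        best, start = 0, 0
        for end in range(len(pushes)):
            while pushes[end][0] - pushes[start][0] > window:
                start += 1
            best = max(best, end - start + 1)
        fraud = any(r == "user_marked_fraud" for _, _, r in pushes)
        # An approval that follows earlier denials is the "user gave in" pattern.
        results = [r for _, r, _ in pushes]
        gave_in = "success" in results and "denied" in results[:results.index("success")]
        if best >= threshold or fraud:
            findings[user] = {"max_pushes_in_window": best,
                              "fraud_reported": fraud,
                              "approved_after_denial": gave_in}
    return findings
```

Running `find_prompt_bombing(SAMPLE_LOG)` reports only `jdoe`: four pushes inside ten minutes, a fraud report, and an approval after three denials, which is the case worth a call to the user and a password reset.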
Push Notification Targeting Methods:
Universities that use Duo and have been managing this attack:
Groups known to be using this attack: APT29 (Cozy Bear), Lapsus$
Companies that have been compromised with this attack: Nvidia, Okta, Microsoft, SolarWinds.
A video example of the attack (could not find one for Duo)
Recommendations to mitigate the attacks: