2022-03-29
Lapsus$, SolarWinds and MFA
The Lapsus$ cyber extortion group uses the same technique to bypass multi-factor authentication (MFA) that was used by the state-sponsored threat actors behind the SolarWinds attack. Known as prompt-bombing (also called MFA fatigue or push spam), the technique involves flooding a user's phone with push-notification approval requests until the user accepts one.
Editor's Note
No legitimate business would ever communicate to customers in a manner that even came close to “prompt-bombing.” That makes this a good attack technique to educate users on, as it is pretty easy for them to recognize. More modern FIDO2-based MFA approaches are more resistant to this, but every form of authentication will have to have backup approaches that can be “bombed” as well.

John Pescatore
Red Teams have been using this technique for years as part of testing people and process in addition to the MFA implementation itself. Offense needs to continue to inform defense and defense inform offense. There is no reason this should be news or considered novel. If it is, your Red Team did not do their job.

Jorge Orchilles
There are two forms of this technique. The first overwhelms you with requests to approve a login and hopes you ultimately relent and let it in. The second is a few requests spread out in hopes you won’t notice and approve it without question. Make sure to train users to accept or allow only authentication permission requests they know are legitimate.

Lee Neely
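Detection logic for both forms of prompt-bombing, the burst of requests described in the news summary and the spaced-out trickle described in Lee Neely's note, as an added example that is not part of the original NewsBites item or any vendor's product. The log format (one push prompt per line with `user`, `result` and `ip` fields), the sample lines, and the thresholds are assumptions for the example; real identity providers have their own schemas and the numbers need tuning per environment.

```python
"""Flag MFA push-bombing patterns in push-prompt logs.

Added example, not code from the original article. Log format, field
names and thresholds are assumptions; adapt them to your identity provider.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log (hypothetical format): one MFA push prompt per line.
# alice: five prompts in ~1 minute, then she relents and approves (burst form).
# bob:   one prompt denied late at night, one approved hours later (spaced form).
# carol: a single normal approval with no prior refusal (should not alert).
SAMPLE_LOG = """\
2022-03-28T22:10:01Z user=alice result=DENY ip=203.0.113.7
2022-03-28T22:10:15Z user=alice result=DENY ip=203.0.113.7
2022-03-28T22:10:32Z user=alice result=TIMEOUT ip=203.0.113.7
2022-03-28T22:10:48Z user=alice result=DENY ip=203.0.113.7
2022-03-28T22:11:03Z user=alice result=DENY ip=203.0.113.7
2022-03-28T22:11:20Z user=alice result=APPROVE ip=203.0.113.7
2022-03-28T23:02:11Z user=bob result=DENY ip=198.51.100.9
2022-03-29T04:41:55Z user=bob result=APPROVE ip=198.51.100.9
2022-03-29T08:00:00Z user=carol result=APPROVE ip=192.0.2.44
"""

# Assumed thresholds: tune to the real prompt rate of your user base.
BURST_COUNT = 5                     # prompts within BURST_WINDOW => burst alert
BURST_WINDOW = timedelta(minutes=10)
RELENT_WINDOW = timedelta(hours=12)  # approval this soon after a refusal => alert

REFUSALS = ("DENY", "TIMEOUT")


def parse_line(line):
    """Parse '<ISO8601Z> key=value ...' into a dict with a UTC 'ts' field."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc)
    return rec


def detect_push_bombing(log_text, burst_count=BURST_COUNT,
                        burst_window=BURST_WINDOW, relent_window=RELENT_WINDOW):
    """Return (rule, user, iso_timestamp) tuples for suspicious prompt patterns.

    Rule 'burst': at least burst_count prompts for one user inside a sliding
    window of burst_window, whatever the results (the flood itself is the signal).
    Rule 'approve_after_refusal': an APPROVE that follows a DENY/TIMEOUT for the
    same user within relent_window. This catches the user who finally relents in
    a burst and the user who waves through a later, spaced-out prompt.
    """
    per_user = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            per_user[rec["user"]].append(rec)

    alerts = []
    for user, recs in per_user.items():
        recs.sort(key=lambda r: r["ts"])

        # Rule 1: sliding window over prompt timestamps; one alert per user.
        start = 0
        burst_reported = False
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > burst_window:
                start += 1
            if end - start + 1 >= burst_count and not burst_reported:
                alerts.append(("burst", user, recs[end]["ts"].isoformat()))
                burst_reported = True

        # Rule 2: approval shortly after the user had refused a prompt.
        last_refusal = None
        for rec in recs:
            if rec["result"] in REFUSALS:
                last_refusal = rec
            elif rec["result"] == "APPROVE" and last_refusal is not None:
                if rec["ts"] - last_refusal["ts"] <= relent_window:
                    alerts.append(("approve_after_refusal", user,
                                   rec["ts"].isoformat()))
                last_refusal = None  # each refusal is only paired once
    return alerts


if __name__ == "__main__":
    for rule, user, when in detect_push_bombing(SAMPLE_LOG):
        print(f"{when} {user}: {rule}")
```

The burst rule fires on the flood itself, before the victim relents, so it is the one to page on; the approve-after-refusal rule is the post-hoc signal that a session opened by a worn-down user needs to be revoked and the source IP investigated. In production, also correlate on the originating IP and geolocation of the login attempt, since a prompt the user did not initiate almost always comes from an unfamiliar source.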
UK Police arrested 7 males suspected of being part of the Lapsus$ gang. All but two have been released. The remaining two individuals are aged 16 and 17. They have been charged with various cyber-crime related offences and will appear in court. https://www.bbc.com/news/technology-60953527
