Iranian cyber actors target critical infrastructure: FBI, CISA, and NSA warn


A recent joint cybersecurity advisory issued by the FBI, CISA, NSA, and other U.S. agencies highlights a growing threat posed by Iranian cyber actors targeting critical infrastructure sectors.

Since October 2023, these threat actors have been using brute force attacks and weaknesses in multi-factor authentication (MFA) deployments to gain unauthorised access to sensitive systems, the agencies said in the joint advisory.

The advisory details how these actors are using tactics like password spraying and exploiting weaknesses in MFA implementations to compromise the security of organisations across various sectors.

Of particular concern is the increasing use of a method known as "push bombing" or "MFA fatigue," where threat actors inundate users with repeated MFA prompts, hoping to manipulate them into granting access either by mistake or out of frustration.

MFA vulnerabilities

Raymond Carney, director of security response and zero-day research at Tenable, has weighed in on the implications of these vulnerabilities, emphasising the need for improved defences against such attacks.

According to Carney, one of the key vulnerabilities identified in the advisory, CVE-2024-9680, remains unpatched in nearly 63% of environments. This critical flaw in Firefox allows attackers to execute code remotely, posing a significant risk to unprotected systems.

However, Carney warns that technical defences alone may not be enough to thwart these attacks. "The joint advisory highlights a significant people and process problem," he said.

"If attackers can trick employees into handing over their credentials, it doesn’t matter what technical vulnerabilities they exploit — the last line of defence is already breached."

Push bombing, the manipulation of users through persistent MFA prompts, has become a popular tactic for cyber actors seeking to bypass security systems.

While phishing-resistant MFA offers the best protection against such attacks, Carney notes that alternatives like number matching—requiring users to input a specific code generated by the company’s identity system—can serve as a viable backup.
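The push bombing pattern described above (a burst of MFA prompts to one user, followed by an eventual approval) can be spotted in identity-provider logs. The following is an added example written for this article, not code from the advisory or from Tenable; the log format, the user names and the thresholds are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample MFA push events (not real advisory data): timestamp, user, event.
SAMPLE_EVENTS = """\
2024-10-16T08:00:01Z alice push_sent
2024-10-16T08:00:04Z alice push_denied
2024-10-16T08:00:10Z alice push_sent
2024-10-16T08:00:15Z alice push_denied
2024-10-16T08:00:21Z alice push_sent
2024-10-16T08:00:22Z alice push_sent
2024-10-16T08:00:30Z alice push_sent
2024-10-16T08:00:41Z alice push_approved
2024-10-16T08:05:00Z bob push_sent
2024-10-16T08:05:03Z bob push_approved
"""

PUSH_THRESHOLD = 3            # assumed: this many pushes inside WINDOW is a burst
WINDOW = timedelta(minutes=5)  # assumed sliding window per user


def parse_events(text):
    """Parse 'timestamp user event' lines into (datetime, user, event) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event))
    return events


def detect_push_bombing(events, threshold=PUSH_THRESHOLD, window=WINDOW):
    """Return {user: {"pushes": n, "approved_after_burst": bool}} for every user
    who received at least `threshold` pushes within `window`."""
    recent = defaultdict(deque)  # user -> timestamps of pushes still inside the window
    findings = {}
    for ts, user, event in sorted(events):
        q = recent[user]
        if event == "push_sent":
            q.append(ts)
            while q and ts - q[0] > window:   # drop pushes that fell out of the window
                q.popleft()
            if len(q) >= threshold:
                f = findings.setdefault(user, {"pushes": 0, "approved_after_burst": False})
                f["pushes"] = max(f["pushes"], len(q))
        elif event == "push_approved" and user in findings:
            # An approval landing after a burst is exactly the outcome push bombing
            # aims for: treat the session as suspect and review or reset credentials.
            findings[user]["approved_after_burst"] = True
    return findings


if __name__ == "__main__":
    for user, f in detect_push_bombing(parse_events(SAMPLE_EVENTS)).items():
        print(user, f)
```

In the constructed sample, alice is flagged with five pushes in the window and an approval after the burst, while bob's single push-and-approve is left alone.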

The potential consequences of these intrusions are severe. Once access is gained, it can be sold on to other criminals, leading to a range of destructive outcomes.

Carney highlights the threat of ransomware attacks, data breaches, and disruptions to critical infrastructure, which could result in cascading effects like power outages or even water contamination.

"As operators of critical infrastructure, organisations have a responsibility to protect their systems from these types of attacks," Carney warned. "Failure to do so could lead to widespread damage with far-reaching impacts."
