Two-Factor Fake Attempts (T1621) v2

Two-Factor Authentication (2FA) Request Generation: An Overview

Two-Factor Authentication (2FA) Request Generation is a sophisticated cyber attack technique that has gained prominence in recent years. This method involves creating multiple 2FA requests to a target's device or application, with two primary objectives: to trick the target into approving a fraudulent authentication request, or to overwhelm and disrupt legitimate authentication attempts. As 2FA has become a standard security measure, threat actors have adapted their strategies to exploit this additional layer of protection.

Notable Incidents and Timeline

The evolution of 2FA Request Generation attacks can be traced through several high-profile incidents. From 2018 to 2020, the Russia-based APT group APT29, also known as Cozy Bear, conducted multiple campaigns targeting government and defense sectors. Their sophisticated approach involved manipulating 2FA systems to gain unauthorized access to sensitive accounts. This group, suspected to be linked to Russian intelligence, was also implicated in the SolarWinds breach and the 2016 DNC hack, showcasing their advanced capabilities and persistent threat to national security.

In 2018, the cybersecurity community observed the widespread use of Evilginx2, a phishing toolkit designed to capture 2FA tokens by generating fraudulent requests. This open-source tool, while not inherently malicious, became a favorite among threat actors for its effectiveness in man-in-the-middle attacks against major platforms like Google and Facebook.

The following year, 2019, saw the financially motivated cybercriminal group FIN7 (also known as Carbanak) leveraging 2FA request flooding for monetary gain. Their tactics included social engineering users to approve unauthorized requests, primarily targeting banks, point-of-sale systems, and the hospitality industry.

Mid to late 2020 marked the emergence of APT35 (Phosphorous), an Iranian threat actor group, which specifically targeted activist groups by exploiting vulnerabilities in SMS-based 2FA systems. This group's activities highlight the political motivations behind some 2FA exploitation attempts, often focusing on dissidents and political adversaries.

More recently, in 2022, the Lapsus$ hacking group made headlines with their aggressive tactics targeting corporate accounts through multiple 2FA requests. Their high-profile breaches of tech giants like Microsoft, NVIDIA, and Okta demonstrated the evolving sophistication of these attacks and their potential for significant disruption.

Technical Details of Campaigns

The technical approaches used in these campaigns often start with sophisticated spear-phishing attacks. Threat actors create convincing emails or messages that lead victims to cloned web pages, often hosted by phishing kits like Evilginx2. Once credentials are obtained, the attackers use them to generate repeated 2FA requests, attempting to capture authenticator app tokens or SMS codes.

A common tactic involves flooding targets with 2FA alerts, often late at night, exploiting victim confusion or fatigue to gain approval. This social engineering aspect is crucial, as it preys on human psychology and the natural tendency to want to resolve persistent notifications.

Defensive Measures and Recommendations

To combat these evolving threats, cybersecurity experts recommend several defensive measures. Implementing hardened Multi-factor Authentication (MFA) solutions, such as physical security keys, provides a more robust defense compared to SMS or app-based 2FA. Organizations should also employ behavioral analysis and anomaly detection systems to monitor for unusual patterns, like multiple 2FA requests in short succession.

Education and awareness remain critical components of any defense strategy. Regular training sessions should inform users about the risks and signs of 2FA misuse, emphasizing the importance of vigilance even with seemingly secure authentication methods.