At a glance.
- How to avoid a case of MFA Fatigue.
- Ambry Genetics reaches settlement in data breach lawsuit.
How to avoid a case of MFA Fatigue.
Bleeping Computer profiles a new social engineering technique that takes advantage of organizations’ multi-factor authentication process. While hackers have used tactics in the past to bypass multi-factor authentication, they usually rely on malware or phishing operations. What makes MFA Fatigue (also known as “MFA push spam”) unique is that it doesn’t require malware or phishing, instead essentially weaponizing an organization’s own push notification system. MFA push notifications are often used to prompt the user to verify a login attempt, and in an MFA Fatigue operation, the attacker runs a script that attempts to use stolen credentials to log in repeatedly, inundating the account owner’s device with MFA push requests. The goal is to so overwhelm the target with notifications that they accidentally accept an MFA request, or approve it on purpose simply to put an end to the onslaught of messages.
The tactic has been successfully employed by the Lapsus$ and Yanluowang threat groups in recent high-profile attacks on Microsoft, Cisco, and most recently Uber. So how does someone avoid falling prey to MFA Fatigue? If you fear you are being targeted by such an attack, experts recommend alerting your company’s IT administrators directly, and also resetting the login credentials for the account being targeted, which should stop the flood of MFA spam. Some security professionals say companies should consider disabling MFA push notifications. If that’s not possible, another option is Microsoft's MFA number matching, or Verified Push in Duo, which is a feature that sends the user a series of numbers which must then be used to verify their identity.
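From the defender's side, the pattern described above (many push prompts to one account in a short window, often ending in a single approval) is visible in authentication logs. The following is an added example, not code from Bleeping Computer or from any MFA vendor: it runs a sliding-window check over a constructed log of push outcomes and flags both the burst itself and an approval that follows repeated rejections. The log format, the ten-minute window and the thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)       # assumed window length
PROMPT_THRESHOLD = 5                 # assumed: prompts per window that count as a burst
REJECTS_BEFORE_APPROVE = 3           # assumed: rejections before an approval looks coerced

# Constructed sample log, not real data: "<ISO timestamp> <user> <push outcome>"
SAMPLE_LOG = """\
2022-09-15T02:10:01Z bob denied
2022-09-15T02:10:40Z bob denied
2022-09-15T02:11:12Z bob timeout
2022-09-15T02:11:55Z bob denied
2022-09-15T02:12:30Z bob denied
2022-09-15T02:13:02Z bob approved
2022-09-15T09:00:00Z carol approved
2022-09-15T13:30:00Z carol denied
2022-09-15T13:45:00Z carol approved
"""

def parse(line):
    ts, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, outcome

def detect_push_spam(log_text, window=WINDOW, threshold=PROMPT_THRESHOLD,
                     rejects_before_approve=REJECTS_BEFORE_APPROVE):
    """Return a list of (user, alert_kind, timestamp) tuples, in log order."""
    recent = defaultdict(deque)   # user -> (timestamp, outcome) pairs inside the window
    in_burst = set()              # users already alerted for the current burst
    alerts = []
    for line in log_text.strip().splitlines():
        ts, user, outcome = parse(line)
        q = recent[user]
        q.append((ts, outcome))
        while ts - q[0][0] > window:          # drop prompts older than the window
            q.popleft()
        if len(q) >= threshold:
            if user not in in_burst:          # alert once per burst, not per prompt
                in_burst.add(user)
                alerts.append((user, "push_spam", ts))
        else:
            in_burst.discard(user)
        if outcome == "approved":
            rejects = sum(1 for _, o in q if o in ("denied", "timeout"))
            if rejects >= rejects_before_approve:
                alerts.append((user, "approval_after_repeated_rejects", ts))
    return alerts

if __name__ == "__main__":
    for user, kind, ts in detect_push_spam(SAMPLE_LOG):
        print(f"{ts.isoformat()} {user}: {kind}")
```

In the sample, bob triggers both alerts while carol's widely spaced denial and approval stay below every threshold; the second alert is the one worth paging on, since it marks the moment a worn-down user may have let the attacker in.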
Ambry Genetics reaches settlement in data breach lawsuit.
Health IT Security reports that Ambry Genetics, a genetic testing center located in the US state of California, reached a $12.25 million settlement to resolve a lawsuit stemming from a January 2020 breach that exposed the data of 232,772 patients. The attacker infiltrated an employee email account containing sensitive patient information including names, Social Security numbers, and diagnosis info, and Ambry was unable to determine whether any of the data were exfiltrated. Plaintiffs in the class action lawsuit alleged that Ambry failed to notify them about the breach until April 2020, exceeding HIPAA’s sixty-day breach notification requirement. They also claimed that the incident was “a direct result” of Ambry’s lack of cybersecurity measures to protect patient data, and that the data had ended up in the hands of cybercriminals, forcing the victims to spend time and money to mitigate their risk through activities like administering credit checks, enlisting theft protection services, and in some cases changing their Social Security numbers.
Although the settlement does not signify admission of guilt, Ambry has agreed to put $12.25 million into a settlement fund, with $2.25 million of that sum directed at credit monitoring and identity theft protection services. In addition to submitting claims for up to $10,000 in reimbursement of out-of-pocket costs, class action members may submit claims for up to ten hours of documented time and up to three hours of default time – time spent by class members “attempting to remedy or remedying issues fairly traceable to the data breach” – at $30 per hour.