At a glance.
- Here’s how to avoid a case of MFA fatigue.
- Ambry Genetics Reaches Settlement in Data Breach Lawsuit.
Here’s how to avoid a case of MFA fatigue.
Bleeping Computer profiles a new social engineering technique that takes advantage of companies’ multi-factor authentication process. While hackers have historically used tactics to bypass multi-factor authentication, they usually rely on malware or phishing operations. What makes MFA fatigue (aka “MFA push spam”) unique is that it requires neither malware nor phishing; instead it essentially weaponizes an organization’s own push notification system. MFA push notifications are often used to prompt the user to confirm a sign-in attempt, and in an MFA fatigue operation the attacker runs a script that attempts to sign in repeatedly using stolen credentials, flooding the account owner’s device with MFA push requests. The goal is for the target to be so overwhelmed with notifications that they accidentally accept an MFA request, or purposely approve it just to stop the message storm.
The tactic has been used successfully by the threat groups Lapsus$ and Yanluowang in recent high-profile attacks on Microsoft, Cisco, and most recently Uber. So how do you avoid falling victim to MFA fatigue? If you suspect you are being targeted by such an attack, experts recommend alerting your company’s IT administrators directly and resetting the credentials of the targeted account, which should stop the flood of MFA spam. Some security experts say organizations should consider disabling MFA push notifications altogether. If that’s not possible, another option is Microsoft’s MFA number matching or Verified Push in Duo, a feature that presents the user with a number that must then be entered to verify the sign-in.
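As an added example (not from the Bleeping Computer article), here is a small detector for the push-spam pattern described above. It parses constructed sample lines of an MFA push log, assumed to hold a timestamp, user, push result and source IP, and flags accounts that received a burst of prompts inside a short window, noting whether the burst ended in an approval.

```python
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta
Event = namedtuple("Event", "ts user result src")
# Constructed sample push log (assumed format, not real data): alice is push-
# spammed and finally approves; bob is a normal login; carol's two denials
# are 15 minutes apart and must not fire.
SAMPLE_LOG = """\
2022-09-15T01:00:00Z user=alice result=timeout src=198.51.100.7
2022-09-15T01:00:40Z user=alice result=denied src=198.51.100.7
2022-09-15T01:01:20Z user=alice result=timeout src=198.51.100.7
2022-09-15T01:02:00Z user=alice result=denied src=198.51.100.7
2022-09-15T01:03:30Z user=alice result=denied src=198.51.100.7
2022-09-15T01:04:10Z user=alice result=approved src=198.51.100.7
2022-09-15T01:05:00Z user=bob result=approved src=192.0.2.10
2022-09-15T00:10:00Z user=carol result=denied src=192.0.2.11
2022-09-15T00:25:00Z user=carol result=denied src=192.0.2.11
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>\S+) src=(?P<src>\S+)$")

def parse_events(text):
    """Parse lines into Events; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(Event(ts, m["user"], m["result"], m["src"]))
    return events

def detect_push_fatigue(events, window=timedelta(minutes=10), threshold=5):
    """Per-user sliding window: flag users with >= threshold prompts inside
    `window`, and note whether such a burst ended in an approval."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_user[ev.user].append(ev)
    findings = {}
    for user, evs in by_user.items():
        start = 0
        for end, ev in enumerate(evs):
            while ev.ts - evs[start].ts > window:  # drop prompts older than the window
                start += 1
            burst = evs[start:end + 1]
            if len(burst) < threshold:
                continue
            f = findings.setdefault(user, {"max_prompts": 0, "approved_after_spam": False, "sources": set()})
            f["max_prompts"] = max(f["max_prompts"], len(burst))
            f["sources"].update(e.src for e in burst)
            if ev.result == "approved":  # the spam achieved its goal
                f["approved_after_spam"] = True
    return findings
```

An approval that closes a flagged burst is the finding to escalate first, since it is exactly the outcome the article describes; the source set shows whether all prompts came from one origin.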
Ambry Genetics Reaches Settlement in Data Breach Lawsuit.
Health IT Security reports that Ambry Genetics, a California genetic testing center, has reached a $12.25 million settlement to resolve a lawsuit arising from a January 2020 breach in which the data of 232,772 patients was exposed. The attacker gained access to an employee’s email account that contained sensitive patient information such as names, Social Security numbers, and diagnostic information, and Ambry was unable to determine whether any data was exfiltrated. Plaintiffs in the class action allege that Ambry did not notify them of the breach until April 2020, exceeding HIPAA’s 60-day notification requirement. They also claimed that the incident was “a direct result” of Ambry’s lack of cybersecurity measures to protect patient data and that the data ended up in the hands of cybercriminals, forcing victims to spend time and money mitigating their risk through activities such as running credit checks, using anti-theft services and, in some cases, changing their Social Security numbers.
Although the settlement does not constitute an admission of guilt, Ambry has agreed to pay $12.25 million into a settlement fund, of which $2.25 million is earmarked for credit monitoring and identity theft protection. In addition to filing claims for reimbursement of up to $10,000 in expenses, class members may file claims for up to 10 hours of documented time and up to three hours of default time, meaning time spent by class members “to seek remedy, create or fix problems that are pretty much directly related to the data breach,” at $30 an hour.