Hello and welcome to the Tuesday, August 19, 2025
edition of the SANS Internet Storm Center's Stormcast. My
name is Johannes Ullrich, recording today from
Jacksonville, Florida. And this episode is brought to you
by the SANS.edu Graduate Certificate Program in
Incident Response. In diaries today we have Rob talking about
MFA bombing or authentication fatigue. What this is all
about is if an attacker has access to a username and
password for your account, they're now having to overcome
multi-factor authentication. Now in simple cases like your
standard one-time password, they may just try to guess it,
which of course should be hard to impossible if that's
reasonably well done. Or recently many organizations
have introduced the application-based multi-factor
authentication where you do get a pop-up that allows you
to approve a login. Now that has quickly turned out to be
very susceptible to this kind of authentication fatigue and
MFA bombing where users, if they were confronted with a
large number of these pop-ups, well, would just approve it.
So these days most of the better implementations like
Microsoft and such usually ask you not just to approve
the login, but also to echo back a two-digit code that's
being displayed on the website. Either way, by trying
to send you enough of these attempts, and then again with
Microsoft, if you're not using the professional version, but
just the home user version, it's really just three
options. So they may again hope that the user will just
pick an option and click OK and let the attacker in. What
Rob is talking about here a little bit is the aftermath
of an attack like this. How do you actually figure out what
happened in more detail? Microsoft has a web page that
you can use to actually retrieve more details about
your authentication history. It's mysignins.microsoft.com.
It lists all of the logins in your history with the IP
address based location. So that gives you a little bit
more insight as to what may have happened in an attack
like this. We also had a user comment about how to
investigate this in Microsoft. There is actually a little
reporting function that you can use in order to then
export all the login attempts in a nice JSON format, which
may work pretty well for sort of an occasional report
enterprise-wide, figuring out if any users were targeted by
an attack like this. And in vulnerabilities today, we do
have a critical vulnerability in the Cisco Secure Firewall
Management Center software. This particular vulnerability
allows for an arbitrary code injection into RADIUS. So
apparently there's some parameter being sent to RADIUS
without being properly sanitized, which then leads to
the OS command injection. In order to be vulnerable, you
must have RADIUS enabled, at least for web authentication
or SSH authentication or both, of course. Definitely address
this with patching. I would assume that we probably will
see an exploit for this relatively soon, if it hasn't
already been released. The CVSS score for this particular
vulnerability is a clear 10 out of 10. And F5 released a
number of updates last week. And I think that this one
particular vulnerability got a little bit overlooked here.
And I think this deserves some attention. It's a
vulnerability in F5 Access for Android. Basically, their VPN
product, and well, it does not properly validate the TLS
certificate. With that, an attacker is able to establish
a machine-in-the-middle attack. This kind of
vulnerability, of course, has to be targeted to a vulnerable
device. And F5 sort of mentions a little bit as a
mitigation that well, if your device is not vulnerable, it
will flag the connection as bad as it should. But still, I
think this is a vulnerability that you probably should
address quickly by updating these Android devices running
this version of F5 Access. Well, and that is it for
today. Thanks, everybody, for liking, for recommending, and
also for leaving good reviews for this podcast. And talk to
you again tomorrow. Bye. Bye.
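Editor's added example (not part of the podcast, the diary it refers to, or any Microsoft tooling): a small detector that runs over an exported sign-in log and flags the MFA-bombing pattern described above, that is, many failed or unanswered MFA challenges for one account inside a short window, and whether a successful sign-in followed the burst. The records are constructed here. The field names (userPrincipalName, createdDateTime, ipAddress, status.errorCode) follow the shape of a Microsoft Entra sign-in log export and the error code 500121 ("Authentication failed during strong authentication request") is assumed to be the MFA-failure code of interest; both are assumptions to check against the export you actually have.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: Microsoft Entra reports a denied, timed-out or otherwise failed
# MFA challenge as status.errorCode 500121 ("Authentication failed during
# strong authentication request"). Extend this set for your tenant's export.
MFA_FAILURE_CODES = {500121}


def parse_export(raw_json):
    """Normalise a JSON sign-in export into time-sorted per-record dicts.

    Field names follow the shape of an Entra sign-in log export (assumed).
    """
    records = []
    for r in json.loads(raw_json):
        records.append({
            "user": r["userPrincipalName"].lower(),
            "time": datetime.strptime(r["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ"),
            "ip": r.get("ipAddress", ""),
            "code": int(r.get("status", {}).get("errorCode", 0)),
        })
    records.sort(key=lambda rec: rec["time"])
    return records


def find_mfa_bursts(records, threshold=5, window=timedelta(minutes=10)):
    """Flag accounts that received `threshold` or more failed MFA challenges
    within `window`, and note whether a successful sign-in (errorCode 0)
    followed the burst, i.e. the user finally tapped Approve."""
    by_user = defaultdict(list)
    for rec in records:
        by_user[rec["user"]].append(rec)

    findings = []
    for user, events in by_user.items():
        failures = [e for e in events if e["code"] in MFA_FAILURE_CODES]
        start = 0
        for end in range(len(failures)):
            # Slide the window start forward until the span fits in `window`.
            while failures[end]["time"] - failures[start]["time"] > window:
                start += 1
            if end - start + 1 < threshold:
                continue
            # Threshold reached: extend the burst while prompts keep coming.
            last = end
            while (last + 1 < len(failures) and
                   failures[last + 1]["time"] - failures[last]["time"] <= window):
                last += 1
            burst = failures[start:last + 1]
            burst_end = burst[-1]["time"]
            approved = next((e for e in events
                             if e["code"] == 0
                             and burst_end <= e["time"] <= burst_end + window), None)
            findings.append({
                "user": user,
                "failed_prompts": len(burst),
                "first": burst[0]["time"].isoformat(),
                "last": burst_end.isoformat(),
                "source_ips": sorted({e["ip"] for e in burst}),
                "approved_after_burst": approved is not None,
                "approved_from": approved["ip"] if approved else None,
            })
            break  # one finding per account is enough for triage
    return findings


def _rec(upn, ts, ip, code):
    return {"userPrincipalName": upn, "createdDateTime": ts,
            "ipAddress": ip, "status": {"errorCode": code}}


# Constructed sample export (not real tenant data): alice is bombed and finally
# approves, bob fails one prompt and retries normally, carol's failures are
# hours apart and should not be flagged with the default window.
SAMPLE_EXPORT = json.dumps([
    _rec("alice@example.com", "2025-08-18T02:10:05Z", "203.0.113.7", 500121),
    _rec("alice@example.com", "2025-08-18T02:10:40Z", "203.0.113.7", 500121),
    _rec("alice@example.com", "2025-08-18T02:11:20Z", "203.0.113.7", 500121),
    _rec("alice@example.com", "2025-08-18T02:12:02Z", "203.0.113.7", 500121),
    _rec("alice@example.com", "2025-08-18T02:12:50Z", "203.0.113.7", 500121),
    _rec("alice@example.com", "2025-08-18T02:13:30Z", "203.0.113.7", 500121),
    _rec("alice@example.com", "2025-08-18T02:14:10Z", "203.0.113.7", 0),
    _rec("bob@example.com", "2025-08-18T09:00:00Z", "198.51.100.4", 500121),
    _rec("bob@example.com", "2025-08-18T09:02:00Z", "198.51.100.4", 0),
    _rec("carol@example.com", "2025-08-18T12:00:00Z", "192.0.2.9", 500121),
    _rec("carol@example.com", "2025-08-18T14:00:00Z", "192.0.2.9", 500121),
    _rec("carol@example.com", "2025-08-18T16:00:00Z", "192.0.2.9", 500121),
])

if __name__ == "__main__":
    for finding in find_mfa_bursts(parse_export(SAMPLE_EXPORT)):
        print(json.dumps(finding, indent=2))
```

The threshold and window are deliberately parameters: a handful of failed prompts in a day is normal user behaviour, a burst of them in minutes from one source IP followed by an approval from that same IP is the signature to triage first. The source IP in these records is the sign-in origin, which in a push-bombing case is the attacker's, so it can be matched against what the user sees on mysignins.microsoft.com.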