Xage releases new tool to battle MFA bombing in critical infrastructure

·3 min read

Earlier this year, the news of multifactor authentication attacks began to surface. MFA is supposed to be a technique to limit attacks. If someone gets hold of a password, an MFA request usually prevents them from getting any further, but this year’s attacks showed that even MFA can be vulnerable under the right circumstances.

Xage (pronounced Zage) is a startup that has been working for several years to build security around critical infrastructure like oil and gas pipelines and water supplies that have proved vulnerable to hackers in recent years.

Today, the company announced a new tool designed to help these kinds of customers to defend against the MFA bombing attacks we have been seeing.

Roman Arutyunov, co-founder and VP of products at Xage says in most instances MFA is highly effective, but these attackers were able to find a vulnerability.

“The way this particular attack works is that it creates multiple MFA requests to a secondary device, basically in the middle of the night, so that an operator will just be so frustrated that they will just hit the approved button and therefore grant access for the attacker into that particular environment or application,” he explained.

Once inside, Arutyunov says the hackers typically launch malware and attempt to make their way deeper into the company’s systems and find some valuable assets to steal. In the case of an electronic grid, water supply or oil and gas pipeline, that could be access to systems that run these critical assets to wreak havoc.

He said that when you are using a single layer of MFA, that can leave a company vulnerable to these types of attacks. In order to battle this, Xage has built a multilayer, multifactor authentication tool. This puts up a series of gates, so that if an attacker makes their way into the first level, they won’t be able to get to the organization's more critical technology.

The product works with the rest of the Xage fabric to help prevent attacks. As CEO Duncan Greatwood told me earlier this year, the fabric is designed to protect these systems more broadly:

“The fabric is a mesh of software nodes that overlays the operation to provide granular control of every digital interaction. It provides zero-trust protection that spans operations, IT and the cloud, underpinning both cybersecurity and digital transformation,” he said.

In conjunction with this fabric, a hacker, who is trying to find a vulnerability as quickly as possible, would be presented with another MFA request to get into the next level of technology. By putting up these additional obstacles, it reduces the likelihood of success, Arutyunov says.

“Now the power of this is that now the probability of a successful compromise is reduced by orders of magnitude. So these MFA bombing attacks are essentially impossible using this multilayer approach,” he said.

The new feature is available to users of the broader Xage fabric starting today. The company claims that it is the first to use this technique to help prevent these types of attacks.