Root Causes 335: When MFA Is Not MFA
In this episode we describe a social engineering attack to steal a one-time password (OTP) to enable unauthorized access. This incident further exploited a cloud backup feature to extend the scope of the breach. We explain.
- Original Broadcast Date: September 29, 2023
Episode Transcript
Lightly edited for flow and brevity.
-
Tim Callan
We picked a topic where you are very much more expert than I am and hopefully, you will do most of the talking.
-
Jason Soroko
No problem. I can kick this off. We saw a really good blog post, Retool, name of the company; person who wrote the blog, Snir Kodesh. Blog post from the 13th of September, 2023. The blog post is “When MFA Isn’t Actually MFA”.
-
Tim Callan
How about that? That’s a provocative title.
-
Jason Soroko
Provocative title and, of course, this is the kind of thing that captures our attention and there’s a few things in here, Tim, that really, we cover on this podcast. This is definitely thanks to Retool for getting this blog out for informing us about their experience. I’d like to frame it less about their experience and less about the vendors and more about, hey, watch out for this as an enterprise. Because you don’t want this to happen to you. And that’s why I really thanked them for writing this blog post because if you look at this carefully, it really is a warning about the usage of multi-factor authentication. You know, commercially available, off-the-shelf multi-factor authentication. So here it is.
-
Tim Callan
What happened?
-
Jason Soroko
Tim, you can just imagine that if you give away your OTP codes, at the very least you are gonna have a bad situation where the thing you are trying, the bad guy is trying to authenticate into, if they have your username and password and then all they are waiting for is your OTP and you somehow give them your OTP – you’re socially engineered somehow –
-
Tim Callan
Then it’s done.
-
Jason Soroko
Then it’s done. The bad guy is logged in and then they can do whatever the rest of their attack is.
-
Tim Callan
That’s the other factor.
-
Jason Soroko
That’s the other factor. This in fact happened. In fact, the way that this was described is that there was a social engineering attack against a number of privileged users at Retool, administrator types is what it seems to be but, more importantly, one out of the I don’t know how many – I think they specify but not important – all that matters is that one of them did give up their OTP and let me tell you what happened in this attack, Tim. The way that the social engineering was done, they actually used a deep fake voice of a colleague.
-
Tim Callan
Ok. So, it ties back to that whole threat we talk about all the time, too.
-
Jason Soroko
Artificial intelligence, deep fake voices, now we are starting to see that deep fake of colleagues within your enterprise is being used to, hey, in this case, to convince you, hey, can you give me your OTP code. Right? And you know, Tim, I hate to say it but I think if you were to call me and say, Jay, give me your OTP, I’m gonna have to say no.
-
Tim Callan
Absolutely. But I also can see if I were having a problem and I got on with let’s say, the Help Desk and I was talking to what I thought was someone I knew who worked for the Help Desk and this person said to me, alright, now I need your OTP code, I might just give it to them thinking that’s the process.
-
Jason Soroko
Sure. Bad idea. So, let me tell you how bad of an idea this was.
In this case – and I’m gonna try and simplify it here, right. Basically, a lot of enterprises will use Google’s G-Suite. It’s not surprising. It’s very, very common for enterprises to be able to use that and so geez, if you are an attacker, what a great thing to try to get access to. So, the bad guy was trying to get access into G-Suite of one of these administrators and was able to because the person was socially engineered and the attacker was able to log in to G-Suite of this administrator, or the enterprise, because of the fact that they received this OTP via social engineering. However, however, you might think, well, what is that attacker going to be able to get access to? Well, obviously, documents and files that are saved in G-Suite and email and other things but it was far worse than that because of this reason. Retool figured, well look, MFA is MFA. You are not gonna be able to log into our other internal systems.
The problem with that assumption was this. On April 24, 2023, Google announced that cloud backup of basically your OTP seeds is possible. So, in other words, all of your OTP accounts that you have one-time passwords against will be saved into the cloud.
Now, super handy feature – super handy feature for legitimate purposes because then you can go from device to device and you can have a single instance of Google Authenticator running and you can actually say, hey, look, I don’t want to have to go off and reseed this mobile device. I want to be able to just get it from the cloud.
-
Tim Callan
Go to the next device and it just knows it’s me and it just treated it – ok. Sure.
-
Jason Soroko
Super handy thing. Super handy. Here’s where it’s also handy. It’s handy for the bad guy because if your G-Suite account has been compromised you as the bad guy can now get those OTP seeds restored onto your attacker device.
-
Tim Callan
And now you are just authenticated.
-
Jason Soroko
Well, the thing is, for the systems that have been backed up it could have been their HR system. It could have been their finance system. It could have been an internal development system. I mean there’s any number of things you might use Google Authenticator as an MFA for and you get your OTP, you log in, everybody is happy. The problem is now the bad guy had all of that administrator’s OTP seed files restored onto the attacker’s mobile device. So, therefore, the attacker didn’t even need to then continue with other social engineering attacks for other OTPs – they could just log in.
-
Tim Callan
Right. Of course. And then if they already have stolen the username and password access now they have everything they need.
-
Jason Soroko
It’s just bad. It’s really bad.
-
Tim Callan
So, does that mean that piece of functionality really is fundamentally insecure and needs to go away?
-
Jason Soroko
Well, I can tell you that, if you like the convenience of having that cloud backup then go ahead and leave the default of backup to cloud. The problem is I think for enterprises you really need to do a risk assessment and think about –
-
Tim Callan
Yeah.
-
Jason Soroko
If you are using G-Suite specifically to store very important – you know, if that’s the fundamental basis of how you do email in your business and you store a lot of files for your business and you are also using Google Authenticator extensively then I think as an enterprise you might want to limit the cloud backup of those OTP seeds.
-
Tim Callan
So, Google is not taking action here. They are not going to change the way their system works. This is about a knowledge and configuration exercise for the enterprise. Is that correct?
-
Jason Soroko
I think so, Tim. And I think as well Google will point to other technologies such as using a FIDO key. We’ve talked about those. We won’t get into detail but it’s not like Google doesn’t have other authentication or MFA options. They are out there and I think that those are the kinds of things that, if I was working for Google I would point to those things and go, hey, if you are an enterprise, use this and I think that is a correct answer. So, no, I don’t think Google is gonna go – I mean I can’t speak for them.
-
Tim Callan
Sure.
-
Jason Soroko
They may go off and change what the default is. Maybe they will. Maybe they won’t. Whatever. What I am saying is be aware of this. If you are an enterprise using G-Suite, be aware of this issue and be aware that there are other stronger forms of authentication compared to MFA. Something you and I have said dozens of times on this podcast.
-
Tim Callan
Sure. Exactly. It also has three letters. So that other form of authentication that you are referring to. Starts with a P. PKI. Alright, Jason. Wow. That’s a hell of a story.
-
Jason Soroko
It is, isn’t it? And, I just wanted to have a nice tight and concise explanation of what happened here and warn anybody who is using those kinds of really handy cloud services. You know, be aware. And thanks to Retool for expressing the real obvious headache and terrible situation that they went through for the rest of us to learn from.
-
Tim Callan
Absolutely. So, that’s a good lesson.