Free Trial
Contact Us
Podcast

Root Causes 335: When MFA Is Not MFA

Hosted by
Tim Callan
Tim Callan
Chief Compliance Officer
Jason Soroko
Jason Soroko
Fellow
Original broadcast date
September 29, 2023

In this episode we describe a social engineering attack to steal a one-time password (OTP) to enable unauthorized access. This incident further exploited a cloud backup feature to extend the scope of the breach. We explain.

Podcast Transcript

Lightly edited for flow and brevity.
Tim CallanTim CallanWe picked a topic where you are very much more expert than I am and hopefully, you will do most of the talking.
Jason SorokoJason SorokoNo problem. I can kick this off. We saw a really good blog post, Retool, name of the company; person who wrote the blog, Snir Kodesh. Blog post from the 13th of September, 2023. The blog post is “When MFA Isn’t Actually MFA”.
Tim CallanTim CallanHow about that? That’s a provocative title.
Jason SorokoJason SorokoProvocative title and, of course, this is the kind of thing that captures our attention and there’s a few things in here, Tim, that really, we cover on this podcast. This is definitely thanks to Retool for getting this blog out for informing us about their experience. I’d like to frame it less about their experience and less about the vendors and more about, hey, watch out for this as an enterprise. Because you don’t want this to happen to you. And that’s why I really thanked them for writing this blog post because if you look at this carefully, it really is a warning about the usage of multi-factor authentication. You know, commercially available, off-the-shelf multi-factor authentication. So here it is.
Tim CallanTim CallanWhat happened?
Jason SorokoJason SorokoTim, you can just imagine that if you give away your OTP codes, at the very least you are gonna have a bad situation where the thing you are trying, the bad guy is trying to authenticate into, if they have your username and password and then all they are waiting for is your OTP and you somehow give them your OTP – you’re socially engineered somehow – -
Tim CallanTim CallanThen it’s done.
Jason SorokoJason SorokoThen it’s done. The bad guy is logged in and then they can do whatever the rest of their attack is.
Tim CallanTim CallanThat’s the other factor.
Jason SorokoJason SorokoThat’s the other factor. This in fact happened. In fact, the way that this was described is that there was social engineering attack against a number of privileged users at Retool, administrator types is what it seems to be but, more importantly, one out of the I don’t how many – I think they specify but not important – all that matters is that one of them did give up their OTP and let me tell you what happened in this attack, Tim. The way that the social engineering was done, they actually used a deep fake voice of a colleague.
Tim CallanTim CallanOk. So, it ties back to that whole threat we talk about all the time, too.
Jason SorokoJason SorokoArtificial intelligence, deep fake voices, now we are starting to see that deep fake of colleagues within your enterprise is being used to, hey, in this case, to convince you, hey, can you give me your OTP code. Right? And you know, Tim, I hate to say it but I think if you were to call me and say, Jay, give me your OTP, I’m gonna have to say no.
Tim CallanTim CallanAbsolutely. But I also can see if I were having a problem and I got on with let’s say, the Help Desk and I was talking to what I thought was someone I knew who worked for the Help Desk and this person said to me, alright, now I need your OTP code, I might just give it to them thinking that’s the process.
Jason SorokoJason SorokoSure. Bad idea. So, let me tell you how bad of an idea this was.

In this case – and I’m gonna try and simplify it here, right. Basically, a lot of enterprises will use Google’s G-Suite. It’s not surprising. It’s very, very common for enterprises to be able to use that and so geez, if you are an attacker, what a great thing to try to get access to. So, the bad guy was trying to get access into G-Suite of one of these administrators and was able to because the person was socially engineered and the attacker was able to log in to G-Suite of this administrator, or the enterprise, because of the fact that they received this OTP via social engineering. However, however, you might think, well, what is that attacker going to be able to get access to? Well, obviously, documents and files that are saved in G-Suite and email and other things but it was far worse than that because of this reason. Retool figured, well look, MFA is MFA. You are not gonna be able to log into our other internal systems.

The problem with that assumption was this. April 24, 2023 Google announced that cloud backup of basically your OTP seeds is possible. So, in other words, all of your OTP accounts that you have one time passwords against will be saved into the cloud.

Now, super handy feature – super handy feature for legitimate purposes because then you can go from device to device and you can have a single instance of Google Authenticator running and you can actually say, hey, look, I don’t want to have to go off and reseed this mobile device. I want to be able to just get it from the cloud.
Tim CallanTim CallanGo to the next device and it just it knows it’s me and it just treated it – ok. Sure.
Jason SorokoJason SorokoSuper handy thing. Super handy. Here’s where it’s also handy. It’s handy for the bad guy because if your G-Suite account has been compromised you as the bad guy can now get those OTP seeds restored onto your attacker device.
Tim CallanTim CallanAnd now you are just authenticated.
Jason SorokoJason SorokoWell, the thing is, for the systems that have been backed up it could have been their HR system. It could have been their finance system. It could have been an internal development system. I mean there’s any number of things you might use Google Authenticator as a MFA for and you get your OTP, you log in, everybody is happy. The problem is now the bad guy had all of that administrator’s OTP seed files restored onto the attacker’s mobile device. So, therefore, the attacker didn’t even need to then continue with other social engineering attacks for other OTPs - they could just log in.
Tim CallanTim CallanRight. Of course. And then if they already have stolen the username and password access now they have everything they need.
Jason SorokoJason SorokoIt’s just bad. It’s really bad.
Tim CallanTim CallanSo, does that mean that piece of functionality really is fundamentally insecure and needs to go away?
Jason SorokoJason SorokoWell, I can tell you that, you like the convenience of having that cloud backup then go ahead and leave the default of backup to cloud. The problem is I think for enterprises you really need to do a risk assessment and think about - -
Tim CallanTim CallanYeah.
Jason SorokoJason SorokoIf you are using G-Suite specifically to store very important - - you know, if that’s the fundamental basis of how you do email in your business and you store a lot of files for your business and you are also using Google Authenticator extensively then I think as an enterprise you might want to limit the cloud backup of those OTP seeds.
Tim CallanTim CallanSo, Google is not taking action here. They are not going to change the way their system works. This is about a knowledge and configuration exercise for the enterprise. Is that correct?
Jason SorokoJason SorokoI think so, Tim. And I think as well Google will point to other technologies such as using a FIDO key. We’ve talked about those. We won’t get into detail but it’s not like Google doesn’t have other authentication or MFA options. They are out there and I think that those are the kinds of things that, if I was working for Google I would point to those things and go, hey, if you are an enterprise, use this and I think that is a correct answer. So, no, I don’t think Google is gonna go - - I mean I can’t speak for them.
Tim CallanTim CallanSure.
Jason SorokoJason SorokoThey may go off and change what the default is. Maybe they will. Maybe they won’t. Whatever. What I am saying is be aware of this. If you are an enterprise using G-Suite, be aware of this issue and be aware that there are other stronger forms of authentication compared to MFA. Something you and I have said dozens of times on this podcast.
Tim CallanTim CallanSure. Exactly. It also has three letters. So that other form of authentication that you are referring to. Starts with a P. PKI. Alright, Jason. Wow. That’s a hell of a story.
Jason SorokoJason SorokoIt is isn’t it? And, I just wanted to have a nice tight and concise explanation of what happened here and warn anybody who is using those kinds of really handy cloud services. You know, be aware. And thanks to Retool for expressing the real obvious headache and terrible situation that they went through for the rest of us to learn from.
Tim CallanTim CallanAbsolutely. So, that’s a good lesson.

Stay informed with expert insights

Subscribe to Root Causes for engaging discussions on PKI, digital security, and best practices for protecting your organization's critical assets. Don’t miss an episode!

Listen on Apple PodcastsListen on SpotifyListen on SoundCloud