Martin Hawksey on LinkedIn: How Google Authenticator made one company’s network breach much, much worse (2024)

Martin Hawksey

Google Developer Expert and Google Cloud Champion Innovator in Google Workspace working at CTS


Interesting post which is a reminder of the extent hackers will go to to gain the 'keys to the castle'. The attack started when an employee clicked a link in a text message appearing to come from the company's IT team. The attacker was then able to socially engineer access to the employee's Google Authenticator account.

The post highlights that: "The most important moral of this story is that FIDO2-compliant forms of MFA are the gold standard for account security. For those sticking with TOTPs, Google Authenticator is intended to provide a happy medium between usability and security. This balance may make the app useful for individuals who want some form of MFA but also don't want to run the risk of being locked out of accounts in the event they lose a device. For enterprises like Retool, where security is paramount and admins can manage accounts, it's woefully inadequate."

I agree security keys are better than time-based one-time passwords (TOTPs), but there is also a strong argument that in this scenario context-aware access through a secure enterprise browser could have limited the amount of access the attacker gained. It's also a reminder that humans are often the weak link and of the importance of educating your users. https://lnkd.in/eMq2B5t9

How Google Authenticator made one company’s network breach much, much worse arstechnica.com


Colin McCarthy

Experienced Google Workspace, SaaS and IT leader. Ex-WPP

11mo


Very interesting story and post...what I don't fully understand is if additional accounts were also compromised with the first account. The Retool article says 'Getting access to this employee’s Google account therefore gave the attacker access to all their MFA codes' but the bad actor would also need to know the passwords for those accounts...unless they were all saved in the Google Profile of the first account compromised..or all had the same password.


More Relevant Posts

  • Slashdot

    8,055 followers


    How a Breached Microsoft Engineer Account Compromised the Email Accounts of US Officials: An anonymous reader shared this report from Bloomberg:

    China-linked hackers breached the corporate account of a Microsoft engineer and are suspected of using that access to steal a valuable key that enabled the hack of senior U.S. officials' email accounts, the company said in a blog post. The hackers used the key to forge authentication tokens to access email accounts on Microsoft's cloud servers, including those belonging to Commerce Secretary Gina Raimondo, Representative Don Bacon and State Department officials earlier this year.

    The U.S. Cybersecurity and Infrastructure Security Agency and Microsoft disclosed the breach in June, but it was still unclear at the time exactly how hackers were able to steal the key that allowed them to access the email accounts. Microsoft said the key had been improperly stored within a "crash dump," which is data stored after a computer or application unexpectedly crashes... The incident has brought fresh scrutiny to Microsoft's cybersecurity practices.

    Microsoft's blog post says they corrected two conditions which allowed this to occur. First, "a race condition allowed the key to be present in the crash dump," and second, "the key material's presence in the crash dump was not detected by our systems."

    "We found that this crash dump, believed at the time not to contain key material, was subsequently moved from the isolated production network into our debugging environment on the internet connected corporate network. This is consistent with our standard debugging processes. Our credential scanning methods did not detect its presence (this issue has been corrected). After April 2021, when the key was leaked to the corporate environment in the crash dump, the Storm-0558 actor was able to successfully compromise a Microsoft engineer's corporate account. This account had access to the debugging environment containing the crash dump which incorrectly contained the key. Due to log retention policies, we don't have logs with specific evidence of this exfiltration by this actor, but this was the most probable mechanism by which the actor acquired the key."

    Read more of this story at Slashdot.

    How a Breached Microsoft Engineer Account Compromised the Email Accounts of US Officials it.slashdot.org


  • Shay Colson, CISSP

    Cybersecurity for Growth-Stage Companies and Investors


    Yet another reminder that configuration details matter tremendously, particularly when it comes to security features and functionality. In this case, MFA became single factor based on a "sync feature" and had disastrous consequences:

    "Retool is blaming the success of the hack on a new feature in Google Authenticator that allows users to synchronize their 2FA codes with their Google account. This has been a long-requested feature, as you can now use your Google Authenticator 2FA codes on multiple devices, as long as they are all logged into the same account."

    "However, Retool says that the feature is also to blame for the August breach severity as it allowed the hacker who successfully phished an employee's Google account access to all their 2FA codes used for internal services. 'With these codes (and the Okta session), the attacker gained access to our VPN, and crucially, our internal admin systems,' Kodesh said."

    Gulp.

    Retool blames breach on Google Authenticator MFA cloud sync feature bleepingcomputer.com


  • Clinton Jones

    "Features seldom used or undiscovered are just unclaimed technical debt" - Product Management Professional, Product Manager , Imagineer and visionary


    Passkeys Are Cool, but They Aren't Enterprise-Ready apparently... Done right they could eliminate phishing attacks aimed at harvesting credentials, because there are no passwords to steal. A major sticking point is lost device key recovery. Apple, Google, and Microsoft fix this by tying keys to their services. A user who logs back into one of the services can then recover by being issued a new set of keys. New device attestation becomes the enterprise hurdle. https://buff.ly/3M18JQd

    Passkeys Are Cool, but They Aren't Enterprise-Ready darkreading.com


  • Starlight Intelligence

    431 followers


    Hackers stole Microsoft signing key from Windows crash dump

    Microsoft says Storm-0558 Chinese hackers stole a signing key used to breach government email accounts from a Windows crash dump after compromising a Microsoft engineer's corporate account. The attackers used the stolen MSA key to breach the Exchange Online and Azure Active Directory (AD) accounts of roughly two dozen organizations, including government agencies in the United States, such as the U.S. State and Commerce Departments. They exploited a now-patched zero-day validation issue in the GetAccessTokenForResource API, which enabled them to forge signed access tokens and impersonate accounts within the targeted orgs.

    While Microsoft said when it disclosed the incident in July that only Exchange Online and Outlook were impacted, Wiz security researcher Shir Tamari later said that the compromised Microsoft consumer signing key provided Storm-0558 widespread access to Microsoft cloud services. As Tamari said, the key could be used to impersonate any account within any impacted customer or cloud-based Microsoft application. Redmond later told BleepingComputer that the compromised key could only be used to target apps that accepted personal accounts and had the validation error exploited by the Chinese hackers.

    In response to the security breach, Microsoft revoked all valid MSA signing keys to prevent threat actors from accessing other compromised keys. This step also effectively blocked any additional efforts to generate new access tokens. Additionally, Microsoft relocated the recently generated access tokens to the key store used by its enterprise systems. After revoking the stolen signing key, Microsoft found no additional evidence of unauthorized access to customer accounts employing the same auth token forging technique.

    Pressured by CISA, Microsoft also agreed to expand access to cloud logging data for free to help network defenders detect similar breach attempts in the future. Before this, such logging capabilities were only available to customers with Purview Audit (Premium) logging licenses. As a result, Redmond faced substantial criticism for impeding organizations from promptly detecting Storm-0558's attacks.

    #CyberSecurity https://lnkd.in/gXHQNXuN

    Hackers stole Microsoft signing key from Windows crash dump bleepingcomputer.com
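The Slashdot post above and this one turn on the same detail: a signing key sat inside a crash dump, and "credential scanning methods did not detect its presence" before the dump was moved off the isolated production network. What follows is an added example, not Microsoft's scanner (the page gives no detail of it): a minimal pre-export check that looks for at-rest private-key encodings by signature and falls back to an entropy sweep for encodings it does not know. The dump contents are constructed inside the block; the signature list, window size and entropy threshold are my choices and would be tuned to a real dump format.

```python
"""Scan a crash dump for private-key material before it leaves production.

Added example, not Microsoft's or Slashdot's code. The dump is constructed
in-line; nothing in it is real key material.
"""
import math
import random
import re
from dataclasses import dataclass
from typing import List

# At-rest encodings a scanner should recognise outright (assumed list, not exhaustive).
PEM_PRIVATE_RE = re.compile(rb"-----BEGIN (?:RSA |EC |ENCRYPTED )?PRIVATE KEY-----")
# Unencrypted PKCS#8 RSA key: version INTEGER 0 followed by the rsaEncryption
# AlgorithmIdentifier (OID 1.2.840.113549.1.1.1 with NULL parameters).
PKCS8_RSA_MARK = bytes.fromhex("020100300d06092a864886f70d0101010500")
# A JSON Web Key carrying a "d" member is a private key, RSA or EC.
JWK_PRIVATE_RE = re.compile(rb'"kty"\s*:\s*"(?:RSA|EC)"[^{}]{0,4096}?"d"\s*:\s*"')

WINDOW = 512             # bytes per entropy window (assumed; tune to the dump format)
ENTROPY_THRESHOLD = 7.0  # bits/byte: text ~4.5, base64 <= 6, random bytes ~7.6 at this size


@dataclass(frozen=True)
class Finding:
    offset: int
    kind: str


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty or constant input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def scan_dump(dump: bytes) -> List[Finding]:
    """Return every signature hit plus the start offset of each high-entropy run."""
    findings = []
    for m in PEM_PRIVATE_RE.finditer(dump):
        findings.append(Finding(m.start(), "pem-private-key"))
    pos = dump.find(PKCS8_RSA_MARK)
    while pos != -1:
        findings.append(Finding(pos, "pkcs8-rsa-der"))
        pos = dump.find(PKCS8_RSA_MARK, pos + 1)
    for m in JWK_PRIVATE_RE.finditer(dump):
        findings.append(Finding(m.start(), "jwk-private"))
    # Entropy sweep: catches keys in encodings the signatures do not know,
    # at the cost of also flagging compressed or encrypted regions (triage needed).
    in_run = False
    for off in range(0, len(dump), WINDOW):
        high = shannon_entropy(dump[off:off + WINDOW]) >= ENTROPY_THRESHOLD
        if high and not in_run:
            findings.append(Finding(off, "high-entropy-blob"))
        in_run = high
    return sorted(findings, key=lambda f: (f.offset, f.kind))


def build_demo_dump() -> bytes:
    """Constructed stand-in for a crash dump: log text, zero pages, a dummy PEM
    block, and a fake DER-encoded RSA key whose body is seeded random bytes."""
    rng = random.Random(20230906)
    log_text = b"[svc] request id=42 tenant=contoso status=200\n" * 40
    fake_pem = (b"-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA" + b"A" * 60
                + b"\n-----END RSA PRIVATE KEY-----\n")
    fake_der = (bytes.fromhex("30820276") + PKCS8_RSA_MARK
                + bytes.fromhex("04820260") + rng.randbytes(0x260))
    return log_text + bytes(4096) + fake_pem + bytes(4096) + fake_der + bytes(4096) + log_text


def build_clean_dump() -> bytes:
    """Same kind of content with no key material: must produce no findings."""
    return b"[svc] request id=42 tenant=contoso status=200\n" * 40 + bytes(8192)


if __name__ == "__main__":
    for f in scan_dump(build_demo_dump()):
        print(f"{f.offset:#08x}  {f.kind}")
```

Signature hits are actionable on their own; entropy hits need triage, since compressed sections and ciphertext look the same. The sweep also misses anything shorter than a window, so a bare 32-byte symmetric key would only be caught if the scanner knows the surrounding structure. That is why the check belongs at the boundary the post describes, before the dump crosses from the isolated network into an internet-connected debugging environment, rather than being the only control on it.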

  • Nikolai Belstein

    Chief Information Security Officer @ Boubyan Bank | 20+ years in cybersecurity


    "Transparency is key in cybersecurity," as Martin Clausen rightly said. It's essential for service providers to be transparent, especially when dealing with sensitive information. Microsoft, being a major service provider, needs to ensure full transparency in their operations. Everybody knows that transparency is important and crucial in ensuring a secure cyberspace. #Cybersecurity #Microsoft


  • AdminDroid

    2,966 followers


    Conditional Access Expands: New Capability to Control Authentication Flows

    Authentication flows are widely recognized for streamlining the complex login process and making it easier for end users to access any apps! 🚀 Microsoft uses various authentication flows for accessing the M365 apps. However, not all authentication flows are equal in terms of security! ⚠️ Some of them come with certain loopholes. Thus, attackers can do brute force attacks or remote phishing to interrupt the session and gain access.

    ➡️ To address these security concerns, Microsoft has now included the capability to block specific authentication flows using Conditional Access policies. Currently, the following flows are included in the preview due to their high-risk nature.

    ✅ Device code flow - It is used to authenticate an app using a secondary device.
    ✅ Authentication transfer flow - It transfers the authenticated state from one device to another.

    Discover why they are considered high-risk and learn how to effectively block authentication flows using Conditional Access policies. https://lnkd.in/gGH6Bwfx

    #Microsoft365 #AdminDroid #ConditionalAccess #AuthenticationFlows #DeviceCode #AuthenticationTransfer #SysAdmin #EntraID #MicrosoftEntraID #office365administration #RemotePhishing #PrimaryRefreshTokens

    Control Authentication Flows Using Conditional Access Policy https://blog.admindroid.com


  • Martin Clausen

    Global Head of Cyber Security


    In 2023, a hacker group with spying goals launched a cyberattack that aimed at Microsoft Exchange Online mailboxes. A new report from the US Cybersecurity and Resilience Board (CSRB) said that cyberattack was preventable. Not sure where this leaves Microsoft's assurance reports nor customers' abilities to assess the risk of specific cloud services more accurately.

    The conclusions are not exactly pretty:

    1. The cascade of Microsoft's avoidable errors that allowed this intrusion to succeed.
    2. Microsoft's failure to detect the compromise of its cryptographic crown jewels on its own, relying instead on a customer to reach out to identify anomalies the customer had observed.
    3. The assessment of security practices at other cloud service providers, which maintained security controls that Microsoft did not.
    4. Microsoft's failure to detect a compromise of an employee's laptop from a recently acquired company prior to allowing it to connect to Microsoft's corporate network in 2021.
    5. Microsoft's decision not to correct, in a timely manner, its inaccurate public statements about this incident, including a corporate statement that Microsoft believed it had determined the likely root cause of the intrusion when in fact, it still has not; even though Microsoft acknowledged to the CSRB in November 2023 that its September 6, 2023 blog post about the root cause was inaccurate, it did not update that post until March 12, 2024, as the Board was concluding its review and only after the CSRB's repeated questioning about Microsoft's plans to issue a correction.
    6. The CSRB's observation of a separate incident, disclosed by Microsoft in January 2024, the investigation of which was not in the purview of the review, which revealed a compromise that allowed a different nation-state actor to access highly-sensitive Microsoft corporate email accounts, source code repositories, and internal systems.
    7. How Microsoft's ubiquitous and critical products, which underpin essential services that support national security, the foundations of our economy, and public health and safety, require the company to demonstrate the highest standards of security, accountability, and transparency.


