In case you haven’t heard, recently a major password manager was hacked. LastPass, one of the largest providers of password management software, announced a breach of their systems on Aug. 25.
And, with over 25 million active users, it’s major news.
Should you really put your trust in them?
Well, upon closer examination, these carefully orchestrated attacks target external weaknesses, and these tools still deliver important protection against many attacks.
Let’s take a look at a few of these confidence-wavering attacks, what went wrong, and whether you should still use their services.
Okta MFA MITM Attack
Let’s start with the ‘Okatapus’ phishing campaign, the name researchers gave it.
Attackers targeted clients of Okta, one of the world’s largest identity verification and access management companies.
They purchased copycat URLs similar to Okta’s real pages, then went after outsourced customer support employees on contract with major companies. Many fell victim.
So far, reports cite over 130 organizations and 9,931 accounts compromised by the campaign.
Attackers can easily impersonate victimized company URLs. However, it takes considerable skill to accurately reproduce Okta authentication pages. These attackers pulled it off, tricking thousands of victims.
These fake web pages harvested Okta credentials from users, as well as the Okta one-time password sent via SMS. Using this method, the attackers gained access to even more communications companies: Twilio, MailChimp, and Klaviyo.
The attackers then accessed the compromised companies’ customers’ systems and information – including Authy two-factor authentication (2FA) accounts. The attackers used these additional credentials to steal further information, such as DoorDash customer and employee data.
However, despite the headlines, the breach didn’t compromise Okta. Their systems performed as intended. Rather, similar-looking, yet fraudulent pages were used to gather information.
If you’re still wondering how it could happen, imagine typing ‘micorsoft.com’ into your browser. You don’t notice the typo, and land on a page that looks like the Microsoft page you wanted.
At that point, you might not have any hesitation to try to sign in to an account, make a purchase, or hand over other data. But, in reality, you’d only be providing your credentials to potential scammers.
This attack demonstrates the weakness of relying on SMS texts and other one-time passwords for authentication. A code delivered by SMS can be typed into any page, so a Man-in-the-Middle (MitM) site can intercept it and relay it to the real login, and the real login cannot tell the difference.
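To make the contrast concrete, here is an added example (not code from the original post or from Okta) that models the two flows side by side: an SMS code relayed through a look-alike page is accepted, while a challenge signed together with the origin the browser is really on is rejected. The origins, device key and the HMAC-based signing are constructed stand-ins for an origin-bound authenticator; they are a simplified model, not a full WebAuthn implementation.

```python
import hashlib
import hmac
import secrets

REAL_ORIGIN = "https://login.example-sso.com"       # constructed: the genuine identity provider
LOOKALIKE_ORIGIN = "https://login.example-ss0.com"  # constructed: the phishing look-alike


def issue_sms_otp():
    """Server side: a 6-digit code tied to nothing but the account."""
    return f"{secrets.randbelow(10**6):06d}"


def verify_sms_otp(expected, submitted):
    return hmac.compare_digest(expected, submitted)


def relay_otp_phish(server_code):
    """The look-alike page collects the code the victim typed and forwards it unchanged.
    Nothing in the code says which page it was entered on, so the server accepts it."""
    victim_types = server_code  # victim reads the SMS and enters it on the fake page
    return verify_sms_otp(server_code, victim_types)


def sign_assertion(device_key, challenge, origin_seen_by_browser):
    """Simplified origin-bound authenticator: the browser, not the user, supplies the
    origin it is actually on, and that origin is covered by the signature."""
    msg = f"{challenge}|{origin_seen_by_browser}".encode()
    return {"origin": origin_seen_by_browser,
            "sig": hmac.new(device_key, msg, hashlib.sha256).hexdigest()}


def verify_assertion(device_key, challenge, assertion):
    """Server side: reject anything not signed over the server's own origin."""
    if assertion["origin"] != REAL_ORIGIN:
        return False
    msg = f"{challenge}|{assertion['origin']}".encode()
    expected = hmac.new(device_key, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, assertion["sig"])


def relay_assertion_phish(device_key):
    """The look-alike page relays the real server's challenge, but the victim's browser
    signs it with the origin it is really on, so the relayed assertion names the wrong site."""
    challenge = secrets.token_hex(16)  # issued by the real server
    assertion = sign_assertion(device_key, challenge, LOOKALIKE_ORIGIN)
    return verify_assertion(device_key, challenge, assertion)
```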
Other MFA Bypass Attacks
Man-in-the-middle attacks use more than just spoofed websites to steal credentials.
The Revive banking malware posed as a 2FA Android application that duplicated the 2FA features of a Spanish bank, BBVA.
Here’s how it worked.
First, the attackers phished customers, claiming that the bank’s 2FA embedded within the bank app no longer met security standards and that a new app was required. Customers who did not check with the bank first downloaded the Android app and began using it.
Once the app was installed, the attackers gained access to nearly everything they’d need to pursue further attacks.
You see, instead of operating purely as a MitM, this app also acts as an active keylogger, siphoning off other information as well as the banking MFA. Believing it to be a legitimate app, users could find themselves typing in usernames, passwords, account numbers, or any variety of sensitive information.
This app’s narrow focus on the BBVA bank helps it avoid detection and exist longer than similar, but more widespread attacks.
Not all MFA bypass attacks use a MitM site to steal credentials. That’s because, thankfully, Microsoft and other providers have begun implementing MitM countermeasures.
In a form of social engineering attack, the WebView2-Cookie Stealer uses the browser-in-browser capabilities of Microsoft Edge WebView2.
Here, instead of a fake website, attackers display the legitimate website within a compromised browser or application. After the victim signs in at the legitimate site, the attackers log the keystrokes and steal the authentication cookies, copying them to a remote server after the MFA step has already been completed.
If the cookies aren’t restricted to a specific device or set to expire after a specific session, the attacker can use them to start a new session on their own device quite easily. However, just like most phishing attacks, the victim must still be tricked into running an executable file.
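The two mitigations named above, device binding and session timeouts, can be enforced server-side whenever a cookie is presented. The following is an added example (not code from the original post or from any vendor) of a minimal session validator: a stolen cookie replayed from a different device is rejected and the session is revoked, and stale cookies fail on idle or absolute timeouts. The in-memory store, the fingerprint inputs and the timeout values are constructed assumptions; the returned reason strings are meant to be logged for detection.

```python
import hashlib
import hmac
import secrets
import time

SESSION_IDLE_SECONDS = 15 * 60        # assumed policy: 15 minutes without activity
SESSION_MAX_SECONDS = 8 * 60 * 60     # assumed policy: 8 hours absolute lifetime
_sessions = {}  # constructed in-memory store: token -> session record


def _fingerprint(user_agent, client_ip_prefix):
    """Binds a session to coarse client properties (assumed inputs; real deployments
    may use mTLS or token-binding instead of UA and network prefix)."""
    return hashlib.sha256(f"{user_agent}|{client_ip_prefix}".encode()).hexdigest()


def create_session(user, user_agent, client_ip_prefix, now=None):
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _sessions[token] = {"user": user,
                        "fp": _fingerprint(user_agent, client_ip_prefix),
                        "created": now, "last_seen": now}
    return token


def validate_session(token, user_agent, client_ip_prefix, now=None):
    """Returns (ok, reason). A cookie replayed from another device fails with
    'device_mismatch'; an old cookie fails with 'idle_timeout' or 'absolute_timeout'.
    Any failure revokes the session so the legitimate user must re-authenticate."""
    now = time.time() if now is None else now
    rec = _sessions.get(token)
    if rec is None:
        return False, "unknown_session"
    if now - rec["created"] > SESSION_MAX_SECONDS:
        _sessions.pop(token)
        return False, "absolute_timeout"
    if now - rec["last_seen"] > SESSION_IDLE_SECONDS:
        _sessions.pop(token)
        return False, "idle_timeout"
    if not hmac.compare_digest(rec["fp"], _fingerprint(user_agent, client_ip_prefix)):
        _sessions.pop(token)  # stolen-cookie replay: revoke rather than just deny
        return False, "device_mismatch"
    rec["last_seen"] = now
    return True, "ok"
```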
Password Manager Hacked: LastPass Data Breach
For most people, the challenge of managing passwords leads to our recommendation to use a password manager, such as LastPass. However, after a data breach of the LastPass source code, is a reevaluation required?
First off, we still recommend you use a password manager. Given the struggles of safely maintaining dozens of accounts on a daily basis, they’re still the most secure option available.
In this instance, LastPass promptly revealed the scope and nature of the data breach in a straightforward and simple manner. This helps consumers and experts understand that the breach is limited to source code and proprietary settings that can be changed or otherwise do not affect the product.
While LastPass will mitigate the impact of the breach, most importantly, the attacker didn’t gain access to user data. And, even if the attackers had accessed user data, LastPass stores all passwords as a single encrypted package that is only decrypted once a user downloads it to their local machine (in an application or browser) and enters the master password.
So, even though it’s unnerving to see headlines declaring a breach of your password manager, in truth, these passwords remain safe and secure – just as they were designed to be.
Use MFA and Password Managers
Whether your organization is large or small, you should still use MFA and password managers to improve security and simplify proper password practices. That said, these tools shouldn’t be used blindly, and not all tools deliver the same level of quality.
Simply contact us at 412-349-6680, or fill out the form below, and our experts will provide a no-obligation consultation and discuss options to verify, improve, or implement stronger authentication security.