November 2024 Newsletter
Push Security
A browser-native identity security platform that hardens your identity attack surface and prevents account takeover.
Hey there! It’s time for the latest edition of our newsletter. So grab a coffee, make sure you’re sitting comfortably, and get ready to digest the latest identity security news.
Threats under the microscope
Cross-IdP impersonation & verification phishing: How attackers can get around locked-down IdP accounts by phishing a single one-time password (OTP)
In last month’s newsletter, we mentioned recent security research in which a 15-year-old researcher abused Zendesk configuration to create an Apple IdP account linked to a target org, and subsequently logged into their Slack tenant via SSO.
This got us thinking about the bigger picture. After going down the rabbit hole, we ended up adding two new attack techniques to the SaaS attacks matrix.
Introducing: Cross-IdP impersonation & verification phishing
Cross-IdP impersonation is authenticating to an application as a user via a different IdP from the one the target organization ordinarily uses. For example, where an org typically uses Microsoft Entra, an attacker registers a Google Workspace account, links it to the existing domain/email, and logs into the apps that org uses via SSO.
Verification phishing can be used in conjunction with this technique to complete the verification step when registering the new IdP. Typically, this means social engineering a user into passing on an OTP sent to their email, or having them complete the verification process on your behalf.
How (and why) does this attack work?
It’s much easier to phish a user for a verification code than for their Microsoft or Okta credentials, particularly if phishing-resistant authentication factors like passkeys or Okta FastPass are in use.
When testing this attack, we were surprised to find that 3 in 5 apps don’t require a user to re-authenticate when adding a new login method by default. This means that most of the time, after registering a new IdP account, there’s nothing to stop an attacker simply logging into the downstream apps used by the employee being impersonated.
If you want to see this in action, check out the video clip below.
Is SSO really supposed to work like this?!
It’s pretty wild that this attack exists. You can blame product-led growth: most SaaS applications support a range of authentication methods to give their wide range of customers flexibility, and generally aim to make signing up as simple as possible.
It is considered best practice to require re-verification when adding a new login method, but it isn’t always enforced, or enforced in the same way. Re-verification via an emailed OTP can itself be phished; only pinned verification (requiring a fresh login with the original credentials or method) is phishing-resistant.
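As an added illustration (written for this newsletter, not Push’s code or any vendor’s implementation), the following Python models the two account-linking behaviours discussed above: an app that auto-links any IdP asserting a verified matching email, beside one that refuses unknown issuers and only links a new method after a pinned re-authentication with an already-trusted one. The issuer strings, the 300-second re-auth window and the alice@example.com account are constructed placeholders; an emailed OTP is modelled as a proof type that the hardened path deliberately rejects, since that code is exactly what verification phishing steals.

```python
from dataclasses import dataclass, field

# Constructed placeholders: the org's real IdP and an attacker-registered
# Google Workspace tenant that asserts the victim's e-mail address.
ORG_IDP = "login.microsoftonline.com"
ROGUE_IDP = "accounts.google.com"
VICTIM_EMAIL = "alice@example.com"
REAUTH_WINDOW_SECONDS = 300   # how fresh a pinned re-authentication must be (assumed)


@dataclass
class Assertion:
    """What the app learns from a completed SSO round trip with some IdP."""
    issuer: str
    email: str
    email_verified: bool = True


@dataclass
class Account:
    email: str
    linked_issuers: set = field(default_factory=set)


@dataclass
class EmailOtpProof:
    """A one-time code sent to the mailbox: the thing verification phishing steals."""
    code_matched: bool


@dataclass
class PinnedReauthProof:
    """A fresh login via a method the account already trusts."""
    issuer: str
    at: float


def vulnerable_login(account: Account, a: Assertion) -> bool:
    """Auto-link on verified e-mail match (the behaviour seen in 3 in 5 apps):
    any IdP asserting the victim's address is linked and logged in on the spot."""
    if a.email != account.email or not a.email_verified:
        return False
    account.linked_issuers.add(a.issuer)    # silently registers the new IdP
    return True


def hardened_login(account: Account, a: Assertion) -> bool:
    """Only an issuer the account already trusts may log in; an unknown IdP is
    refused even when the e-mail matches and is marked verified."""
    return a.email == account.email and a.issuer in account.linked_issuers


def add_login_method(account: Account, new: Assertion, proof, now: float) -> bool:
    """Pinned re-verification: link a new IdP only after a fresh login with an
    already-linked method. An EmailOtpProof is rejected whatever its code_matched."""
    if new.email != account.email:
        return False
    if not isinstance(proof, PinnedReauthProof):
        return False
    if proof.issuer not in account.linked_issuers:
        return False                        # re-auth via the rogue IdP proves nothing
    if now - proof.at > REAUTH_WINDOW_SECONDS:
        return False                        # stale session, ask the user to log in again
    account.linked_issuers.add(new.issuer)
    return True


def scenario(now: float = 1_000_000.0) -> dict:
    """Run the attack against both app models and report what each allowed."""
    attacker = Assertion(ROGUE_IDP, VICTIM_EMAIL)   # attacker's tenant, victim's address
    results = {}

    sloppy = Account(VICTIM_EMAIL, {ORG_IDP})       # only ever logged in via Entra
    results["vulnerable_attacker_login"] = vulnerable_login(sloppy, attacker)
    results["vulnerable_rogue_idp_now_linked"] = ROGUE_IDP in sloppy.linked_issuers

    strict = Account(VICTIM_EMAIL, {ORG_IDP})
    results["hardened_attacker_login"] = hardened_login(strict, attacker)
    results["link_with_phished_otp"] = add_login_method(
        strict, attacker, EmailOtpProof(code_matched=True), now)
    results["link_with_stale_reauth"] = add_login_method(
        strict, attacker, PinnedReauthProof(ORG_IDP, now - 3600), now)
    results["link_with_rogue_reauth"] = add_login_method(
        strict, attacker, PinnedReauthProof(ROGUE_IDP, now), now)

    # Legitimate path: alice logs in via Entra, then links Google within the window.
    assert hardened_login(strict, Assertion(ORG_IDP, VICTIM_EMAIL))
    results["link_after_pinned_reauth"] = add_login_method(
        strict, Assertion(ROGUE_IDP, VICTIM_EMAIL), PinnedReauthProof(ORG_IDP, now), now + 60)
    results["hardened_google_login_after_link"] = hardened_login(
        strict, Assertion(ROGUE_IDP, VICTIM_EMAIL))
    return results


if __name__ == "__main__":
    for name, allowed in scenario().items():
        print(f"{name}: {allowed}")
```

The hardened model still lets a legitimate user add a second IdP; what it removes is the path where an attacker’s freshly registered IdP, or a phished OTP, is enough on its own. Where the vendor supports it, restricting linkable issuers to the org’s managed IdP closes the gap entirely.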
What can you do about it?
As a SaaS customer, there are a few things you can do.
And if you find an application that doesn’t support this feature, pressure the vendor with a feature request, the same as you would for a vendor that doesn’t support SSO!
For more information on cross-IdP impersonation & verification phishing and what you can do about it, check out our blog post.
In the news
Fintech Finastra, used by 45 of the top 50 global banks, compromised via stolen credentials
What happened:
An attacker used compromised credentials to access Finastra's internal Secure File Transfer Platform (SFTP). The attacker has since put 400GB of data up for sale on hacker forums, including client data and internal documents. After gaining attention, the post disappeared, suggesting they may have found a buyer…
Push’s perspective:
This is a textbook case of the modern credential-based attack: log in to an internet-facing service, dump data, profit via ransom or by selling the data on to other criminals. Once an attacker compromises an account and the remainder of the attack chain happens within the scope of a single compromised app or service, it’s very hard to stop them. You have limited telemetry and controls, and almost no time to do anything about it. This is why we’re so focused on stopping account takeover itself.
Cyber breach using stolen SaaS credentials exposes health data of 750,000 patients
What happened:
A data breach at an unnamed French hospital exposed the medical records of 750,000 patients after a threat actor gained access to its electronic patient record system. The same actor claims to have attacked multiple healthcare facilities in France, breaching accounts on the third-party patient record provider MediBoard using stolen credentials.
Push’s perspective:
We’re really seeing a lot of these attacks, aren’t we? Attackers continue to target healthcare organizations worldwide, taking advantage of sensitive (and highly monetizable) data, heavy third-party service use, and apparently weak identity security standards. This year we’ve had confirmed identity-related breaches of HealthEquity, LA County Health Services, and the whopping Change Healthcare breach impacting 100m people.
What we’ve been up to
Here's a quick roundup of the research and blogs we've published this month:
Push co-founder & CEO Adam Bateman appeared on the RSnake Show to demonstrate Push. Check it out!
If you’re attending Black Hat Europe or BSides London in December, keep an eye out for the Push booth and come and say hi!
Finally, don’t miss our webinar on December 5th, where Luke Jennings will be tearing down AitM phishing kits to see why they keep evading your security controls.
Thanks for sharing your week with us. Please invite your friends to sign up.