Retool falls victim to SMS phishing attack affecting 27 cloud customers

September 18, 2023 · THN · Cyberattack / Data breach


Software development company Retool has disclosed that the accounts of 27 of its cloud customers were compromised following a targeted, SMS-based social engineering attack.

The San Francisco-based company blamed a Google Account cloud sync feature introduced in April 2023 for making the breach worse, calling it a “dark pattern.”

“The fact that Google Authenticator syncs with the cloud is a new attack vector,” said Snir Kodesh, head of engineering at Retool. “What we initially implemented was multi-factor authentication. But thanks to this update from Google, what used to be multi-factor authentication has silently (for admins) become single-factor authentication.”

Retool said the incident, which occurred on August 27, 2023, did not result in unauthorized access to on-premises or managed accounts. It also coincided with the company’s migration to Okta.


It all started with an SMS phishing attack targeting its employees, in which the threat actors posed as members of the IT team and asked recipients to click on a seemingly legitimate link to resolve a payroll-related issue.

One employee fell for the lure and was taken to a fake landing page that tricked them into entering their credentials. In the next stage of the attack, the hackers called the employee, again posing as a member of the IT team and using a deepfake of that person’s “real voice,” to obtain the multi-factor authentication (MFA) code.

“The additional OTP token shared during the call was critical because it allowed the attacker to add their own personal device to the employee’s Okta account, allowing them to create their own Okta MFA from that moment,” Kodesh said. “This allowed them to have an active G Suite (now Google Workspace) session on that device.”

Because the employee had also enabled Google Authenticator’s cloud sync feature, the attackers gained privileged access to Retool’s internal administration systems and were effectively able to take over accounts belonging to 27 of the company’s customers in the crypto industry.
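The pivot in this chain was the attacker enrolling their own device as a new Okta MFA factor minutes after signing in from an address the victim had never used. That is a detectable sequence in Okta's System Log. The following is an added example (not Retool's or Okta's code) of the check a detection engineer would write for it: it replays a handful of constructed System Log lines and flags factor activations from an IP the user only started using shortly before. The event type names `user.session.start` and `user.mfa.factor.activate` and the field layout follow Okta's published System Log schema as assumed here; the users, IPs and timestamps are made up.

```python
import json
from datetime import datetime, timedelta

# Constructed Okta System Log sample (assumed field layout: eventType, published,
# actor.alternateId, client.ipAddress, outcome.result). Not real Retool data.
SAMPLE_LOG = """
{"eventType":"user.session.start","published":"2023-08-20T09:00:00.000Z","actor":{"alternateId":"bob@example.com"},"client":{"ipAddress":"198.51.100.21"},"outcome":{"result":"SUCCESS"}}
{"eventType":"user.session.start","published":"2023-08-27T13:02:10.000Z","actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"198.51.100.20"},"outcome":{"result":"SUCCESS"}}
{"eventType":"user.session.start","published":"2023-08-27T13:40:00.000Z","actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"198.51.100.20"},"outcome":{"result":"SUCCESS"}}
{"eventType":"user.session.start","published":"2023-08-27T15:01:44.000Z","actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"203.0.113.7"},"outcome":{"result":"SUCCESS"}}
{"eventType":"user.mfa.factor.activate","published":"2023-08-27T15:05:12.000Z","actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"203.0.113.7"},"outcome":{"result":"SUCCESS"}}
{"eventType":"user.session.start","published":"2023-08-27T15:10:00.000Z","actor":{"alternateId":"bob@example.com"},"client":{"ipAddress":"198.51.100.21"},"outcome":{"result":"SUCCESS"}}
{"eventType":"user.mfa.factor.activate","published":"2023-08-27T15:12:30.000Z","actor":{"alternateId":"bob@example.com"},"client":{"ipAddress":"198.51.100.21"},"outcome":{"result":"SUCCESS"}}
"""


def parse_events(text):
    """Turn newline-delimited System Log JSON into flat dicts, oldest first."""
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        events.append({
            "type": e["eventType"],
            "time": datetime.strptime(e["published"], "%Y-%m-%dT%H:%M:%S.%fZ"),
            "user": e["actor"]["alternateId"],
            "ip": e["client"]["ipAddress"],
            "ok": e["outcome"]["result"] == "SUCCESS",
        })
    return sorted(events, key=lambda ev: ev["time"])


def suspicious_factor_enrollments(events, min_ip_age=timedelta(hours=24)):
    """Flag MFA factor activations from a (user, ip) pair that is brand new or
    younger than min_ip_age. A legitimate re-enrollment usually comes from an
    address the user has been signing in from for a while; an attacker who
    just phished a password and an OTP has no such history."""
    first_seen = {}  # (user, ip) -> time of the first successful event
    findings = []
    for e in events:
        if not e["ok"]:
            continue
        key = (e["user"], e["ip"])
        if e["type"] == "user.mfa.factor.activate":
            seen = first_seen.get(key)
            if seen is None or e["time"] - seen < min_ip_age:
                findings.append({
                    "user": e["user"],
                    "ip": e["ip"],
                    "time": e["time"],
                    "ip_age": None if seen is None else e["time"] - seen,
                })
        first_seen.setdefault(key, e["time"])
    return findings


if __name__ == "__main__":
    for f in suspicious_factor_enrollments(parse_events(SAMPLE_LOG)):
        print(f"{f['time'].isoformat()} {f['user']} enrolled a factor from "
              f"{f['ip']} (ip first seen {f['ip_age']} earlier)")
```

Running it reports alice's enrollment from 203.0.113.7 three and a half minutes after that address first appeared, and stays quiet about bob, whose enrollment came from an address he had used a week earlier. In production the same rule would be fed from the System Log API or a SIEM and would add the ASN or country of the client for context; the logic does not change.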

The attackers ultimately changed these users’ email addresses and reset their passwords. Fortress Trust, one of the affected users, had nearly $15 million in cryptocurrency stolen following the hack, CoinDesk reported.

“Because control of the Okta account led to control of the Google account, which led to control of all OTPs stored in Google Authenticator,” Kodesh pointed out.

If anything, the attack shows that syncing one-time codes to the cloud can break the “something the user has” factor, and that users should instead rely on hardware security keys or FIDO2-compliant passkeys to defeat phishing attacks.
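The reason a synced authenticator collapses to a single factor is that a TOTP entry is nothing more than a shared secret: whoever reads the seed can compute exactly the code the victim's phone shows, for any moment in time. The following added example (written for this page, not code from Retool or Google) makes that concrete by parsing an `otpauth://totp/...` provisioning entry of the kind a backup or sync carries and implementing RFC 4226 HOTP and RFC 6238 TOTP over it. The seed `JBSWY3DPEHPK3PXP` and the `Example:alice@example.com` label are illustrative values, not anything from the incident; the RFC 6238 Appendix B test seeds are used to show the implementation is correct.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def parse_otpauth(uri):
    """Parse an otpauth://totp/LABEL?secret=...&issuer=... provisioning URI.
    The base32 'secret' is the whole long-term key of the factor."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("only otpauth://totp URIs are handled here")
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    secret_b32 = params["secret"].strip().upper().replace(" ", "")
    secret_b32 += "=" * (-len(secret_b32) % 8)  # restore padding QR codes omit
    return {
        "label": unquote(parts.path.lstrip("/")),
        "issuer": params.get("issuer"),
        "secret": base64.b32decode(secret_b32),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
        "algorithm": params.get("algorithm", "SHA1").upper(),
    }


def hotp(secret, counter, digits=6, algorithm="SHA1"):
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation
    to 31 bits, then reduce modulo 10^digits and left-pad with zeros."""
    digestmod = getattr(hashlib, algorithm.lower())
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret, unix_time=None, digits=6, period=30, algorithm="SHA1"):
    """RFC 6238: HOTP with counter = floor(unix_time / period)."""
    if unix_time is None:
        unix_time = time.time()
    return hotp(secret, int(unix_time // period), digits, algorithm)


def code_from_backup(uri, unix_time=None):
    """What a synced or exported entry hands to whoever can read it:
    the same code the victim's authenticator displays at that instant."""
    entry = parse_otpauth(uri)
    return totp(entry["secret"], unix_time, entry["digits"],
                entry["period"], entry["algorithm"])


if __name__ == "__main__":
    # Illustrative entry only; the seed is a common demo value, not a real one.
    uri = "otpauth://totp/Example:alice@example.com?secret=JBSWY3DPEHPK3PXP&issuer=Example"
    now = time.time()
    victim_phone = totp(parse_otpauth(uri)["secret"], now)
    attacker_copy = code_from_backup(uri, now)
    print("victim's device shows:", victim_phone)
    print("holder of the synced seed computes:", attacker_copy)
    # RFC 6238 Appendix B vector: seed "12345678901234567890", T=59 -> 94287082
    print("RFC 6238 check:", totp(b"12345678901234567890", 59, digits=8))
```

The two printed codes are always identical, which is the whole point: there is no second factor left once the seed has left the device. A FIDO2 key or passkey has no equivalent exportable secret and signs a challenge bound to the site's origin, so neither a phished page nor a cloned backup yields anything a relying party will accept.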

Although the exact identities of the hackers have not been revealed, their modus operandi bears similarities to that of a financially motivated threat actor known as Scattered Spider (aka UNC3944), which is known for its sophisticated phishing tactics.



“Based on analysis of suspected UNC3944 phishing domains, it is plausible that the threat actors have, in some cases, used access to victims’ environments to obtain information about internal systems and exploited this information to facilitate more tailored phishing campaigns,” Mandiant revealed last week.

“For example, in some cases, the threat actors appeared to create new phishing domains that included the names of internal systems.”

The use of deepfakes and synthetic media has also come under renewed scrutiny from the U.S. government, which warned that audio, video and text deepfakes can be used for malicious purposes, including business email compromise (BEC) attacks and cryptocurrency scams.
