Software development company Retool has disclosed that the accounts of 27 of its cloud customers were compromised following a targeted and SMS-based social engineering attack.
The San Francisco-based firm blamed a Google Account cloud synchronization feature recently introduced in April 2023 for making the breach worse, calling it a “dark pattern.”
“The fact that Google Authenticator syncs to the cloud is a novel attack vector,” Snir Kodesh, Retool’s head of engineering, said. “What we had originally implemented was multi-factor authentication. But through this Google update, what was previously multi-factor-authentication had silently (to administrators) become single-factor-authentication.”
Retool said that the incident, which took place on August 27, 2023, did not allow unauthorized access to on-prem or managed accounts. It also coincided with the company migrating their logins to Okta.
It all started with an SMS phishing attack aimed at its employees, in which the threat actors masqueraded as a member of the IT team and instructed the recipients to click on a seemingly legitimate link to address a payroll-related issue.
One employee fell for the phishing trap, which led them to a bogus landing page that tricked them into handing over their credentials. In the next stage of the attack, the hackers called up the employee, again posing as the IT team person by deepfaking their “actual voice” to obtain the multi-factor authentication (MFA) code.
“The additional OTP token shared over the call was critical, because it allowed the attacker to add their own personal device to the employee’s Okta account, which allowed them to produce their own Okta MFA from that point forward,” Kodesh said. “This enabled them to have an active G Suite [now Google Workspace] session on that device.”
The fact that the employee also had activated Google Authenticator’s cloud sync feature allowed the threat actors to gain elevated access to its internal admin systems and effectively take over the accounts belonging to 27 customers in the crypto industry.
The attackers ultimately changed the emails for those users and reset their passwords. Fortress Trust, one of the impacted users, saw close to $15 million worth of cryptocurrency stolen as a result of the hack, CoinDesk reported.
“Because control of the Okta account led to control of the Google account, which led to control of all OTPs stored in Google Authenticator,” Kodesh pointed out.
If anything, the sophisticated attack shows that syncing one-time codes to the cloud can break the “something the user has” factor, necessitating that users rely on FIDO2-compliant hardware security keys or passkeys to defeat phishing attacks.
While the exact identity of the hackers was not disclosed, the modus operandi exhibits similarities to that of a financially motivated threat actor tracked as Scattered Spider (aka UNC3944), which is known for its sophisticated phishing tactics.
Identity is the New Endpoint: Mastering SaaS Security in the Modern Age
Dive deep into the future of SaaS security with Maor Bin, CEO of Adaptive Shield. Discover why identity is the new endpoint. Secure your spot now.
“Based on analysis of suspected UNC3944 phishing domains, it is plausible that the threat actors have, in some cases, used access to victim environments to obtain information about internal systems and leveraged that information to facilitate more tailored phishing campaigns,” Mandiant disclosed last week.
“For example, in some cases the threat actors appeared to create new phishing domains that included the names of internal systems.”
The use of deepfakes and synthetic media has also been the subject of a new advisory from the U.S. government, which warned that audio, video, and text deepfakes can be used for a wide range of malicious purposes, including business email compromise (BEC) attacks and cryptocurrency scams.