
Retool Breach Linked To Google Authenticator Vulnerability

Retool has disclosed a data breach that affected the accounts of 27 of its cloud customers. One of those customers was Fortress Trust, from which attackers went on to steal $15 million in cryptocurrency. Retool attributes the escalation of the breach to Google Authenticator's cloud synchronisation feature, which had copied an employee's MFA codes into their Google account.

Retool is a San Francisco-based company whose customers include Fortune 500 firms. According to people familiar with the matter, it built the portal through which a small number of Fortress clients accessed their financial information, which is how a compromise at Retool reached Fortress. The Google Authenticator cloud-sync feature, released in April 2023, has been described by Retool as a "dark pattern" that escalated the breach.

Retool also drew attention to the behaviour at the root of the incident, which it calls a Google Authenticator vulnerability: the app now offers to store users' one-time-password seeds in their Google account, so anyone who gains control of that account can generate the same MFA codes.

According to Snir Kodesh, Retool’s head of engineering:

The fact that Google Authenticator syncs to the cloud is a novel attack vector. What we had originally implemented was multi-factor authentication. But through this Google update, what was previously multi-factor-authentication had silently become single-factor-authentication.

The incident directly affected Retool, resulting in a data breach and the exposure of potentially sensitive customer information, as Retool set out in its public report on the breach.

Retool revealed that on August 27th the company had been targeted by a spear-phishing campaign in which an attacker, posing as a member of the IT team, combined SMS phishing with a voice phishing (vishing) call.

These steps gave the attacker the employee's credentials and, ultimately, full control of that employee's account. On August 29th, Retool notified all 27 affected cloud customers and confirmed that on-premises deployments were unaffected.

How The Attack Exploited Google Authenticator

The attack began with SMS messages from someone posing as an IT team member dealing with a "payroll concern". An employee fell for it, clicked the link and entered their credentials on the fake login page behind it.

The attacker then phoned the employee, reportedly using a deepfake of an IT team member's voice, and talked them into reading out an additional one-time password (OTP).

That OTP was the pivotal step: it let the attacker enrol a new device on the employee's Okta account, which from then on could generate its own Okta MFA codes and establish an active Google Workspace session in the employee's name.
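Enrolling a new MFA device immediately after a login from an unfamiliar address is exactly the sequence described above, and it is visible in identity-provider logs. The following is an added example, not Retool's or Okta's code: a small detector run over constructed log lines. The event shapes loosely follow Okta System Log field names (eventType, published, actor, client), but every line is made up for illustration, and the "usual IPs" table is an assumed, pre-computed baseline rather than a real data source.

```python
"""Flag MFA factor enrolments that come from an unfamiliar network location.

Added example (not Retool's or Okta's code). Log lines are constructed;
field names imitate Okta System Log events but nothing here was captured
from a real tenant. USUAL_IPS is an assumed baseline of each user's
normal source addresses, which in practice would be built from history.
"""
import json
from datetime import datetime, timedelta

# Constructed events, deliberately out of order to show that sorting matters.
CONSTRUCTED_LOG = [
    '{"published":"2023-08-27T09:07:02Z","eventType":"user.mfa.factor.activate",'
    '"actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"198.51.100.77"}}',
    '{"published":"2023-08-27T09:02:11Z","eventType":"user.session.start",'
    '"actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"203.0.113.5"}}',
    '{"published":"2023-08-27T09:05:40Z","eventType":"user.session.start",'
    '"actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"198.51.100.77"}}',
    '{"published":"2023-08-27T10:00:00Z","eventType":"user.mfa.factor.activate",'
    '"actor":{"alternateId":"bob@example.com"},"client":{"ipAddress":"203.0.113.9"}}',
]

# Assumed baseline: addresses each user has logged in from before.
USUAL_IPS = {
    "alice@example.com": {"203.0.113.5"},
    "bob@example.com": {"203.0.113.9"},
}


def parse_event(line: str) -> dict:
    """Decode one JSON event and attach a timezone-aware timestamp."""
    event = json.loads(line)
    event["ts"] = datetime.fromisoformat(event["published"].replace("Z", "+00:00"))
    return event


def find_suspicious_enrolments(lines, usual_ips, window=timedelta(minutes=30)):
    """Return factor enrolments from a non-baseline IP, noting whether a
    login from that same IP happened shortly before (the attacker's path)."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    findings = []
    for i, ev in enumerate(events):
        if ev["eventType"] != "user.mfa.factor.activate":
            continue
        user = ev["actor"]["alternateId"]
        ip = ev["client"]["ipAddress"]
        if ip in usual_ips.get(user, set()):
            continue  # enrolment from a known location: not flagged by this rule
        preceding_logins = [
            e for e in events[:i]
            if e["eventType"] == "user.session.start"
            and e["actor"]["alternateId"] == user
            and e["client"]["ipAddress"] == ip
            and ev["ts"] - e["ts"] <= window
        ]
        findings.append({
            "user": user,
            "ip": ip,
            "time": ev["published"],
            "preceded_by_new_session": bool(preceding_logins),
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_enrolments(CONSTRUCTED_LOG, USUAL_IPS):
        print(f)
```

The rule is deliberately narrow: it only fires when the enrolment and the preceding login share an address the user has never used. An attacker who arrives through the same corporate egress as the victim (a VPN, for example) would not trip it, so in practice the signal should be paired with a notification to the account owner whenever any new factor or device is enrolled.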

From there, the attacker reached Retool's internal administration systems and took over 27 customer accounts. The escalation was possible because the employee had enabled Google Authenticator's cloud synchronisation, so the Google Workspace session exposed every MFA code stored in the authenticator. This chain of events ultimately enabled the cryptocurrency theft from Fortress Trust.

With the employee's Google account in hand, the attacker harvested their MFA codes, moved through Retool's systems, changed user details and accessed applications. Retool attributes the severity of the breach to Google Authenticator's cloud-synchronised MFA codes, a feature launched in April to address the problem of losing a device. Because the synchronised data is not end-to-end encrypted, the feature turns a compromised Google account into a compromise of every second factor stored in it.
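The reason a synced authenticator collapses MFA to a single factor, as Snir Kodesh's quote above puts it, is that a TOTP code is a pure function of the seed and the clock: whoever holds a copy of the seed produces the same six digits as the phone. The following is an added example, not Retool's or Google's code, implementing RFC 6238 TOTP over RFC 4226 HOTP; the seed is the RFC 6238 reference test key, not a real credential, and the "employee phone" and "attacker device" names are illustrative.

```python
"""TOTP (RFC 6238) computed from a shared seed.

Added example, not Retool's or Google's code. It shows why a TOTP seed that
has been synchronised to a cloud account is no longer a "something you have"
factor: every party holding the seed computes identical codes. The seed is
the RFC 6238 Appendix B test key for HMAC-SHA1 (ASCII "12345678901234567890").
"""
import hashlib
import hmac
import struct

RFC6238_SHA1_SEED = b"12345678901234567890"
STEP_SECONDS = 30


def hotp(seed: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC(seed, counter), dynamic truncation, decimal code."""
    msg = struct.pack(">Q", counter)                     # 8-byte big-endian counter
    mac = hmac.new(seed, msg, digestmod).digest()
    offset = mac[-1] & 0x0F                              # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP over the number of elapsed 30-second steps."""
    return hotp(seed, unix_time // STEP_SECONDS, digits, digestmod)


def verify_totp(seed: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check that tolerates +/- `window` steps of clock skew."""
    counter = unix_time // STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(seed, counter + delta), code)
        for delta in range(-window, window + 1)
    )


def synced_seed_yields_same_code(seed: bytes, unix_time: int) -> bool:
    """Model the scenario in the article: the employee's phone and a second
    device that obtained the same seed from the synced copy both produce a
    code the server accepts, so possession of the phone proves nothing."""
    employee_phone = totp(seed, unix_time)
    attacker_device = totp(seed, unix_time)   # same seed, same clock, same code
    return employee_phone == attacker_device and verify_totp(seed, attacker_device, unix_time)


if __name__ == "__main__":
    # RFC 6238 vector: T=59 with 8 digits is 94287082; Authenticator-style 6 digits is 287082.
    print(totp(RFC6238_SHA1_SEED, 59, digits=8), totp(RFC6238_SHA1_SEED, 59))
    print(synced_seed_yields_same_code(RFC6238_SHA1_SEED, 1234567890))
```

The practical consequence is that the seed must be treated with the same care as a password: a factor whose seed lives in a cloud account is only as strong as that account's own login, which in this incident the attacker already controlled. Hardware or platform-bound authenticators (FIDO2 keys, passkeys bound to a device) do not have this property because the private key never leaves the device.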

The incident illustrates a problem the cryptocurrency industry faces as it matures, and traditional finance is not immune either: exploitable weaknesses are plentiful, and systemic flaws are often what turn a single compromise into a major loss.

Although the attackers have not been identified, the incident closely resembles earlier attacks attributed to financially motivated threat groups tracked as 0ktapus, Scattered Spider and UNC3944.

These groups are known for their sophisticated SMS phishing and social-engineering techniques, with a particular focus on cryptocurrency companies. The recent, highly disruptive attack on MGM Resorts is also thought to have been carried out by the same group.

Phishing was the primary cause of 77% of claims recorded in the second half of 2022, underlining how serious social-engineering attacks are. High-profile breaches, such as Okta's recent incident, in which attackers impersonated IT staff and persuaded customers' IT help desks to reset MFA factors for highly privileged users, show how effective these techniques are at compromising privileged accounts.

Phishing attacks are on the rise, so it is important to protect your organisation. One effective way to do this is to raise user awareness of these attacks. Phishing Tackle can help: it offers a free 14-day trial to train your users to recognise and avoid phishing attacks.

Although technology helps, it cannot catch 100% of phishing emails, so user education is essential to minimising the impact of any attack that gets through. Consulting Phishing Tackle can provide valuable insights and tools to strengthen your defences against such attacks.
