A recent cyberattack targeted 27 cryptocurrency firms, and its success has been linked in part to a newly introduced Google Authenticator cloud synchronization feature. The attack raised significant concerns about the security of cryptocurrency-related businesses and highlighted evolving tactics employed by cybercriminals.
In late August, Retool notified 27 of its cloud clients about unauthorized access to their accounts. The attackers executed account takeover attacks by manipulating user emails and resetting passwords. All affected clients had ties to the cryptocurrency sector, prompting questions about the motives behind the attack.
Retool responded swiftly to the breach, successfully reversing the 27 account takeovers. Unfortunately, one client, Fortress Trust, suffered a significant loss of $15 million in cryptocurrency.
The attack began with SMS-based spear-phishing (smishing) messages sent to Retool staff. The messages, masquerading as communications from the IT team, urged employees to open a seemingly legitimate link to address payroll and healthcare enrollment matters. One employee clicked the link and landed on a phishing page, where they disclosed both their credentials and a multi-factor authentication (MFA) code.
The attackers did not stop there. They followed up with a convincing phone call, using deepfake audio to imitate an employee's voice. Although suspicious, the employee provided the caller with an additional MFA code because the attacker displayed intimate knowledge of the office layout, internal procedures, and personnel.
Where Google Authenticator Synchronization Came Into Play
A significant factor that further compromised Retool's security was a Google Authenticator feature that synchronizes MFA secrets to the user's Google account. Once the attacker controlled that Google account, they gained access to every MFA code tied to it. Because a time-based one-time code is derived entirely from its stored seed, anyone holding the synced seeds can generate valid codes at will; cloud syncing therefore turned what was initially considered a robust multi-factor authentication system into a single-factor one, with the Google account password as the only real barrier. Authenticators that keep the secret on a physical device, such as hardware security keys, are not exposed in this way.
While the identity of the attackers remains undisclosed, their tactics closely align with recent attacks attributed to financially motivated threat groups, including 0ktapus, Scattered Spider, and UNC3944. These groups specialize in sophisticated social engineering, SMS-based phishing campaigns, and targeting cryptocurrency firms. They were also responsible for the disruptive attack on MGM Resorts.
Separately, the use of deepfakes in social engineering is gaining prominence, as underscored by cybersecurity agencies including CISA, the FBI, and the NSA. The agencies have issued warnings about the malicious potential of video, audio, and text deepfakes, including their use in business email compromise (BEC) attacks and cryptocurrency-related scams.
In conclusion, this cyberattack on Retool and its cryptocurrency clients highlights the evolving tactics employed by cybercriminals and emphasizes the critical need for enhanced cybersecurity measures, particularly in industries handling sensitive financial data. It serves as a stark reminder of the importance of comprehensive employee training, of verifying unexpected requests through an independent channel, and of multi-factor authentication whose second factor cannot be phished or copied out of a cloud account.