2023-09-18

The software development company Retool has disclosed that the accounts of 27 of its cloud customers were compromised following a targeted attack based on social engineering and SMS.

The San Francisco-based company placed the blame on a Google Account cloud sync feature introduced in April 2023, calling it a “dark pattern.”

What is known about this attack on Retool customers

“The fact that Google Authenticator synchronizes with the cloud is a new attack vector,” said Snir Kodesh, chief engineer at Retool, adding: “We initially implemented multi-factor authentication. But with this update from Google, what was initially multi-factor authentication had quietly become (for administrators) single-factor authentication.”

Retool stated that the incident, which occurred on August 27, 2023, did not allow unauthorized access to on-premises or managed accounts; it also coincided with the migration of their logins to Okta.

It all started with an SMS phishing attack targeting employees, in which the cybercriminals posed as members of the IT team and instructed recipients to click on a seemingly legitimate link to resolve a payroll-related issue.

One employee fell for the phishing message and was taken to a fake landing page that tricked him into handing over his credentials. In the next stage of the attack, the attackers called the employee, still pretending to be the person from the IT team, using deepfake technology to “mimic their real voice” in order to obtain the multi-factor authentication (MFA) code.

“The additional OTP key shared during the call was crucial, because it allowed the attacker to add their personal device to the employee’s Okta account, allowing them to generate their own Okta MFA from then on,” Kodesh said, concluding: “This allowed them to have an active G Suite session [now Google Workspace] on that device.”

Because the employee had enabled Google Authenticator’s cloud sync feature, the cybercriminals were able to gain elevated access to internal systems and effectively take control of accounts belonging to 27 cryptocurrency customers.

The attackers eventually changed those users’ email addresses and reset their passwords. Fortress Trust, one of the affected customers, saw around $15 million in cryptocurrency stolen following the attack, CoinDesk reported.

“As the Okta account takeover led to the Google account takeover, which led to the takeover of all OTPs stored in Google Authenticator,” Kodesh emphasized.

If anything, this sophisticated attack demonstrates that syncing one-time codes to the cloud can compromise the “something the user has” factor, making it necessary for users to rely on FIDO2-compliant hardware security keys or passkeys to thwart phishing attacks.

Although the exact identity of the attackers has not been disclosed, the modus operandi bears similarities to that of [another] financially motivated threat group known as Scattered Spider (aka UNC3944), known for its sophisticated phishing tactics.

“Based on UNC3944’s analysis of suspected phishing domains, it is plausible that criminals have, in some cases, used access to victims’ environments to gain information about internal systems and leveraged that information to facilitate more targeted phishing campaigns,” Mandiant said last week, adding: “For example, in some cases, threat actors appeared to create new phishing domains that included the names of internal systems.”

The use of deepfakes and synthetic media was also the subject of a new warning from the United States government, which cautioned that deepfake audio, video and text can be used for a wide range of malicious purposes, including business email compromise (BEC) attacks and cryptocurrency scams.

Don’t fall victim to deceptive text messages

SMS messages can also carry deceptive links that lead to phishing sites designed to steal data: don’t click them.

It may seem trivial, yet many people continue to fall into this trap.

The Retool case is nothing new in the IT world: even well before the internet became popular, deceptive SMS messages tricked people into calling premium-rate numbers and then spending credit on (apparently) unsolicited services.