Retool attributes the breach to the Google Authenticator MFA cloud sync feature

Retool attributes the breach to the Google Authenticator MFA's cloud synchronization feature.

Software company Retool reports that 27 customers' cloud accounts were breached during an aggressive and multi-pronged social engineering attack.

Retool's development platform is used to create business software by companies ranging from startups to large Fortune 500 companies, including Amazon, Mercedes-Benz, DoorDash, NBC, Stripe and Lyft.

Snir Kodesh, Retool's chief engineering officer, revealed that all of the compromised accounts belong to customers in the cryptocurrency industry.

The breach occurred on August 27, after attackers bypassed multiple security mechanisms using SMS phishing and social engineering to compromise an IT employee's Okta account.

The attack used a URL that impersonated Retool's internal identity portal and was timed to coincide with a previously announced migration of login links to Okta.

Although most of the targeted employees ignored the phishing message, one of them clicked the embedded link, which redirected to a fake login portal with a multi-factor authentication (MFA) form.

After the employee logged in, the attacker called the targeted IT team member using a deepfake of an employee's voice and tricked him into providing an additional MFA code, which allowed the attacker to add an attacker-controlled device to the employee's Okta account.


The attack is attributed to the new Google Authenticator synchronization feature

Retool blames the success of the hack on a new feature of Google Authenticator that allows users to sync their 2FA codes with their Google account.

Users had long asked for this feature, since it lets them use their Google Authenticator 2FA codes across multiple devices, provided all of them are signed in to the same account.

However, Retool says that this feature also bears responsibility for the severity of the August breach, as it allowed the attacker who had successfully phished an employee's Google account to access all of the 2FA codes used for internal services.

As Kodesh explained, Retool had MFA enabled, but syncing the Google Authenticator codes to the cloud meant that authentication was inadvertently reduced to a single factor.

This happened because the compromise of the Okta account effectively became a compromise of the Google account, which gave access to all of the one-time passwords (OTPs) stored in Google Authenticator.
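To make concrete why a synced authenticator seed reduces MFA to a single factor, here is an added example (not Retool's or Google's code): a TOTP code is a pure function of the seed and the clock, so any copy of the seed, including one held in a synced cloud account, yields codes the server accepts exactly as it accepts the device's. The seed used is the RFC 4226/6238 test vector, a constructed input unrelated to the incident.

```python
"""RFC 4226 (HOTP) / RFC 6238 (TOTP) as implemented by authenticator apps and
the servers that verify them. The point for the Retool incident: every holder of
the seed computes identical codes, so the seed is the whole 'possession' factor."""
import hashlib
import hmac
import struct
import time

RFC_TEST_SEED = b"12345678901234567890"  # RFC 4226/6238 reference secret (constructed input)


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the current 30-second time step."""
    return hotp(seed, unix_time // step, digits)


def verify_totp(seed: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check accepting the current step and +/- `window` neighbouring steps,
    compared in constant time. The server sees only the code, never which copy of the
    seed produced it, so a device-bound seed and a cloud-synced seed are indistinguishable."""
    counter = unix_time // 30
    return any(
        hmac.compare_digest(hotp(seed, counter + k), submitted)
        for k in range(-window, window + 1)
    )


def synced_copy_passes(seed: bytes, unix_time: int) -> bool:
    """Model the incident's failure mode: a code computed from a second, byte-identical
    copy of the seed (what a cloud-synced authenticator stores) verifies like the original."""
    seed_in_cloud_account = bytes(seed)  # the synced copy is the same secret, not a derived one
    return verify_totp(seed, totp(seed_in_cloud_account, unix_time), unix_time)


if __name__ == "__main__":
    print(totp(RFC_TEST_SEED, 59))  # 287082 (RFC 6238 SHA-1 vector, truncated to 6 digits)
    print(synced_copy_passes(RFC_TEST_SEED, int(time.time())))  # True
```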

Although Google Authenticator promotes the cloud sync feature, it is not mandatory. If you have the feature enabled, you can turn it off by clicking on the account circle in the top right corner of the app and selecting 'Use Authenticator without an account.' This will disconnect you from the app and delete the synced 2FA passwords from your Google account.

Google also recommends switching to FIDO-based technology from traditional multi-factor one-time password (OTP) authentication as a simple way to prevent similar attacks.

"The risks of phishing and social engineering with old-style authentication technologies, such as those based on OTP, are why the industry is investing heavily in these FIDO-based technologies," said a Google spokesperson.


There have been no breaches of Retool customers using the on-premise service

After discovering the security incident, Retool suspended all employees' internal authenticated sessions, including those for Okta and G Suite.

It also restricted access to all 27 compromised accounts and notified all affected cloud customers, restoring all compromised accounts to their original settings (according to Retool, no on-premise customers were affected in the incident).

A CoinDesk report linked the Retool breach to the theft of $15 million from Fortress Trust in early September.


Attackers are increasingly using social engineering against IT specialists or support staff to gain initial access to corporate networks.

The list of companies that have been attacked using this tactic includes Cisco, Uber, 2K Games and, most recently, MGM Resorts.

Toward the end of August, Okta warned customers about breaches in which attackers persuaded IT service desk staff to reset multi-factor authentication (MFA) for Super Administrator or Org Administrator accounts.

US federal agencies also warned this week about threat actors using deepfakes, and recommended adopting technology that can help identify deepfakes, which attackers use after successful social engineering to gain access to networks, communications and sensitive information.

Source of information: bleepingcomputer.com

Teo Ehc
https://secnews.gr