Google Account Sync Vulnerability Exploited to Steal $15M


  • A sophisticated hacking group targeted cryptocurrency firms by exploiting a vulnerability in Google Authenticator.
  • The hackers targeted Retool, a software development platform that is used by a number of Fortune 500 companies.
  • The hackers used a combination of phishing, social engineering, and deepfakes to trick employees into giving up their credentials.
  • The messages instructed recipients to access a legitimate-looking link in order to address some payroll and open enrollment issues.
  • The attack resulted in the theft of $15 million worth of customer funds.
  • Google has since updated Google Authenticator to address the vulnerability.

In a recent incident, cryptocurrency custodian Fortress Trust lost $15 million worth of customer funds in a theft that was traced back to a phishing attack on a third-party vendor, Retool.

Retool is a software development platform that is used by a number of Fortune 500 companies, including Amazon, DoorDash, Unity, NBC, Mercedes-Benz, Volvo, Lyft, and Peloton. 

The attackers targeted Retool employees with SMS-based phishing messages that appeared to come from a member of the company’s IT team. The messages instructed recipients to access a legitimate-looking link in order to address some payroll and open enrollment issues. One employee fell for the attack and handed over their credentials and multi-factor authentication (MFA) data.

What set this attack apart was the hackers’ use of deepfake technology to mimic an employee’s voice during a follow-up phone call. This convincing impersonation led to the employee inadvertently providing the attacker with an additional MFA code. Armed with this code, the hacker gained access to the employee’s Okta account, allowing them to add their own device to it.

The critical vulnerability exploited in this incident was related to Google Authenticator, a widely used tool for multi-factor authentication. A recent Google update has introduced a feature that syncs MFA codes to the cloud. If an attacker compromises a user’s Google account, they can obtain all MFA codes, essentially turning what was supposed to be multi-factor authentication into single-factor authentication.

Retool expressed frustration over the lack of a clear option to disable this feature and noted the novel attack vector it had become. While the identity of the hackers remains unclear, the attack shares similarities with previous activities attributed to the financially motivated threat group known as 0ktapus, Scattered Spider, and UNC3944.

Due to the growing threat of deepfakes for social engineering, U.S. agencies CISA, FBI, and NSA have published (PDF) a cybersecurity report highlighting the growing threat of deepfake technology in various malicious activities, including business email compromise attacks and cryptocurrency scams.

In order to mitigate these risks, cryptocurrency companies should implement strong security measures, such as multi-factor authentication and regular security audits. They should also be careful about which third-party vendors they use.





Source link