Retool blames breach on Google Authenticator MFA cloud sync feature


Software company Retool says the accounts of 27 cloud customers were compromised following a targeted and multi-stage social engineering attack.

Retool’s development platform is used to build business software by companies ranging from startups to Fortune 500 enterprises, including Amazon, Mercedes-Benz, DoorDash, NBC, Stripe, and Lyft.

Snir Kodesh, Retool’s head of engineering, revealed that all hijacked accounts belong to customers in the cryptocurrency industry.

The breach occurred on August 27, after the attackers bypassed multiple security controls using SMS phishing and social engineering to compromise an IT employee’s Okta account.

The attack used a URL impersonating Retool’s internal identity portal and was launched during a previously announced migration of logins to Okta.

While most of the targeted employees ignored the phishing text message, one clicked the embedded phishing link that redirected to a fake login portal with a multi-factor authentication (MFA) form.

After signing in, the attacker deepfaked an employee’s voice and called the targeted IT team member, tricking them into providing an additional MFA code, which allowed the addition of an attacker-controlled device to the targeted employee’s Okta account.

Hack blamed on new Google Authenticator sync feature

Retool is blaming the success of the hack on a new feature in Google Authenticator that allows users to synchronize their 2FA codes with their Google account.

This has been a long-requested feature, as you can now use your Google Authenticator 2FA codes on multiple devices, as long as they are all logged into the same account.

However, Retool says the feature is also to blame for the severity of the August breach, because it gave the attacker who had phished an employee’s Google account access to all of the 2FA codes that employee used for internal services.

“With these codes (and the Okta session), the attacker gained access to our VPN, and crucially, our internal admin systems,” Kodesh said.

“This allowed them to run an account takeover attack on a specific set of customers (all in the crypto industry). (They changed emails for users and reset passwords.) After taking over their accounts, the attacker poked around some of the Retool apps.”

As Kodesh explained, although Retool had MFA enabled from the start, the authenticator codes that Google Authenticator synced to the cloud led to an inadvertent transition to single-factor authentication.

This shift occurred because control over the Okta account translated into control over the Google account, which in turn granted access to every One-Time Password (OTP) seed stored in Google Authenticator.
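To make concrete why a cloud-synced authenticator seed turns MFA back into a single factor, here is an added Python example (not code from Retool or from the article) that implements RFC 6238 TOTP with only the standard library. The secret is the RFC 6238 reference seed; the holder names, the verifier function and the window size are illustrative assumptions. The point it shows is that the verifier only checks knowledge of the seed, so every copy of the seed, on the original phone, in the synced Google account, or in the hands of whoever controls that account, produces the same accepted code.

```python
import hashlib
import hmac
import struct
import time

# RFC 6238 / RFC 4226 reference secret (ASCII "12345678901234567890"), not a real credential
REFERENCE_SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(code % 10**digits).zfill(digits)


def totp(secret: bytes, at_time: float, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the Unix time step."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, code: str, at_time: float, digits: int = 6,
                step: int = 30, window: int = 1) -> bool:
    """Server-side check (assumed design): accept the current step plus
    `window` steps either side to tolerate clock drift. Note what is NOT
    checked: which device produced the code. Only seed possession matters."""
    counter = int(at_time) // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return True
    return False


def codes_from_seed_holders(seed: bytes, at_time: float,
                            holders=("employee phone", "synced Google account copy")):
    """Model every party that holds a copy of the seed (illustrative names).
    Returns (all_identical, {holder: code}); all_identical is True because a
    synced copy is not a second factor, it is the same factor duplicated."""
    codes = {h: totp(seed, at_time) for h in holders}
    return len(set(codes.values())) == 1, codes


if __name__ == "__main__":
    now = time.time()
    identical, codes = codes_from_seed_holders(REFERENCE_SEED, now)
    for holder, code in codes.items():
        print(f"{holder:28s} -> {code}  accepted={verify_totp(REFERENCE_SEED, code, now)}")
    print("all seed holders produce the same accepted code:", identical)
```

The defensive takeaway for an IdP or VPN operator is that TOTP acceptance proves nothing about the device; if a seed can be replicated by account sync, compromise of the syncing account must be treated as compromise of the factor, which is why phishing-resistant, device-bound factors (FIDO2/WebAuthn) do not have this failure mode.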

“We strongly believe that Google should either eliminate their dark patterns in Google Authenticator (which encourages the saving of MFA codes in the cloud), or at least provide organizations with the ability to disable it.”

While Google Authenticator does promote its cloud sync feature, it is not required. If you have enabled the feature, you can disable it by clicking on the account circle at the top right of the app and selecting ‘Use Authenticator without an account.’ This will log you out of the app and delete your synchronized 2FA codes in your Google account.

No on-premise Retool customers breached

After discovering the security incident, Retool revoked all internal employee authenticated sessions, including those for Okta and G Suite.

It also restricted access to all 27 compromised accounts and notified all affected cloud customers, restoring all hijacked accounts to their original configurations (no on-premise customers were impacted in the incident, according to Retool).

“This meant that although an attacker had access to Retool cloud, there was nothing they could do to affect on-premise customers,” Kodesh said.

“It’s worth noting that the vast majority of our crypto and larger customers in particular use Retool on-premise.”

A Coindesk report linked the Retool breach to the theft of $15 million from Fortress Trust in early September.

Fortress Trust breach disclosure


Social engineering attacks targeting IT service desks or support personnel are increasingly being used by threat actors to gain initial access to corporate networks.

The list of companies that got hacked using this tactic includes Cisco, Uber, 2K Games, and, more recently, MGM Resorts.

In late August, Okta alerted customers of networks being breached via companies’ IT service desks after hackers reset Multi-Factor Authentication (MFA) defenses for Super Administrator or Org Administrator accounts.

U.S. federal agencies also warned this week of the cybersecurity risks posed by attackers using deepfakes, recommending technology that can help detect deepfakes used, after a successful social engineering attack, to gain access to networks, communications, and sensitive information.