Developer platform Retool disclosed it suffered a breach last month that involved vishing attack on an employee and affected 27 cloud customers.
In a blog post Wednesday, Retool revealed it was targeted in a spear phishing attack on August 27. A threat actor impersonating an IT staff member conducted SMS-based phishing and a successful vishing attack to obtain authentication logins that led to the total account takeover of one Retool employee. Retool notified all 27 affected cloud customers on August 29 and confirmed that no on-premises accounts were affected.
The attack started with targeted texts sent to several employees using an account issue and healthcare coverage as a lure. The messages contained a URL that mimicked Retool’s own internal identity portal and tricked one employee into logging into the malicious link that contained a multi-factor authentication (MFA) form.
The attack escalated with one phone call and a significant amount of knowledge on the target organization.
“The caller claimed to be one of the members of the IT team, and deepfaked our employee’s actual voice. The voice was familiar with the floor plan of the office, coworkers, and internal processes of the company,” Snir Kodesh, head of engineering at Retool, wrote in the blog post. “Throughout the conversation, the employee grew more and more suspicious, but unfortunately did provide the attacker one additional multi-factor authentication code.”
Retool uses Okta’s authentication platform and the additional MFA code was a one-time password token that let the attacker compromise an Okta account. After adding their own personal device to the employee’s Okta account, the attacker produced their own MFA code. That enabled further unauthorized access, including an active Google Workspace session on the device.
Next, the attacker used Google account access to obtain all the employee’s MFA codes and eventually infiltrated Retool’s VPN and internal administrator systems. Adversary activity included changing emails for users and resetting passwords as well as viewing Retool applications.
Although the attacker successfully phished an employee and compromised an Okta account, Retool blamed the extent of the breach on Google Authenticator syncing MFA codes to the cloud. The synchronization feature was implemented in April in response to customer concerns over lost or stolen devices with Google Authenticator installed. While the feature was cheered by some, others cited potential security problems following its release, such as a lack of encryption for the synchronized data.
“Getting access to this employee’s Google account therefore gave the attacker access to all their MFA codes. With these codes (and the Okta session), the attacker gained access to our VPN, and crucially, our internal admin systems. This allowed them to run an account takeover attack on specific set of customers (all in the crypto industry),” Kodesh wrote.
A Google spokesperson provided the following statement to TechTarget Editorial:
“Our first priority is the safety and security of all online users, whether consumer or enterprise, and this event is another example of why we remain dedicated to improving our authentication technologies. Beyond this, we also continue to encourage the move toward safer authentication technologies as a whole, such as passkeys, which are phishing resistant. Phishing and social engineering risks with legacy authentication technologies, like ones based on OTP, are why the industry is heavily investing in these FIDO-based technologies. While we continue to work toward these changes, we want to ensure Google Authenticator users know they have a choice whether to sync their OTPs to their Google Account, or to keep them stored only locally. In the meantime, we’ll continue to work on balancing security with usability as we consider future improvements to Google Authenticator.”
In a report on Wednesday, cryptocurrency news outlet CoinDesk connected a recent attack against cryptocurrency firm Fortress Trust to the Retool breach. Last week, Fortress Trust disclosed that four “customers were impacted by a third-party vendor whose cloud tools were compromised.” The CoinDesk report said the unnamed vendor was Retool.
Retool did not respond to requests for comment at press time.
In response to the attack, Retool revoked all internal authenticated sessions for employees and locked down access to the 27 affected accounts that have since been restored. Kodesh said the cloud provider is working with law enforcement and emphasized that only Retool’s cloud environment was affected, which is separated from the company’s zero-trust on-premises network.
“The vast majority of our customers in more sensitive industries (e.g. crypto, healthcare, finance, etc.) use our on-premise solution, and we encourage our customers to consider it, if security is important,” he said.
Social engineering attacks have become a growing threat in recent years. For example, Cyber insurer Coalition attributed phishing as the root cause for 76% of all claims reported in the second half of 2022.
Phishing and vishing campaigns have led to several high-profile breaches of late. Earlier this month, Okta disclosed four customers were compromised in a social engineering attack where attackers also impersonated IT. By convincing customers to reset MFA factors, the threat actor gained access to four highly privileged accounts.
Arielle Waldman is a Boston-based reporter covering enterprise security news.