
Deepfake and smishing. How hackers compromised the accounts of 27 Retool customers in the crypto industry

Software development company Retool was the victim of a smishing (SMS phishing) attack that resulted in the compromise of the accounts of 27 of its cloud customers.

Software development company Retool revealed that the accounts of 27 of its cloud customers were compromised as a result of an SMS-based social engineering attack.

The company states that one of its employees was compromised on August 27, 2023, via a spear-phishing attack delivered over SMS. Once the employee's account was compromised, the threat actors were able to work through multiple layers of security controls, each step yielding the credential or token needed for the next.

Retool believes that the attackers abused Google Authenticator's cloud synchronization feature, which copies a user's one-time-password seeds into their Google account, to extend the breach from a single phished code to the organization's internal systems.

Several employees received targeted SMS messages posing as a member of IT who was reaching out about an account issue that would supposedly block open enrollment and thereby affect the employee's healthcare coverage. The company noted that the timing coincided with a recently announced migration of logins to Okta. The SMS included a URL crafted to look like the company's internal identity portal.

The attackers then phoned the compromised employee, posing as the IT team. Using a deepfake of the actual voice of one of the IT staffers, they talked the employee into reading out a multi-factor authentication (MFA) one-time code.

“The additional OTP token shared over the call was critical, because it allowed the attacker to add their own personal device to the employee’s Okta account, which allowed them to produce their own Okta MFA from that point forward. This enabled them to have an active GSuite session on that device. Google recently released the Google Authenticator synchronization feature that syncs MFA codes to the cloud. As Hacker News noted, this is highly insecure, since if your Google account is compromised, so now are your MFA codes.” reads a statement published by Retool.

The company reported that, because the victim had also enabled Google Authenticator's cloud sync feature, the attackers gained access to all of the employee's MFA codes. With those codes and the Okta session, the attacker reached the company VPN and its internal admin systems, then took over the accounts of a specific set of customers, all in the crypto industry, changing the email addresses on the accounts and resetting passwords.
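The pivot Retool describes, a phished OTP used to enroll the attacker's own device as a new Okta factor, leaves a trail in the identity provider's audit log. Below is an added example (my code, not Retool's or Okta's) of a detection a SOC could run over Okta System Log exports: it flags a successful MFA factor enrollment from an IP address that has no established history of successful logins for that user, meaning the address was first seen less than 24 hours earlier or never. The events are constructed to resemble Okta System Log entries, reduced to the fields the rule reads; the event type names `user.session.start` and `user.mfa.factor.activate` are Okta's, while the users, addresses, timestamps and the 24-hour threshold are invented and should be tuned to the environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events shaped like Okta System Log entries, trimmed to the fields the rule uses.
# The users, addresses and timestamps are invented; only the eventType names are Okta's.
SAMPLE_EVENTS = [
    {"eventType": "user.session.start", "published": "2023-08-01T09:00:00.000Z",
     "outcome": {"result": "SUCCESS"},
     "actor": {"alternateId": "alice@example.com"},
     "client": {"ipAddress": "203.0.113.10"}},
    {"eventType": "user.mfa.factor.activate", "published": "2023-08-02T09:05:00.000Z",
     "outcome": {"result": "SUCCESS"},
     "actor": {"alternateId": "alice@example.com"},
     "client": {"ipAddress": "203.0.113.10"}},   # legitimate phone setup from a known IP
    {"eventType": "user.session.start", "published": "2023-08-27T21:14:00.000Z",
     "outcome": {"result": "SUCCESS"},
     "actor": {"alternateId": "alice@example.com"},
     "client": {"ipAddress": "198.51.100.7"}},   # login with the phished OTP from a new IP
    {"eventType": "user.mfa.factor.activate", "published": "2023-08-27T21:16:30.000Z",
     "outcome": {"result": "SUCCESS"},
     "actor": {"alternateId": "alice@example.com"},
     "client": {"ipAddress": "198.51.100.7"}},   # attacker enrolls their own device
    {"eventType": "user.session.start", "published": "2023-08-27T21:20:00.000Z",
     "outcome": {"result": "FAILURE"},
     "actor": {"alternateId": "bob@example.com"},
     "client": {"ipAddress": "198.51.100.7"}},   # failed login, must not count as history
]


def parse_ts(s: str) -> datetime:
    # Okta publishes RFC 3339 timestamps with millisecond precision and a trailing Z.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def find_suspicious_enrollments(events, min_history=timedelta(hours=24)):
    """Flag successful factor enrollments from an IP with no established login history for the user.

    An IP only counts as 'known' if the user's first successful login from it predates the
    enrollment by at least min_history; a login minutes earlier from the same address (the
    attacker's own session, opened with the phished code) does not whitelist the address.
    """
    first_seen = defaultdict(dict)   # user -> {ip: time of first successful login}
    findings = []
    for e in sorted(events, key=lambda ev: ev["published"]):
        user, ip = e["actor"]["alternateId"], e["client"]["ipAddress"]
        when = parse_ts(e["published"])
        if e["outcome"]["result"] != "SUCCESS":
            continue
        if e["eventType"] == "user.session.start":
            first_seen[user].setdefault(ip, when)
        elif e["eventType"] == "user.mfa.factor.activate":
            seen = first_seen[user].get(ip)
            if seen is None or when - seen < min_history:
                findings.append({"user": user, "ip": ip, "time": e["published"],
                                 "reason": "factor enrolled from IP with no established login history"})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_enrollments(SAMPLE_EVENTS):
        print(finding)
```

On the constructed data only the August 27 enrollment from 198.51.100.7 is reported; the August 2 enrollment passes because the user had a day-old login history from that address. In production the same rule is usually paired with an alert on the factor enrollment itself being pushed to the user out of band, so the real owner can repudiate it.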

“We have an internal Retool instance used to provide customer support; this is how the account takeovers were executed. The authentication for this instance happens through a VPN, SSO, and a final MFA system. A valid GSuite session alone would have been insufficient.” continues the company. “The fact that Google Authenticator syncs to the cloud is a novel attack vector. What we had originally implemented was multi-factor authentication. But through this Google update, what was previously multi-factor-authentication had silently (to administrators) become single-factor-authentication, because control of the Okta account led to control of the Google account, which led to control of all OTPs stored in Google Authenticator. We strongly believe that Google should either eliminate their dark patterns in Google Authenticator (which encourages the saving of MFA codes in the cloud), or at least provide organizations with the ability to disable it. We have already passed this feedback on to Google.”
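Why a synced seed collapses the second factor, as an added illustration that is neither Retool's nor Google's code: RFC 6238 TOTP is a deterministic function of the seed and the clock, so anyone who holds the seed, including an attacker who reads it out of a synced Google account, produces exactly the codes the verifier expects. The block implements HOTP (RFC 4226) and TOTP (RFC 6238), checks itself against the RFC 6238 SHA-1 test vectors, and includes a server-side verifier with the usual one-step drift window. The seed is the RFC's published test seed in the base32 form an authenticator app stores as the `secret` parameter of an otpauth:// URI; the timestamp in the attacker check is an arbitrary value chosen for the example.

```python
import base64
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock. Nothing device-specific enters."""
    return hotp(seed, unix_time // step, digits, algo)


def seed_from_base32(secret: str) -> bytes:
    """Authenticator apps keep the seed as the base32 'secret=' parameter of an otpauth:// URI;
    that string (re-padded here, since apps usually strip the '=') is what cloud sync copies."""
    s = secret.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def verify(seed: bytes, code: str, unix_time: int, window: int = 1, step: int = 30) -> bool:
    """Server-side check with +/- one-step drift tolerance, comparing in constant time."""
    counter = unix_time // step
    return any(hmac.compare_digest(hotp(seed, counter + d), code)
               for d in range(-window, window + 1))


# RFC 6238 Appendix B test seed (ASCII "12345678901234567890") in base32, as an app would sync it.
RFC6238_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def rfc6238_vector(unix_time: int) -> str:
    """8-digit SHA-1 vectors from RFC 6238: time 59 -> 94287082, time 1234567890 -> 89005924."""
    return totp(seed_from_base32(RFC6238_SEED_B32), unix_time, digits=8)


def attacker_with_synced_seed(secret_b32: str, unix_time: int) -> bool:
    """An attacker who pulled the seed from the victim's synced Google account produces a code
    the verifier accepts: the 'something you have' is now held by whoever controls that account."""
    seed = seed_from_base32(secret_b32)
    attacker_code = totp(seed, unix_time)          # computed on the attacker's own device
    return verify(seed, attacker_code, unix_time)  # indistinguishable from the victim's phone


if __name__ == "__main__":
    print(rfc6238_vector(59))                                        # 94287082
    print(attacker_with_synced_seed(RFC6238_SEED_B32, 1693170000))   # True (arbitrary example time)
```

The verifier has no way to tell the two devices apart because the protocol never involves the device: only the seed and the time go into the HMAC. That is the sense in which Retool says the second factor "silently became single-factor" once the seed lived in an account the attacker already controlled, and it is the property that origin-bound factors such as FIDO2/WebAuthn do not share.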

Social engineering attacks target the human component of any organization, and the use of generative AI and deepfakes is raising the sophistication of such attacks to a new level: a cloned voice removes the one cue, an unfamiliar caller, that the target in this case might otherwise have noticed.

Specific training programs against social engineering attacks and the adoption of an effective Information Security Management System (ISMS) can make organizations more resilient against such attacks. Because the factor phished here was a one-time code that a person can read out over the phone, phishing-resistant factors such as FIDO2/WebAuthn security keys, whose assertions are bound to the site origin and cannot be relayed verbally, remove that step of the chain entirely.

Recently the US CISA, together with the NSA and FBI, released the Cybersecurity Information Sheet (CSI) Contextualizing Deepfake Threats to Organizations, which provides an overview of synthetic media threats, techniques, and trends.


Pierluigi Paganini

(SecurityAffairs – hacking, Retool)
