
Deepfake and smishing. How hackers compromised the accounts of 27 Retool customers in the crypto industry

Software development company Retool was the victim of a smishing attack that resulted in the compromise of 27 accounts of its cloud customers.

Software development company Retool revealed that 27 of its cloud customers' accounts were compromised as a result of an SMS-based social engineering (smishing) attack.

The company states that one of its employees was compromised on August 27, 2023, via a targeted SMS phishing attack. Once that employee's account was compromised, the threat actors were able to move through several layers of security controls, one after another, as described below.

Retool believes the attackers abused Google Authenticator's cloud synchronization feature, which backs up the one-time-password secrets stored in the app to the user's Google Account, to extend the initial compromise into the rest of the organization.

Several employees received targeted SMS messages posing as a member of IT who was reaching out about an account issue that would block open enrollment and so affect the employee's healthcare coverage. The company noticed that the timing of the attack coincided with a recently announced migration of logins to Okta. The SMS included a URL crafted to look like the company's internal identity portal.

The attackers then called the employee, again posing as a member of the IT team. They deepfaked the actual voice of one of the IT staffers and tricked the employee into providing the multi-factor authentication (MFA) one-time code.

“The additional OTP token shared over the call was critical, because it allowed the attacker to add their own personal device to the employee’s Okta account, which allowed them to produce their own Okta MFA from that point forward. This enabled them to have an active GSuite session on that device. Google recently released the Google Authenticator synchronization feature that syncs MFA codes to the cloud. As Hacker News noted, this is highly insecure, since if your Google account is compromised, so now are your MFA codes.” reads a statement published by Retool.

Retool reported that the victim employee had also enabled Google Authenticator's cloud sync feature, so control of the employee's Google account gave the attackers every MFA secret stored in the app. With those codes and the Okta session, the attacker reached the company VPN and its internal admin systems, and from there took over the accounts of a specific set of customers, all in the crypto industry, changing the email addresses on those accounts and resetting their passwords.
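The point Retool is making is that a TOTP seed is a shared symmetric secret: whoever holds it computes exactly the codes the victim's phone shows, so syncing seeds to a Google Account turns "something you have" into "something the account holds". The following is an added example written for this article, not code from Retool, Google or Okta: a from-scratch RFC 6238 TOTP implementation in Python (standard library only) used to show that a seed exported from a synced authenticator verifies at the relying party with no further help from the victim. The seed strings and the timestamp are constructed samples; the RFC 6238 reference seed is included only so the arithmetic can be checked against the RFC's published test vectors.

```python
# Added example (not Retool's, Google's or Okta's code): RFC 6238 TOTP from
# scratch, to show that the seed an authenticator app stores and syncs *is*
# the factor. All seeds and timestamps below are constructed samples.
import base64
import hashlib
import hmac
import struct

# RFC 6238 reference seed ("12345678901234567890" in base32); lets the output
# be checked against the RFC's published test vectors.
RFC_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
# A made-up per-account seed of the kind a synced authenticator would hold.
VICTIM_SEED_B32 = "JBSWY3DPEHPK3PXP"


def decode_seed(seed_b32: str) -> bytes:
    """Base32-decode an authenticator seed, tolerating missing '=' padding
    (otpauth:// URIs usually omit it)."""
    raw = seed_b32.strip().upper()
    return base64.b32decode(raw + "=" * (-len(raw) % 8))


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic
    truncation to a zero-padded decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(seed_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the current time slice."""
    return hotp(decode_seed(seed_b32), unix_time // step, digits)


def server_verify(seed_b32: str, code: str, unix_time: int, skew_steps: int = 1) -> bool:
    """What the relying party does with its copy of the seed: accept the code
    for the current slice or one slice on either side to absorb clock skew."""
    return any(
        hmac.compare_digest(totp(seed_b32, unix_time + d * 30), code)
        for d in range(-skew_steps, skew_steps + 1)
    )


def attacker_passes_mfa(exported_seed_b32: str, unix_time: int) -> bool:
    """An attacker holding the exported seed needs nothing more from the
    victim: the code generated locally is exactly what the server expects."""
    attacker_code = totp(exported_seed_b32, unix_time)
    return server_verify(exported_seed_b32, attacker_code, unix_time)


if __name__ == "__main__":
    now = 1693148400  # constructed timestamp: 2023-08-27 15:00:00 UTC
    print("victim's phone shows         :", totp(VICTIM_SEED_B32, now))
    print("attacker computes from seed  :", totp(VICTIM_SEED_B32, now))
    print("server accepts attacker code :", attacker_passes_mfa(VICTIM_SEED_B32, now))
```

The contrast worth noting: a FIDO2/WebAuthn credential signs a challenge bound to the origin with a key that never leaves the authenticator, so there is no seed to sync and no six-digit value to read out over a phone call; that is the property the article's attack chain exploits the absence of.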

“We have an internal Retool instance used to provide customer support; this is how the account takeovers were executed. The authentication for this instance happens through a VPN, SSO, and a final MFA system. A valid GSuite session alone would have been insufficient.” continues the company. “The fact that Google Authenticator syncs to the cloud is a novel attack vector. What we had originally implemented was multi-factor authentication. But through this Google update, what was previously multi-factor-authentication had silently (to administrators) become single-factor-authentication, because control of the Okta account led to control of the Google account, which led to control of all OTPs stored in Google Authenticator. We strongly believe that Google should either eliminate their dark patterns in Google Authenticator (which encourages the saving of MFA codes in the cloud), or at least provide organizations with the ability to disable it. We have already passed this feedback on to Google.”
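The pivotal step in Retool's account is the one in which the stolen OTP let the attacker enroll their own device as an Okta MFA factor. That enrollment leaves a record, and a detection team would want to alert on it when it follows a login from an address the user has never used. The script below is an added example written for this article, not Retool's or Okta's code: it reads newline-delimited events shaped after Okta System Log JSON (the `eventType`, `actor.alternateId`, `client.ipAddress`, `outcome.result` and `published` fields) and flags a successful `user.mfa.factor.activate` that occurs within a configurable window after a `user.session.start` from a previously unseen IP for that user. Every record, address and account in the sample log is constructed; in a real deployment the per-user IP baseline would be seeded from weeks of history rather than from the same file.

```python
# Added detection example (not Retool's or Okta's code): flag an MFA factor
# enrollment that follows soon after a login from an IP never seen before for
# that user. Records are shaped after Okta System Log JSON but all values are
# constructed for this example.
import json
from datetime import datetime, timedelta

SAMPLE_LOG = """
{"published": "2023-08-20T09:00:00Z", "eventType": "user.session.start", "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "203.0.113.10"}, "outcome": {"result": "SUCCESS"}}
{"published": "2023-08-21T09:05:00Z", "eventType": "user.session.start", "actor": {"alternateId": "bob@example.com"}, "client": {"ipAddress": "203.0.113.20"}, "outcome": {"result": "SUCCESS"}}
{"published": "2023-08-27T14:02:00Z", "eventType": "user.session.start", "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "203.0.113.10"}, "outcome": {"result": "SUCCESS"}}
{"published": "2023-08-27T14:30:00Z", "eventType": "user.mfa.factor.activate", "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "203.0.113.10"}, "outcome": {"result": "SUCCESS"}}
{"published": "2023-08-27T15:10:00Z", "eventType": "user.session.start", "actor": {"alternateId": "bob@example.com"}, "client": {"ipAddress": "198.51.100.77"}, "outcome": {"result": "SUCCESS"}}
{"published": "2023-08-27T15:14:00Z", "eventType": "user.mfa.factor.activate", "actor": {"alternateId": "bob@example.com"}, "client": {"ipAddress": "198.51.100.77"}, "outcome": {"result": "SUCCESS"}}
"""


def parse_events(lines):
    """Turn JSON lines into flat dicts, sorted by timestamp so the baseline is
    built strictly from events that precede each one."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        events.append({
            "ts": datetime.fromisoformat(rec["published"].replace("Z", "+00:00")),
            "type": rec["eventType"],
            "user": rec["actor"]["alternateId"],
            "ip": rec["client"]["ipAddress"],
            "result": rec["outcome"]["result"],
        })
    return sorted(events, key=lambda e: e["ts"])


def find_suspicious_enrollments(events, window=timedelta(minutes=30)):
    """Alert on a successful factor enrollment within `window` of the same
    user's first successful session from a never-before-seen IP."""
    known_ips = {}          # user -> set of IPs seen in earlier successful sessions
    last_new_ip_login = {}  # user -> (timestamp, ip) of the latest new-IP session
    alerts = []
    for e in events:
        if e["result"] != "SUCCESS":
            continue
        if e["type"] == "user.session.start":
            seen = known_ips.setdefault(e["user"], set())
            if e["ip"] not in seen:          # first-ever session also counts as new
                last_new_ip_login[e["user"]] = (e["ts"], e["ip"])
            seen.add(e["ip"])
        elif e["type"] == "user.mfa.factor.activate":
            hit = last_new_ip_login.get(e["user"])
            if hit and timedelta(0) <= e["ts"] - hit[0] <= window:
                alerts.append({
                    "user": e["user"],
                    "enroll_ip": e["ip"],
                    "login_ip": hit[1],
                    "minutes_after_new_ip_login": int((e["ts"] - hit[0]).total_seconds() // 60),
                    "enrolled_at": e["ts"].isoformat(),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_enrollments(parse_events(SAMPLE_LOG.splitlines())):
        print("ALERT new MFA factor after new-IP login:", alert)
```

Alice's enrollment is not flagged because it happens from an address she has used before; Bob's is, because it lands four minutes after his first session from 198.51.100.77. In the attack described above, the same rule would have fired on the attacker's device enrollment, which is the moment the stolen OTP is converted into durable access.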

Social engineering attacks target the human component of any organization, and the use of generative AI and deepfakes is raising the sophistication of such attacks to a new level.

Specific training programs against social engineering and the adoption of an effective Information Security Management System (ISMS) can make organizations more resilient to this kind of attack. Training alone, however, is a weak defense against a convincing cloned voice; the more durable fix is a factor that cannot be read out over a phone call or exported to a cloud account, such as a FIDO2/WebAuthn security key bound to the legitimate login origin.

Recently, the US CISA released the Cybersecurity Information Sheet (CSI) Contextualizing Deepfake Threats to Organizations, which provides an overview of synthetic media threats, techniques, and trends.


Pierluigi Paganini

(SecurityAffairs – hacking, Retool)
