
Hacker attack on Retool: stolen cryptocurrencies and deepfakes

Sophisticated attack leveraging Google Authenticator MFA sync and deepfake puts business security at risk

A San Francisco software development company, Retool, was the victim of a sophisticated hacker attack that it attributes to a Google account syncing feature. Hackers breached the system and targeted cryptocurrency customers, causing significant damage. The attack exploited deepfakes and raises concerns about corporate security and the use of this technique. US authorities published a report highlighting the importance of reviewing security practices and taking additional measures.


A San Francisco software development company called Retool has blamed a recent Google account syncing feature for a sophisticated hacker attack. Hackers compromised Retool's systems and targeted over two dozen customers, all from the cryptocurrency industry. Following the attack, the company found that 27 of its cloud customers had experienced unauthorized access to their accounts, but that internally managed accounts had not been affected. Retool responded quickly to thwart the attacks and restore the 27 breached accounts; however, at least one customer, Fortress Trust, suffered a loss of cryptocurrency worth $15 million.

Hackers' operating methods and use of deepfake

The sophisticated attack began with SMS-based spear phishing messages sent to Retool employees. The messages appeared to come from a member of the company's IT team and invited recipients to follow a seemingly legitimate link, citing issues related to pay and healthcare enrollment. Only one employee fell for the deception and followed the link, which led to a phishing page. There the employee entered their login details and multi-factor authentication (MFA) code. Next, the hackers spoofed an employee's voice on a phone call, managing to convince the targeted employee to give them an additional MFA code. The attackers were credible because they knew the layout of the office facilities, internal processes and other employees.

The attack takes advantage of Google Authenticator's synchronization functionality

Retool uses one-time passwords (OTP) to authenticate to Google, Okta, an internal VPN, and internal Retool instances. The hackers managed to gain access to the MFA (Multi-Factor Authentication) tokens in the targeted employee's account and, consequently, to other internal systems. This was made possible by a recent Google Authenticator feature that syncs MFA codes to the cloud. In the case of the Retool employee, this feature was active, so once the Google account was compromised the hackers could obtain all of the targeted user's MFA codes.

The implications for corporate security and the use of deepfake

The Retool attack raises concerns about corporate security and the use of deepfakes as a social engineering tactic. US government agencies (CISA, FBI and NSA) recently published a report on the cybersecurity of deepfakes, highlighting how manipulated video, audio and text can be used for malicious purposes, including business email compromise attacks and cryptocurrency-related scams. It is important that companies review their multi-factor authentication practices and take additional security measures to protect their accounts and sensitive data.


09/15/2023 10:38

Editorial AI
