Fortress Trust had $15 million stolen from it as a consequence of a breach at Retool, disclosed recently, in which Google Authenticator's cloud sync feature played a central role.
Retool has disclosed vital details regarding a recent security incident that compromised 27 cryptocurrency accounts. In this incident, a staggering $15 million worth of cryptocurrency was stolen from Fortress Trust after an attacker abused the Google Authenticator cloud sync function to gain control. Once the attacker had seized control of the victim's Google account, every one-time-password secret stored in Google Authenticator was available to them.
The Security Breach
Retool, a software development company, disclosed a recent security breach that affected 27 of its cloud customers. The intrusion, which resulted from a targeted SMS-based social engineering attack, has caused significant concern within the cybersecurity community.
San Francisco-based Retool identified the Google Authenticator cloud synchronization feature, introduced in April 2023, as a "dark pattern" that aggravated the situation. According to Snir Kodesh, director of engineering at Retool, syncing Google Authenticator to the cloud has emerged as a novel and unanticipated attack vector.
This development caught them by surprise: they had implemented multi-factor authentication, but, unbeknownst to administrators, it had silently reverted to single-factor authentication as a result of a Google update, since the one-time codes now depended on the same Google account an attacker could take over.
This alarming incident occurred on August 27, 2023. While it did not result in unauthorized access to on-premises or managed accounts, it did occur concurrently with Retool’s log-in migration to Okta, a crucial element of the narrative.
A Closer Look at the Retool Cyber Attack
The cyberattack began with a targeted SMS phishing attack against Retool's employees. Threat actors posed as IT team members, instructing recipients to click a seemingly legitimate link to resolve a fictitious payroll-related issue. One unfortunate employee fell victim to this phishing scheme, landing on a deceptive page that tricked them into divulging their login credentials.
According to a recent statement, the situation deteriorated after the employee activated the cloud sync feature of Google Authenticator. This provided the threat actors with elevated access to Retool’s internal administrative systems, compromising 27 cryptocurrency industry customer accounts.
In a devastating blow, one of these clients, Fortress Trust, recently acquired by Ripple, lost a staggering amount of cryptocurrency, nearly $15 million.
This sophisticated attack demonstrates the vulnerability of syncing one-time codes to the cloud, underscoring the need for FIDO2-compliant hardware security keys to thwart phishing attempts.
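The two mechanisms contrasted above can be modelled in a few dozen lines. The following is an added example, not code from Retool, Google or Fortress Trust: it implements RFC 6238 TOTP verification with the standard library, shows that whoever holds the synced seed (or relays a freshly typed code) passes the check, and then shows why an origin-bound assertion of the kind FIDO2/WebAuthn produces is rejected when it is generated on a phishing page. The relying-party origin, the credential key and the challenge are constructed values, and the assertion "signature" is an HMAC stand-in for the real asymmetric signature (an assumption made to keep the example dependency-free).

```python
"""Why a synced TOTP seed is a single factor, and why origin binding resists relay.

Added example; not the code of any party named in the article. The
origin-bound signature is an HMAC stand-in for a real public-key signature.
"""
import hashlib
import hmac
import json
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP keyed on the current 30-second window."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Server-side check that tolerates one window of clock skew either way."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, at + drift * 30), code):
            return True
    return False


# Constructed seed (the RFC 6238 test-vector secret). In the incident described
# above the equivalent seeds were synced to the compromised Google account.
SEED = b"12345678901234567890"


def seed_alone_yields_valid_code(at: int) -> bool:
    """Holding the synced seed is enough to produce a code the server accepts."""
    return verify_totp(SEED, totp(SEED, at), at)


def relayed_totp_passes(at: int) -> bool:
    """A code typed into a phishing page and forwarded is indistinguishable."""
    victim_code = totp(SEED, at)   # typed by the victim on the phishing page
    return verify_totp(SEED, victim_code, at)  # forwarded to the real login


# Origin-bound assertion, simplified from the WebAuthn flow.
REAL_ORIGIN = "https://login.example.com"   # constructed relying-party origin
CRED_KEY = b"constructed-credential-key"    # stand-in for the private key


def browser_assertion(challenge: bytes, page_origin: str) -> dict:
    """The browser signs the challenge together with the origin it is on.
    The user never types the origin, so a phishing page cannot substitute it."""
    client_data = json.dumps(
        {"challenge": challenge.hex(), "origin": page_origin}, sort_keys=True
    ).encode()
    sig = hmac.new(CRED_KEY, client_data, hashlib.sha256).hexdigest()
    return {"client_data": client_data, "sig": sig}


def verify_assertion(assertion: dict, challenge: bytes) -> bool:
    """Relying party rejects any assertion whose origin or challenge differs."""
    data = json.loads(assertion["client_data"])
    if data["origin"] != REAL_ORIGIN or data["challenge"] != challenge.hex():
        return False
    expected = hmac.new(CRED_KEY, assertion["client_data"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, assertion["sig"])


def relayed_assertion_passes() -> bool:
    """Assertion generated on a look-alike phishing origin, then relayed."""
    challenge = b"\x01" * 32  # constructed server challenge
    fake = browser_assertion(challenge, "https://login-example.com.evil.test")
    return verify_assertion(fake, challenge)


def legitimate_assertion_passes() -> bool:
    challenge = b"\x02" * 32  # constructed server challenge
    return verify_assertion(browser_assertion(challenge, REAL_ORIGIN), challenge)


if __name__ == "__main__":
    now = int(time.time())
    print("synced seed alone passes TOTP:", seed_alone_yields_valid_code(now))
    print("relayed TOTP code passes:     ", relayed_totp_passes(now))
    print("relayed origin-bound passes:  ", relayed_assertion_passes())
    print("legitimate origin-bound passes:", legitimate_assertion_passes())
```

The first two scenarios return True because TOTP has no notion of where the code was typed: the seed is the whole secret, so syncing it to an account that can itself be phished leaves one factor, not two. The third returns False because the signed client data carries the page origin the browser observed, which the relying party compares against its own.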
Although the hackers’ identities remain unknown, their tactics are strikingly similar to those of Scattered Spider (aka UNC3944), a financially motivated threat actor notorious for its sophisticated phishing campaigns.
In addition, deepfake technology and synthetic media have raised alarms at the U.S. government level, with warnings of their potential exploitation in various malicious activities, such as business email compromise (BEC) attacks and cryptocurrency scams.
This incident serves as a stark reminder of the evolving and ubiquitous nature of cyber threats in the digital landscape of the present day.