Crypto worth $15 mln at risk amidst phishing attack on software provider

• The attacker altered user emails and reset passwords on Retool, affecting 27 accounts.
• However, Retool’s on-premise customers remained unaffected by the attack.

Retool, a prominent software platform, fell victim to a spear phishing attack on 27 August, putting cryptocurrency worth $15 million at risk. While it led to unauthorized access for some cloud customers, Retool promptly took action to address the breach.

The attacker exploited an SMS-based phishing attack, targeting Retool employees. By sending fraudulent texts, the attacker posed as a member of the IT team, claiming to address an issue related to payroll systems and open enrollment, thus leveraging a critical point of concern for employees: healthcare coverage.

The timing coincided with the migration of logins to Okta, and the message contained a URL that mimicked Retool’s internal identity portal.

Unmasking deceptive tactics in the attack

While most employees refrained from engaging with the text, one unfortunate employee clicked on the link, leading to a fake portal, complete with multi-factor authentication (MFA) prompts.

Subsequently, the attacker initiated a phone call with the employee, using a deepfake voice that resembled a Retool IT team member. During the conversation, the employee grew increasingly suspicious, but still shared an additional MFA code.

This additional code allowed the attacker to add their device to the employee’s Okta account. Adding the device granted them access to an active GSuite session.

Notably, Google had recently introduced a feature that syncs MFA codes to the cloud, potentially compromising security. The attacker capitalized on this vulnerability, enabled by Google’s dark patterns that encouraged MFA code syncing.

The breach’s impact extended to Retool’s internal systems, including VPN and admin systems, enabling an account takeover attack on specific customers, primarily from the crypto industry.

The attacker altered user emails and reset passwords, affecting 27 accounts in total.

Upon discovering the breach, Retool took swift action. It revoked all internal authenticated sessions, securing affected accounts, notifying impacted customers, and restoring their accounts to their original states.

Remarkably, Retool’s on-premise customers remained unaffected, as the on-premises system operates independently of Retool’s cloud environment.

The company confirmed that it was actively collaborating with law enforcement and a third-party forensics firm to investigate the breach.