In an alarming cyber-attack incident, a spear phishing attack on software provider Retool has put cryptocurrency assets worth $15 million in jeopardy. The attacker manipulated user emails and passwords on Retool, affecting 27 accounts; Retool’s on-premise customers were not impacted by this breach.
Unraveling the Deceptive Spear Phishing Attack
On August 27, Retool, a renowned software platform, was targeted by a well-orchestrated spear phishing attack. This attack resulted in unauthorized access for some of Retool’s cloud customers. The attacker cleverly executed an SMS-based phishing attack, posing as a member of the IT team to Retool’s employees.
The attacker used a deceptive pretext, claiming to resolve an issue related to payroll systems and open enrollment, thereby exploiting a critical concern for employees – healthcare coverage. The timing of the attack was well-planned, coinciding with the migration of logins to Okta, and the message contained a URL imitating Retool’s internal identity portal.
The Phishing Attack: A Closer Look
Although most employees did not interact with the fraudulent text, one unfortunate employee clicked on the link, leading to a bogus portal with multi-factor authentication (MFA) prompts. The attacker then initiated a phone call with the employee, using a deepfake voice to impersonate a Retool IT team member. The employee, despite growing suspicion, shared an additional MFA code, which allowed the attacker to add their device to the employee’s Okta account.
This gave the attacker access to an active GSuite session. Google had recently introduced a feature that syncs MFA codes to the cloud, which could compromise security, and the attacker took advantage of this weakness, helped by Google’s dark patterns that nudged users into MFA code syncing.
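The decisive step above is the attacker adding their own device to the employee’s Okta account minutes after signing in through the fake portal. The following is an added detection sketch, not code from this article or from Retool: it runs over constructed Okta-style events and flags an MFA-factor enrolment that occurs within minutes of a session started from an IP address the user has never used before. Event type names follow Okta System Log conventions; the sample events, baseline IPs and time window are assumptions.

```python
"""Flag MFA-factor enrolments that closely follow a login from a new source.

Constructed sample data; field names mimic Okta System Log events but none of
this is real Retool or Okta data.
"""
from datetime import datetime, timedelta

# Constructed historical baseline: IPs each user has previously signed in from.
KNOWN_IPS = {
    "alice@example.com": {"203.0.113.7"},
    "bob@example.com": {"203.0.113.7"},
}

# Constructed events: alice logs in from a never-seen IP, then a new MFA
# factor is activated on her account four minutes later (the suspicious case).
# bob activates a factor from his usual IP with no unfamiliar login (benign).
EVENTS = [
    {"published": "2023-08-27T18:02:10Z", "eventType": "user.session.start",
     "actor": "alice@example.com", "ip": "203.0.113.7"},
    {"published": "2023-08-27T18:02:45Z", "eventType": "user.session.start",
     "actor": "alice@example.com", "ip": "198.51.100.23"},
    {"published": "2023-08-27T18:06:30Z", "eventType": "user.mfa.factor.activate",
     "actor": "alice@example.com", "ip": "198.51.100.23"},
    {"published": "2023-08-27T18:40:00Z", "eventType": "user.mfa.factor.activate",
     "actor": "bob@example.com", "ip": "203.0.113.7"},
]


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_enrollments(events, known_ips, window=timedelta(minutes=15)):
    """Return one finding per factor activation preceded, within `window`,
    by a session start for the same user from an IP outside their baseline."""
    findings = []
    new_ip_logins = {}  # actor -> [(time, ip)] for logins from unknown IPs
    for ev in sorted(events, key=lambda e: e["published"]):
        actor, ip, t = ev["actor"], ev["ip"], _ts(ev["published"])
        if ev["eventType"] == "user.session.start":
            if ip not in known_ips.get(actor, set()):
                new_ip_logins.setdefault(actor, []).append((t, ip))
        elif ev["eventType"] == "user.mfa.factor.activate":
            for login_t, login_ip in new_ip_logins.get(actor, []):
                if timedelta(0) <= t - login_t <= window:
                    findings.append({"actor": actor, "login_ip": login_ip,
                                     "enrolled_at": ev["published"]})
                    break
    return findings


if __name__ == "__main__":
    for f in find_suspicious_enrollments(EVENTS, KNOWN_IPS):
        print("ALERT: new MFA factor after unfamiliar login:", f)
```

In a real deployment the baseline would come from weeks of session history and the window would be tuned to the organisation’s enrolment patterns, but the shape of the rule is the same.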
The Aftermath of the Attack
The breach’s implications extended to Retool’s internal systems, including VPN and admin systems, enabling an account takeover attack on specific customers, mainly from the crypto industry. In total, the attacker altered user emails and reset passwords, affecting 27 accounts.
Upon discovering the breach, Retool acted swiftly. It revoked all internal authenticated sessions, secured affected accounts, notified impacted customers, and restored their accounts to their original states. Notably, Retool’s on-premise customers remained unaffected, as the on-premises system operates independently of Retool’s cloud environment.
Retool confirmed that it was actively collaborating with law enforcement and a third-party forensics firm to investigate the breach. This incident serves as a reminder of the importance of constant vigilance and robust security measures in the digital world, especially for those involved in the cryptocurrency sector. To keep track of your crypto investments and stay updated on the latest cybersecurity threats, consider using applications like cryptoview.io.
