According to Coincu, software company Retool has disclosed details of a cyberattack that compromised 27 crypto customer accounts, resulting in millions of dollars in losses. The breach, which occurred on August 27, 2023, exposed a critical vulnerability associated with Google Authenticator.
The attack exploited the Google Authenticator cloud sync function, effectively transforming multi-factor authentication into a single-factor system. The attacker gained control of an Okta account and subsequently seized control of the associated Google account, which held all one-time passwords (OTPs) stored in Google Authenticator. This synchronization feature, previously considered secure, turned out to be a novel attack vector.
The incident began with an SMS phishing attack aimed at Retool employees, where threat actors posed as members of the IT team. Employees were forced to click on a seemingly legitimate link to address a payroll-related issue. An additional security flaw emerged when an employee enabled Google Authenticator's cloud sync feature, granting threat actors elevated access to internal admin systems. The attackers subsequently changed email addresses and reset passwords for 27 customers in the crypto industry, resulting in substantial losses, notably the theft of $15 million worth of cryptocurrency from Fortress Trust, as reported by CoinDesk.
While the exact identity of the hackers remains undisclosed, their tactics resemble those of a financially motivated threat actor known as Scattered Spider, recognized for employing sophisticated phishing techniques. Retool assures that the breach did not grant unauthorized access to on-premises or managed accounts and coincided with the company's migration of logins to Okta.