Sep 18, 2023 Frank Stewskid

Retool's SMS Phishing Attack Exposes Crypto Clients: $15M Theft Highlights Cloud Sync Vulnerability

San Francisco-based software development company Retool has disclosed a security incident in which 27 customers of its cloud-hosted platform, all of them in the crypto industry, were compromised. The intrusion began with a targeted SMS phishing (smishing) campaign against Retool employees and was made far worse by the cloud synchronization feature that Google added to its Authenticator app earlier this year. One of the affected customers, Fortress Trust, reportedly lost close to $15 million in cryptocurrency as a result.

The phishing attack began with SMS messages sent to Retool employees. Posing as a member of the company's IT team, the attacker urged recipients to click a link about a payroll issue. One employee did, and entered their login credentials on a look-alike landing page.

The attackers then called the phished employee, using a deepfaked voice that imitated a member of the IT team, and talked them into handing over a multi-factor authentication (MFA) code. Credentials plus that single code were enough to log in and enroll an attacker-controlled device in the employee's Okta account, after which the attackers could satisfy Okta's MFA prompts on their own.

What turned a single compromised login into a company-wide problem was Google Authenticator's cloud sync feature. Because it was enabled, the one-time-password seeds stored in the app had been copied to the employee's Google account, so the attackers' active Google session gave them every OTP code tied to that account, including the ones protecting Retool's internal admin systems. With that access they took over 27 customer accounts, changing the associated email addresses and resetting passwords.
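The mechanism behind that escalation is worth seeing in code. A TOTP code is a deterministic function of a shared seed and the current time (RFC 6238 on top of RFC 4226), so anyone who obtains a copy of the seed, for instance from a cloud-synced authenticator, produces exactly the codes the victim's phone does and the relying party cannot tell the two apart. The following is an added illustration, not code from Retool or from Google; the seed is the RFC 6238 test-vector secret and the timestamps and "victim"/"attacker" roles are constructed for the example.

```python
"""Why a cloud-synced TOTP seed collapses MFA into a single factor.

Added illustration: RFC 6238 TOTP implemented from scratch over RFC 4226 HOTP.
The seed below is the RFC 6238 test-vector secret (ASCII "12345678901234567890"),
constructed for the example; the victim/attacker roles are hypothetical.
"""
import base64
import hashlib
import hmac
import struct
import time

# Base32 form of the RFC 6238 test seed; a real seed is a random 10-20 byte value.
SEED_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(seed_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    key = base64.b32decode(seed_b32.upper() + "=" * (-len(seed_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte selects 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(seed_b32, at // step, digits)


def verify_totp(seed_b32: str, code: str, at: int, window: int = 1, step: int = 30) -> bool:
    """Relying-party check: accept the code for the current step and +/- `window`
    neighbouring steps to tolerate clock drift; compare in constant time."""
    for skew in range(-window, window + 1):
        if hmac.compare_digest(totp(seed_b32, at + skew * step, step), code):
            return True
    return False


def synced_copy_passes(seed_b32: str, at: int) -> bool:
    """Model of the attack: the attacker holds a copy of the seed lifted from the
    synced Google account. Both sides derive the identical code at the same time,
    and the server accepts it; the 'something you have' factor is gone."""
    victim_phone_code = totp(seed_b32, at)
    attacker_code = totp(seed_b32, at)           # same seed, same clock, same code
    return victim_phone_code == attacker_code and verify_totp(seed_b32, attacker_code, at)


if __name__ == "__main__":
    now = int(time.time())
    print("victim's phone :", totp(SEED_B32, now))
    print("attacker's copy:", totp(SEED_B32, now))
    print("server accepts attacker's code:", synced_copy_passes(SEED_B32, now))
```

The contrast with a FIDO2 key is that its private key never leaves the authenticator and each assertion is signed over the origin of the site requesting it, so there is no seed to sync and a look-alike phishing page receives nothing it can replay.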

Snir Kodesh, Retool’s Head of Engineering, spoke on the issue, saying, "Our initial security measure was multi-factor authentication. However, Google's update transformed what was essentially dual-factor protection into a single-factor one without administrators noticing."

The incident points to a broader problem that affects crypto and traditional finance alike: a compromise at one vendor propagates through the interconnected systems that depend on it. Although Fortress Trust holds billions of dollars in customer assets, the comparatively "small" $15 million loss was enough to accelerate its acquisition by Ripple, which reportedly advanced the same amount to cover the losses so that all affected customers were made whole within a week.

The attack underlines the case for phishing-resistant MFA such as FIDO2/WebAuthn hardware security keys: their credentials are bound to the origin that registered them, so a look-alike login page cannot obtain a usable assertion, and their private keys cannot be exported or synced. It is also a reminder that one-time-password (OTP) seeds synced to a cloud account are only as secure as that account, and that an attacker with a session on the account effectively holds a second copy of every authenticator.

The tradecraft in this breach, targeted smishing of employees, impersonation of IT staff and social engineering of MFA codes, is consistent with the financially motivated threat actor tracked as Scattered Spider (also UNC3944), although the group's involvement has not been confirmed.

A recent joint advisory from the NSA, FBI and CISA also warned about the use of deepfakes to compromise business communications, including voice impersonation of the kind used here, and their growing role in attacks on cryptocurrency holdings.

In a landscape often hailed for its promise of decentralization and user-empowered financial sovereignty, incidents like these serve as poignant reminders. They silently question the layers of intermediation we are increasingly seeing, despite a foundational ethos that seeks to minimize such dependencies. As we navigate this complex interplay of technology and trust, let it be a nudge towards introspection on what the core tenets of crypto truly entail—especially when the stakes are as high as they've ever been.



Last updated: Sep 18, 2023
