A recently introduced Google account sync feature has been blamed by software development firm Retool after sophisticated hackers gained access to its systems and targeted over two dozen of its customers from the cryptocurrency sector.
Retool is a San Francisco, California-based company that provides a development platform designed for building custom business tools without the need for advanced programming skills. Its customers include major companies such as Amazon, DoorDash, Unity, NBC, Mercedes-Benz, Volvo, Lyft and Peloton.
The company revealed this week that 27 of its cloud customers were notified in late August that there had been unauthorized access to their accounts. Retool said on-prem and managed accounts were not impacted.
Hackers launched account takeover attacks against these customers, changing user emails and resetting passwords. All of the victims were from the cryptocurrency industry.
Retool said the attack was quickly detected and the company rushed to take action to revert the 27 account takeovers.
However, CoinDesk reported that at least one customer, Fortress Trust, had $15 million worth of cryptocurrency stolen as a result of the attack.
The sophisticated attack started with SMS-based spear phishing aimed at Retool employees. The messages, received by several employees, appeared to come from a member of the company’s IT team and instructed recipients to access a legitimate-looking link in order to address some payroll and open enrollment (healthcare-related) issues.
Only one employee fell for the attack and accessed the link, which led them to a phishing page that tricked them into handing over their credentials and multi-factor authentication (MFA) data.
The hackers then followed up with a phone call in which they deepfaked an employee’s actual voice. The person making the call raised some suspicion, but ultimately the employee did provide the attacker an additional MFA code that they needed. The attacker was convincing because they were familiar with the office’s floor plan, internal processes, and other employees.
“The additional OTP token shared over the call was critical, because it allowed the attacker to add their own personal device to the employee’s Okta account, which allowed them to produce their own Okta MFA from that point forward. This enabled them to have an active GSuite session on that device,” Retool explained in a blog post.
The company said it uses one-time passwords (OTPs) for authentication to Google, Okta, an internal VPN, and internal Retool instances. The attacker was able to obtain access to all the MFA tokens in the targeted employee’s account — and then access internal systems — due to a recently launched Google Authenticator feature that syncs MFA codes to the cloud.
If the feature is active — it was active in the case of the Retool employee — hackers can obtain all of the targeted user’s MFA codes if their Google account is compromised.
“If you install Google Authenticator from the app store directly, and follow the suggested instructions, your MFA codes are by default saved to the cloud. If you want to disable it, there isn’t a clear way to ‘disable syncing to the cloud’, instead there is just a ‘unlink Google account’ option. In our corporate Google account, there is also no way for an administrator to centrally disable Google Authenticator’s sync ‘feature’,” Retool complained.
“The fact that Google Authenticator syncs to the cloud is a novel attack vector,” Retool noted. “What we had originally implemented was multi-factor authentication. But through this Google update, what was previously multi-factor-authentication had silently (to administrators) become single-factor-authentication, because control of the Okta account led to control of the Google account, which led to control of all OTPs stored in Google Authenticator.”
It’s unclear who is behind the attack, but the incident seems to have some similarities to recent attacks attributed to a financially motivated threat group tracked as 0ktapus, Scattered Spider and UNC3944. The group is known for its sophisticated social engineering tactics, the use of SMS-based phishing messages, and the targeting of cryptocurrency firms. The same gang also appears to be behind the recent highly disruptive attack on MGM Resorts.
Regarding the use of deepfakes for social engineering, this seems to be an increasingly popular tactic. US agencies CISA, FBI and NSA this week published a cybersecurity report on deepfakes, warning that video, audio and text deepfakes can be used for a wide range of malicious purposes, including business email compromise (BEC) attacks and cryptocurrency scams.
UPDATE: Google has provided SecurityWeek the following statement:
“Our first priority is the safety and security of all online users, whether consumer or enterprise, and this event is another example of why we remain dedicated to improving our authentication technologies. Beyond this, we also continue to encourage the move toward safer authentication technologies as a whole, such as passkeys, which are phishing resistant. Phishing and social engineering risks with legacy authentication technologies, like ones based on OTP, are why the industry is heavily investing in these FIDO-based technologies. While we continue to work toward these changes, we want to ensure Google Authenticator users know they have a choice whether to sync their OTPs to their Google Account, or to keep them stored only locally. In the meantime, we’ll continue to work on balancing security with usability as we consider future improvements to Google Authenticator.”