
Cyber Society

Social Engineering Attack on Google

by Darsh Poddar on Sep 17, 2023

Tags: Social Engineering, Data Breach

A Precise Cyberattack Unfolds

In the ever-evolving landscape of cybersecurity, a recent incident has left the tech world astir. The software firm Retool, renowned for its development platform used by a diverse range of entities, found itself at the center of a targeted and intricate social engineering attack. The attack compromised the accounts of 27 of its cloud customers, including industry giants like Amazon, Mercedes-Benz, DoorDash, NBC, Stripe, and Lyft. The scheme unfolded with chilling precision, revealing the audacity and cunning of modern cybercriminals.

Cryptocurrency Industry Takes a Hit

The revelation of this cyberattack comes from Snir Kodesh, the Head of Engineering at Retool, who disclosed that all of the compromised accounts belonged to customers within the cryptocurrency industry. The breach, which unfolded on August 27, was a well-orchestrated blend of SMS phishing and social engineering tactics, carefully designed to bypass multiple layers of security controls.

Deception Unleashed

The attackers initiated their assault by deploying a deceptive URL disguised as Retool's internal identity portal during a scheduled migration of logins to Okta. While most of the targeted employees were cautious enough to dismiss the phishing text messages, one employee clicked through and landed on the fake login portal. Here, the attackers took their deception a step further: using deepfake technology to mimic an employee's voice, they coaxed the targeted employee into handing over an additional multi-factor authentication code, thus gaining access to the Okta account.

An Unexpected Vulnerability

What is particularly striking about this breach is that it owes its success to an unexpected vulnerability. Retool attributed it to a new feature in Google Authenticator that allows 2FA codes to be synchronized with a Google account. While this feature was highly sought-after, it inadvertently exposed all of the 2FA codes to the hacker, effectively reducing the security from multi-factor to single-factor authentication.

A Full-Scale Account Takeover

With access to the Okta account, the attackers infiltrated the VPN and critical internal admin systems, orchestrating a full-scale account takeover within the cryptocurrency industry. Once inside, they wasted no time altering email addresses, resetting passwords, and exploring Retool apps at will.

Swift Response and Recommendations

In response to this breach, Google emphasized its commitment to enhancing authentication technologies. It encouraged the adoption of phishing-resistant methods like passkeys and advocated migrating from legacy one-time password multi-factor authentication to FIDO-based technology. Retool, for its part, acted swiftly upon discovering the breach. It promptly revoked all internal employee authenticated sessions, including Okta and G Suite. Access to the compromised accounts was restricted, and affected cloud customers were notified, with their accounts being restored to their original configurations.

Government Caution and Cybersecurity Responsibility

Additionally, U.S. Federal Agencies have weighed in on the issue, cautioning against the use of deepfakes in social engineering attacks. They have recommended the adoption of advanced technologies designed to detect and counter deepfake attempts when it comes to accessing sensitive information and networks.

This incident serves as a stark reminder of the growing threat posed by social engineering attacks targeting IT service personnel. It is an approach that threat actors have adopted across various sectors, from tech giants like Cisco and Uber to hospitality businesses like MGM Resorts. It underscores the fact that cybersecurity is everyone's responsibility, whether you are a technical expert or a non-technical user. Stay tuned for more updates on how to stay safe in the digital world.