
Retool’s Breach: A Wake-Up Call to Cyber Threats Via SMS Phishing

Recent incidents in the digital landscape highlight the ever-evolving nature of cyber threats. Notably, software development giant, Retool, fell prey to an SMS-based phishing scheme, leading to the compromise of 27 of its cloud client accounts.

The Incident in Detail:

San Francisco-based Retool revealed that the breach was made possible by a cloud synchronization feature that Google introduced in April 2023. That feature unintentionally turned what had been a multi-factor authentication system into, in effect, a single-factor one, and this oversight magnified the severity of the breach.

The breach on August 27, 2023, started with a simple SMS phishing attack in which the attackers posed as IT team members. They sent Retool’s employees a seemingly authentic link about a ‘payroll issue’. One employee fell for it and entered their credentials on a fake landing page. It didn’t end there: a follow-up call using a deepfaked voice tricked the employee into handing over the multi-factor authentication (MFA) code. With this, the attackers gained a clear pathway to the G Suite session on the compromised device.

The cloud sync feature in Google Authenticator, which the employee had activated, further paved the way for the attackers. They accessed Retool’s internal admin systems, taking control of 27 crypto industry customer accounts. In a major aftermath, Fortress Trust, one of these clients, lost a staggering $15 million in cryptocurrency.

Deeper Dive: The Implications

This sophisticated attack exposes a fundamental flaw. By syncing OTPs to the cloud, we undermine the very principle of MFA – “something the user has.” To genuinely counteract such phishing attempts, a shift towards FIDO2-compliant hardware security keys or passkeys becomes imperative.
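To make that point concrete, here is an added example (not code from the article, Retool or Google): an RFC 6238 TOTP code is bound only to a secret and a time window, so a code read out over the phone is accepted by the real service within the same window, whereas a FIDO2/WebAuthn assertion carries the browser-written origin and a hash of the relying-party ID, so a response relayed from a lookalike domain fails the verifier. The origins, challenge and lookalike domain are constructed; the secret is the RFC 6238 test-vector secret; signature verification is deliberately omitted.

```python
import hashlib
import hmac
import json
import struct

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: depends only on the shared secret and time, never on the site."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"

def totp_relay_accepted(secret: bytes, captured_at: int, replayed_at: int) -> bool:
    """A code read out to a caller or typed into a lookalike page is exactly what
    the real service expects for the rest of the 30-second window."""
    return hmac.compare_digest(totp(secret, captured_at), totp(secret, replayed_at))

def verify_assertion(client_data_json: bytes, auth_data: bytes, expected_origin: str,
                     rp_id: str, expected_challenge: str) -> bool:
    """WebAuthn assertion checks that defeat relay: the browser, not the user, writes the
    origin, and the authenticator binds the response to SHA-256(rpId). The signature over
    authData || SHA-256(clientDataJSON) is not verified here; a real verifier must do so."""
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get" or client.get("challenge") != expected_challenge:
        return False
    if client.get("origin") != expected_origin:
        return False                      # response came from a different origin
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False                      # credential scoped to another relying party
    return bool(auth_data[32] & 0x01)     # UP flag: user presence was checked

# Constructed sample messages for the demo (not captured traffic).
def make_client_data(origin: str, challenge: str) -> bytes:
    return json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()
def make_auth_data(rp_id: str, flags: int = 0x05, sign_count: int = 1) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)

def demo() -> dict:
    secret = b"12345678901234567890"                 # RFC 6238 test-vector secret
    challenge, origin, rp = "Y29uc3RydWN0ZWQ", "https://login.example.com", "example.com"
    genuine = make_client_data(origin, challenge)
    phished = make_client_data("https://login.example-payroll.com", challenge)  # lookalike
    auth = make_auth_data(rp)
    return {
        "totp_captured_at_35s_replayed_at_55s": totp_relay_accepted(secret, 35, 55),
        "fido2_genuine_accepted": verify_assertion(genuine, auth, origin, rp, challenge),
        "fido2_relayed_rejected": not verify_assertion(phished, auth, origin, rp, challenge),
    }
```

Run `demo()` to see the three outcomes side by side; the RFC 6238 vector at time 59 yields the 6-digit code 287082.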

Evidence suggests the tactics used in this breach resemble those of Scattered Spider (also tracked as UNC3944), a group notorious for its refined phishing strategies. Mandiant’s recent findings indicate this group’s penchant for tailoring phishing campaigns using details gathered from compromised environments.

Furthermore, the U.S. government has issued warnings about the rise in the use of deepfakes for malicious purposes, from business email compromises to crypto scams.

Isogent’s Takeaway:

This incident serves as a stark reminder of the changing dynamics in cyber threats. As businesses, it’s crucial to:

  1. Educate and Train: Regularly update and train staff about the latest phishing methods.
  2. Reassess Security Measures: Regularly review and adapt security measures, especially when third-party features get updated.
  3. Stay Updated: Keep abreast of global cybersecurity incidents and adapt defenses accordingly.
  4. Hardware Security: Consider adopting FIDO2-compliant hardware security methods.
  5. Regular Backups: Ensure critical data is backed up and stored securely.

In an era where cyber-attacks are getting increasingly sophisticated, staying proactive is the key. At Isogent, we’re committed to helping organizations stay a step ahead in the cybersecurity landscape.
