Cloud Synchronization Function Of Google Authenticator Is The Reason Of Fortress Hack

Key Points:

  • Retool reveals crypto thefts from 27 customers due to a Google Authenticator flaw.
  • The breach stemmed from an SMS phishing attack targeting Retool employees, granting attackers control over accounts.
  • Similarities with Scattered Spider’s tactics were observed; no unauthorized access to on-premises accounts was reported.

Software company Retool has disclosed details of a cyberattack that compromised 27 crypto customer accounts, resulting in millions of dollars in losses. The breach, which occurred on August 27, 2023, shed light on a critical vulnerability associated with Google Authenticator.

The attack exploits the Google Authenticator cloud sync function, effectively transforming multi-factor authentication into a single-factor system. The offender gained control of an Okta account and subsequently seized control of the associated Google account, which held all one-time passwords (OTPs) stored in Google Authenticator. This synchronization feature, previously considered secure, turned out to be a novel attack vector.
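Why a synced seed stops being a second factor, shown as an added example (not code from Retool, Google, or the original article): a TOTP code is a function of the shared seed and the clock only, so any device that restores the seed from a cloud backup produces codes the server cannot tell apart from the original phone's. The account label and the dict standing in for the cloud backup are assumptions made for illustration; the seed is the public RFC 6238 test seed.

```python
import hashlib
import hmac
import struct

RFC_SEED = b"12345678901234567890"  # RFC 6238 Appendix B test seed, not a real secret


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: output depends only on seed and time."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def server_accepts(enrolled_seed: bytes, code: str, unix_time: int,
                   window: int = 1, step: int = 30) -> bool:
    """Verifier side: checks the code against the enrolled seed for nearby
    time steps. Nothing in the check identifies which device made the code."""
    return any(
        hmac.compare_digest(totp(enrolled_seed, unix_time + d * step, step), code)
        for d in range(-window, window + 1)
    )


def synced_copy_is_equivalent(now: int = 1111111109) -> bool:
    """Model: the phone's seed store is copied to a cloud backup, then restored
    on a second device that is signed in to the same cloud account."""
    phone = {"internal-sso": RFC_SEED}      # constructed account label
    cloud_backup = dict(phone)              # what sync uploads (simplified)
    second_device = dict(cloud_backup)      # restore after account sign-in
    code = totp(second_device["internal-sso"], now)
    same_as_phone = code == totp(phone["internal-sso"], now)
    return same_as_phone and server_accepts(RFC_SEED, code, now)


def unsynced_device_fails(now: int = 1111111109) -> bool:
    """Without the seed, a device cannot produce an accepted code: possession
    of the seed, not of the phone, is what the server actually verifies."""
    wrong_seed = b"A" * 20                  # constructed stand-in for "no seed"
    return not server_accepts(RFC_SEED, totp(wrong_seed, now), now)


if __name__ == "__main__":
    print("restored device accepted:", synced_copy_is_equivalent())
    print("device without seed rejected:", unsynced_device_fails())
```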

The incident began with an SMS phishing attack aimed at Retool employees, in which threat actors posed as members of the IT team. Employees were urged to click on a seemingly legitimate link to address a payroll-related issue. An additional security flaw emerged when an employee enabled Google Authenticator’s cloud sync feature, granting threat actors elevated access to internal admin systems.

The attackers subsequently changed email addresses and reset passwords for 27 customers in the crypto industry, resulting in substantial losses, notably the theft of $15 million worth of cryptocurrency from Fortress Trust, as reported by CoinDesk.

While the exact identity of the hackers remains undisclosed, their tactics resemble those of a financially motivated threat actor known as Scattered Spider, recognized for employing sophisticated phishing techniques. Retool says that the breach did not grant unauthorized access to on-premises or managed accounts, and that it coincided with the company’s migration of logins to Okta.

Harold

With a passion for untangling the complexities of the financial world, I've spent over four years in financial journalism, covering everything from traditional equities to the cutting edge of venture capital. "The financial markets are a fascinating puzzle," I often say, "and I love helping people make sense of them." That's what drives me to bring clear and insightful financial journalism to the readers of Coincu.