A data breach late last month of software development platform firm Retool led to the accelerated acquisition of one of its users and put a spotlight on an account synchronization feature that Google introduced earlier this year.
Retool, the six-year-old company whose platform helps organizations build business applications, on August 29 notified 27 customers of its cloud platform that two days earlier an unknown threat actor had gained unauthorized access to their accounts.
All of the companies notified were in the cryptocurrency space. No on-prem account holders were affected by the breach, the company said.
A number of employees received spear-phishing text messages from someone claiming to be a member of the San Francisco-based company’s IT team, according to Snir Kodesh, Retool’s head of engineering. The message said there was a problem with their accounts that would prevent open enrollment into a healthcare plan.
“The timing coincided with a recently announced migration of logins to Okta, and the message contained a [URL] disguised to look like our internal identity portal,” Kodesh wrote in a blog post this week. “Almost all employees didn’t engage, but unfortunately one employee logged into the link provided by the attackers.”
An Employee Clicks On the Link
The link led to a fake portal, which the employee logged into, that included a multi-factor authentication (MFA) form. The employee was then called by the attacker, who said they were from the IT team and deepfaked the voice of another employee. Deepfakes – which use deep learning techniques to create legitimate-looking but fake videos, images, or voices – have become a growing problem with the rise of advanced AI technologies.
“The voice was familiar with the floor plan of the office, coworkers, and internal processes of the company,” he wrote. “Throughout the conversation, the employee grew more and more suspicious, but unfortunately did provide the attacker one additional multi-factor authentication (MFA) code.”
Retool uses OTP (one-time password) tokens for MFA, so handing over that code enabled the attacker to add their own personal device to the employee’s Okta account, which in turn let them enroll their own Okta MFA factor. From there, the attacker created an active GSuite session on the device, Kodesh wrote.
Google’s Authenticator Syncing Feature
This is where Google’s new synchronization feature came in. In April, the cloud giant announced that users of its Google Authenticator tool could now sync their MFA codes to their Google Accounts in the cloud, a move designed to enable users to sign into any service protected by two-factor authentication even if they lost the device that stored the OTPs.
The Google syncing feature was active on the employee’s device.
“This is highly insecure, since if your Google account is compromised, so now are your MFA codes,” Kodesh wrote.
The security of the feature was debated by a number of users on a lengthy Reddit thread in April when it was first announced. There were questions about why the Authenticator sync wasn’t protected by end-to-end encryption (E2EE), with one user noting that “if there’s ever a data breach or if someone obtains access to your Google Account, all of your 2FA secrets would be compromised. … although syncing 2FA secrets across devices is convenient, it comes at the expense of your privacy.”
There also was frustration that, if a person turned on the syncing feature, there was no clear way to turn it off. It also was a point that Kodesh raised in his blog post. Retool uses OTPs to authenticate into Google and Okta, the company’s internal VPN, and its own internal instances of Retool.
“Getting access to this employee’s Google account therefore gave the attacker access to all their MFA codes,” Kodesh wrote. “With these codes (and the Okta session), the attacker gained access to our VPN, and crucially, our internal admin systems. This allowed them to run an account takeover attack on a specific set of customers (all in the crypto industry). (They changed emails for users and reset passwords.) After taking over their accounts, the attacker poked around some of the Retool apps.”
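The mechanism Kodesh describes follows directly from how TOTP works: a code is a function of only the shared seed and the current time, so any device holding a copy of the seed (including one restored from a cloud-synced account) produces codes the server cannot distinguish from the legitimate phone. The example below is added here to illustrate that point and is not code from Retool or Google; it implements RFC 6238 TOTP and shows that the only real remedy once a seed is exposed is to rotate it.

```python
import base64
import hashlib
import hmac
import secrets
import struct

# Constructed sample seed (base32, the form authenticator apps export); not a real account secret.
SYNCED_SEED_B32 = "JBSWY3DPEHPK3PXP"


def totp(seed_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 from a base32-encoded seed."""
    key = base64.b32decode(seed_b32.upper() + "=" * (-len(seed_b32) % 8))
    counter = struct.pack(">Q", unix_time // step)  # 8-byte big-endian time step
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify(seed_b32: str, code: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check: accept the code for the current step or +/- `window` steps."""
    for k in range(-window, window + 1):
        if hmac.compare_digest(totp(seed_b32, unix_time + 30 * k), code):
            return True
    return False


def code_from_synced_copy(seed_b32: str, unix_time: int) -> str:
    """A second device restored from the synced account holds an identical seed,
    so it emits exactly the code the employee's phone would; there is no per-device
    binding for the server to detect."""
    return totp(seed_b32, unix_time)


def rotate_seed() -> str:
    """Mitigation after exposure: issue a fresh random seed so copies of the old
    one stop producing accepted codes. Returns the new base32 seed."""
    return base64.b32encode(secrets.token_bytes(20)).decode().rstrip("=")


if __name__ == "__main__":
    now = 1_700_000_000  # constructed timestamp
    stolen = code_from_synced_copy(SYNCED_SEED_B32, now)
    print("synced copy accepted:", verify(SYNCED_SEED_B32, stolen, now))   # True
    new_seed = rotate_seed()
    print("after rotation:", verify(new_seed, stolen, now))                 # False
```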
Kodesh added that Retool has contacted Google about the problem, saying the hyperscaler should either stop encouraging users to save their MFA codes in the cloud or give organizations the ability to disable the feature.
After learning of the attack, Retool quickly revoked all internal employee authenticated sessions, including Okta and GSuite, shut down access to the affected accounts, notified impacted customers, and restored the accounts to their original state, which Kodesh said reverted the 27 account takeovers.
A Shotgun Wedding
Retool – whose customers include such names as Amazon, DoorDash, and NBC – didn’t name any of the affected businesses, but reportedly one of them was Fortress Trust, a Web3 financial and technology company that saw $15 million in Bitcoin stolen from its customers. Fortress Trust executives, when announcing the theft last week, put the blame on an unnamed third-party company.
It later was reported that the third-party firm was Retool. The data breach also had another immediate effect on Fortress Trust. Prior to the breach, there were reports that Ripple – a blockchain tech company and an investor in Fortress Trust – was interested in buying them.
Ripple announced on September 8 – the day after Fortress Trust announced the $15 million theft – its intent to buy Fortress Trust and a Ripple spokesperson told CoinDesk the theft accelerated those talks.
Retool’s Kodesh wrote that the data breach is “embarrassing for the employee, disheartening to cybersecurity professionals, and infuriating for our customers,” but that it’s important for the details to come out.
“Our hope is that by publishing these attack vectors we can make the industry overall more aware, and enable cybersecurity professionals to harden their own systems,” he wrote.