
Retool developer platform compromised in vishing attack


Developer platform Retool has disclosed a breach last month that began with SMS phishing and a vishing call against its employees and affected 27 of its cloud customers. In a blog post the company said it was targeted in a spear phishing attack on August 27 in which a threat actor posed as a member of IT and used SMS-based phishing to harvest credentials, ultimately taking over one Retool employee's account.

Retool notified all 27 affected cloud customers on August 29 and confirmed that no on-premises accounts were affected. The attack began with targeted text messages to multiple employees, using supposed problems with their accounts and healthcare coverage as bait. The messages carried a URL that mimicked Retool's internal identity portal; one employee followed it, entered their credentials on the fake login page and then completed the multi-factor authentication (MFA) form it presented, handing both password and a first MFA code to the attacker.

The attack escalated when the threat actor phoned the targeted employee, armed with detailed knowledge of the organization. The caller claimed to be a member of the IT team and used a deepfake of a real Retool employee's voice. The impersonator was familiar with the office layout, the employee's colleagues and internal processes, which made the request seem legitimate. Despite growing suspicions, the employee provided the attacker with an additional MFA code.

Retool uses Okta for authentication, and the additional MFA code given to the attacker was a one-time password. That single code was enough to enroll an attacker-controlled device as a new factor on the employee's Okta account, after which the attacker could generate their own MFA codes at will and no longer needed the victim's cooperation. The attacker-enrolled device also obtained an active Google Workspace session for the employee.

With access to the employee's Google account, the attacker obtained all of the employee's MFA codes, which let them reach Retool's VPN and internal administrator systems. Inside those systems the attacker changed email addresses on user accounts, reset passwords and viewed Retool applications.

Retool attributed the extent of the breach to Google Authenticator's cloud synchronization of MFA secrets. Google added the sync feature in response to user complaints about losing codes when a device with Google Authenticator installed was lost or stolen. Security researchers raised concerns at launch, in particular that the synchronized secrets were not end-to-end encrypted. The practical consequence is that once TOTP seeds are synced, whoever controls the Google account holds a copy of every seed, so the "second" factor collapses into the first.

According to Snir Kodesh, head of engineering at Retool, "Getting access to this employee's Google account therefore gave the attacker access to all their MFA codes. With these codes (and the Okta session), the attacker gained access to our VPN, and crucially, our internal admin systems. This allowed them to run an account takeover attack on a specific set of customers (all in the crypto industry)."

CoinDesk, a reputable cryptocurrency news outlet, reported that the recent attack on cryptocurrency firm Fortress Trust was connected to the Retool breach. Fortress Trust disclosed last week that four customers were impacted by a third-party vendor whose cloud tools were compromised. CoinDesk confirmed that the unnamed vendor was Retool.

In response, Retool immediately revoked all internal authenticated sessions for employees and restricted access to the 27 affected accounts, which have since been restored and secured. The company is working with law enforcement on the investigation. Retool stressed that only its cloud environment was affected; customers' on-premises deployments are separate from that environment and were not touched.

Retool added that most of its customers in sensitive industries such as cryptocurrency, healthcare and finance run its self-hosted on-premises product, and it encouraged other customers to consider that option.

Social engineering attacks, including phishing and vishing campaigns, have become increasingly prevalent in recent years. Cyber insurance provider Coalition reported that 76% of all claims in the second half of 2022 were attributed to phishing attacks. Notably, Okta also disclosed earlier this month that four customers were compromised in a social engineering attack, where attackers impersonated IT personnel and convinced customers to reset their MFA factors.

Retool had not responded to requests for further comment at the time of reporting.
