18 September 2023

DevOps firm Retool hit with SMS-based phishing attack


DevOps firm Retool hit with SMS-based phishing attack

Software development company Retool disclosed it suffered a security incident involving an SMS-based phishing attack that affected the cloud accounts of some of its customers.

The company said the breach took place on August 29, 2023, with the attacker tricking one of its employees into clicking on a phishing link sent in a text message.

“Several employees received targeted texts, claiming that a member of IT was reaching out about an account issue that would prevent open enrollment (which affects the employee’s healthcare coverage). The timing coincided with a recently announced migration of logins to Okta, and the message contained a url disguised to look like our internal identity portal. Almost all employees didn’t engage, but unfortunately one employee logged into the link provided by the attackers,” the company explained.

The employee has activated Google Authenticator's cloud sync feature which allowed the threat actor to gain elevated access to the company’s internal admin systems and commandeer the accounts belonging to 27 customers in the crypto industry. As per media reports, one of the victims, financial infrastructure company Fortress Trust, lost $15 million worth of customers’ cryptocurrency due to the Retool incident.

“The fact that Google Authenticator syncs to the cloud is a novel attack vector. What we had originally implemented was multi-factor authentication. But through this Google update, what was previously multi-factor-authentication had silently (to administrators) become single-factor-authentication, because control of the Okta account led to control of the Google account, which led to control of all OTPs stored in Google Authenticator,” Retool noted in a blog post.

In related news, another DevOps company, Rollbar, informed customers of a data breach impacting its data warehouse. The attackers initially tried to launch compute resources but then that failed started nosing around for Bitcoin wallets or other cloud credentials and data.

 

Back to the list

Latest Posts

Cyber Security Week in Review: May 24, 2024

Cyber Security Week in Review: May 24, 2024

In brief: Google fixes Chrome zero-day, a backdoor found in JAVS software, and more.
24 May 2024
Chinese APTs increasingly using ORB networks to mask attack infrastructure

Chinese APTs increasingly using ORB networks to mask attack infrastructure

Mandiant reports that it is actively monitoring several ORB networks, with the most notable being SPACEHOP and FLORAHOX.
23 May 2024
Threat actors exploit vulnerable drivers to disable EDRs in cryptojacking attack

Threat actors exploit vulnerable drivers to disable EDRs in cryptojacking attack

Ghostengine deploys several modules to tamper with security tools, establish a backdoor, and ensure software updates are in place.
22 May 2024