Retool blames breach on Google Authenticator MFA cloud sync feature

[Gandalf_The_Grey]

Content source

https://www.bleepingcomputer.com/news/security/retool-blames-breach-on-google-authenticator-mfa-cloud-sync-feature/

Software company Retool says the accounts of 27 cloud customers were compromised following a targeted and multi-stage social engineering attack.

Retool's development platform is used to build business software by companies ranging from startups to Fortune 500 enterprises, including Amazon, Mercedes-Benz, DoorDash, NBC, Stripe, and Lyft.

Snir Kodesh, Retool's head of engineering, revealed that all hijacked accounts belong to customers in the cryptocurrency industry.

The breach occurred on August 27, after the attackers bypassed multiple security controls using SMS phishing and social engineering to compromise an IT employee's Okta account.

The attack used a URL impersonating Retool's internal identity portal and was launched during a previously announced migration of logins to Okta.

While most of the targeted employees ignored the phishing text message, one clicked the embedded phishing link that redirected to a fake login portal with a multi-factor authentication (MFA) form.

After signing in, the attacker deepfaked an employee's voice and called the targeted IT team member, tricking them into providing an additional MFA code, which allowed the addition of an attacker-controlled device to the targeted employee's Okta account.

Retool is blaming the success of the hack on a new feature in Google Authenticator that allows users to synchronize their 2FA codes with their Google account.

This has been a long-requested feature, as you can now use your Google Authenticator 2FA codes on multiple devices, as long as they are all logged into the same account.

However, Retool says that the feature is also to blame for the August breach severity as it allowed the hacker who successfully phished an employee's Google account access to all their 2FA codes used for internal services.

"With these codes (and the Okta session), the attacker gained access to our VPN, and crucially, our internal admin systems," Kodesh said.

Retool blames breach on Google Authenticator MFA cloud sync feature

Software company Retool says the accounts of 27 cloud customers were compromised following a targeted and multi-stage social engineering attack.

www.bleepingcomputer.com

 

[Ink]

Could Microsoft Authenticator fall under the same attacks or worse, as it can also sync your 2FA and passwords.

Thoughts?

 

[SpyNetGirl]

Could Microsoft Authenticator fall under the same attacks or worse, as it can also sync your 2FA and passwords.

Thoughts?

Retool is wrong here. It's not Google's fault, it's Retool's incompetence. They got the entire threat model wrong and now want to blame someone else.

 

[upnorth]

Not Googles fault that Retool didn't implement and used extra and better authentication tools for their " critical systems ". There's way too many other old reports available on that issue. The use of an hardware device like FIDO2 keys helps.


Btw, Okta themself been serious breached more then once:

Okta's source code stolen after GitHub repositories hacked

Okta, a leading provider of authentication services and Identity and Access Management (IAM) solutions, says that its private GitHub repositories were hacked this month. According to a 'confidential' email notification sent by Okta and seen by BleepingComputer, the security incident involves...

malwaretips.com

 

[TairikuOkami]

Could Microsoft Authenticator fall under the same attacks or worse, as it can also sync your 2FA and passwords.

Yes, because it was user's fault, who logged via a phishing webpage. I have just reinstalled Windows and all I had to do to login was to confirm 1 request via "trusted" Authenticator. Afterwards, I could simply access everything via Windows using PIN, like passwords, onedrive, etc. So much for 2FA/MFA, the whole security is like a house of cards, one mistake and it all falls down.

 

[Trident]

There was this wave to discard codes via SMS and move to authenticators (deemed more secure due to SIM swapping attacks that are extremely rare). Now we are blaming the same authenticators that were deemed secure for breaches.

 

[brambedkar59]

Securit and convenience are usually inversely proportional to each other. You sacrifice one to gain other.
Not sure why they are blaming Google here.

 

[Trident]

Securit and convenience are usually inversely proportional to each other. You sacrifice one to gain other.
Not sure why they are blaming Google here.

It’s always like that in the event of breach, that’s been like this for years. It’s his fault, her fault, its fault, their fault. It is never the business’ fault for various misconfigurations.

Btw, Authenticator by Google can be used without an account too by people who desire to do so.

 

[Sandbox Breaker]

I've been using yubikeys/titans since 2017. Never looked back since. With AiTM today... Alot of orgs/banks/govts/MSP's all getting hacked.

Check Point Zero Phishing has stopped all zero day AiTM pages/proxies I've seen in the wild.