Public Cloud Security Breaches Documenting their mistakes so you don't make them.

Retool MFA

Incident Details

Victimized Company:Retool
Incident Dates:2023-08-27 to 2023-08-29
Disclosure Date:2023-08-29
Current Status:

An engineer at Retool fell victim to a social engineering attack that led to the compromise of an engineer’s MFA tokens and the account takeover of a small number of Retool customers.

Incident

On August 27th, a Retool engineer fell victim to a social engineering attack. As part of the attack, the perpetrator managed to gain access to the engineer’s Google account. Google Authenticator (the MFA mobile app) syncs the Temporary One Time Passcode (TOTP) seeds to the cloud. By compromising the engineer’s Google Session, the perpetrator could gain access to all of the engineer’s MFA tokens. From there, the attacker was able to pivot to several internal systems at Retool.

The incident at Retool has been linked to a theft of $15M in cryptocurrency from Fortress Trust

Details of the Incident

The Retool employee was spear phished to a fake Okta domain under the guise of “an issue with Open Enrollment”. After the first access, the attackers used a deep-fake voice and inside knowledge of the company to convince the engineer to provide a second MFA token. From the Retool blog post:

The caller claimed to be one of the members of the IT team, and deepfaked our employee’s actual voice. The voice was familiar with the floor plan of the office, coworkers, and internal processes of the company. Throughout the conversation, the employee grew more and more suspicious, but unfortunately did provide the attacker one additional multi-factor authentication (MFA) code.

From there, they were able to access the MFA tokens.

Unfortunately Google employs dark patterns to convince you to sync your MFA codes to the cloud, and our employee had indeed activated this “feature”. If you install Google Authenticator from the app store directly, and follow the suggested instructions, your MFA codes are by default saved to the cloud. If you want to disable it, there isn’t a clear way to “disable syncing to the cloud”, instead there is just a “unlink Google account” option. In our corporate Google account, there is also no way for an administrator to centrally disable Google Authenticator’s sync “feature”. We will get more into this later.

The MFA tokens granted access to the VPN and allowed the attacker to move laterally with ease:

Getting access to this employee’s Google account therefore gave the attacker access to all their MFA codes. With these codes (and the Okta session), the attacker gained access to our VPN, and crucially, our internal admin systems. This allowed them to run an account takeover attack on a specific set of customers (all in the crypto industry). (They changed emails for users and reset passwords.) After taking over their accounts, the attacker poked around some of the Retool apps.

Timeline

Date Event
April 23, 2023 Google announces that the Google Authenticator Application now supports sync to the cloud.
August 27, 2023 Retool engineer falls victim to spear phishing attack.
August 29, 2023 Retool notifies the 27 impacted customers.
September 7, 2023 Fortress tweets about a third-party compromise. (screenshot)
September 13, 2023 Retool publishes a blog post outlining the details of the attack. (PDF)
September 14, 2023 CoinDesk attributes a $15M crypto-heist to the Retool incident.

Attribution / Perpetrator

No disclosure has been made about the Perpetrator; however, Retool indicated the 27 impacted customers were in the cryptocurrency industry.

Summary of Coverage

Cloud Security Lessons Learned

Storage of seeds for TOTP-based multi-factor authentication is something that every organization needs to threat model. If the TOTP seeds are stored in the same vault as the password, the compromise of the vault provides both factors of authentication.

As with Retool, the TOTP seeds were stored in Google Workspace without the explicit knowledge of the security team because Google “enhanced” their product to offer the ability to sync these tokens. Another popular free TOTP MFA application, Authy from Twillio, will also sync to the cloud. This syncing feature is free, which means it is typically outside the control or review of the enterprise security team.

While hardware keys provide better protection from phishing than TOTPs, not all systems support hardware keys, and hardware keys are impractical for shared accounts. Security teams should implement a sanctioned solution for their privileged users rather than forcing their technologists to figure it out independently.