In a significant security breach, cryptocurrency custodian Fortress Trust fell victim to a phishing attack that resulted in a staggering $15 million in crypto theft. The breach originated from a phishing attack on their cloud provider, Retool, a San Francisco-based company that boasts Fortune 500 customers.
The Phishing Attack Unveiled
Retool, which had constructed a portal for a select group of Fortress clients to access their crypto funds, disclosed the attack to its customers in a blog post. The breach was attributed to “unauthorized access to their accounts” resulting from the phishing attack.
Notably, the attackers specifically targeted crypto-related businesses among Retool’s clientele. Fortunately, customers who had configured the software as advised remained unaffected by the breach.
The Intricate Attack
The chronology of events surrounding this attack paints a sophisticated and alarming picture. It began with the attackers launching an SMS-based phishing attack on multiple employees. The SMS falsely claimed to be from an IT department member addressing an account issue that purportedly threatened employees’ healthcare coverage, thereby inducing the targeted individuals to engage with the provided link.
While one employee grew suspicious during the interaction, they inadvertently supplied the attacker with an additional multi-factor authentication (MFA) code. This proved to be a pivotal moment, as the attacker used the code to add their personal device to the employee’s Okta account, enabling them to generate their own Okta MFA codes.
With this newfound access, the attacker gained entry to the company’s VPN and internal admin systems, ultimately executing an account takeover attack on a select group of customers—each immersed in the crypto industry.
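The pivot in the chain above is a phished MFA code being used to activate a new factor on the employee's Okta account. A defender can watch for exactly that sequence in identity logs: a successful login from an address the account has never used, followed within a short window by a factor activation. The following detector is an added example written for this article; it is not Retool's code or Okta's tooling. It assumes a simplified Okta System Log shape (only the fields used here), constructed sample events, and a per-user baseline of previously seen IP addresses that would normally come from a longer history export.

```python
"""Flag MFA factor activations that closely follow a login from an unfamiliar IP.

Added example, not code from the article or from Retool. Event records use a
simplified version of the Okta System Log layout (assumption: real events carry
many more fields; only `published`, `eventType`, `actor` and `client_ip` are
read here). All sample data below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# How long after a login a factor activation is still considered "linked" to it.
WINDOW = timedelta(minutes=60)

# Constructed baseline: IP addresses each user has logged in from historically.
KNOWN_IPS = {
    "alice@example.com": {"203.0.113.10"},
    "bob@example.com": {"203.0.113.11"},
}

# Constructed sample events (out of order on purpose; the detector sorts them).
SAMPLE_EVENTS = [
    {"published": "2023-08-27T13:43:50Z", "eventType": "user.mfa.factor.activate",
     "actor": "alice@example.com", "client_ip": "198.51.100.77"},
    {"published": "2023-08-27T09:02:11Z", "eventType": "user.session.start",
     "actor": "alice@example.com", "client_ip": "203.0.113.10"},
    {"published": "2023-08-27T13:40:05Z", "eventType": "user.session.start",
     "actor": "alice@example.com", "client_ip": "198.51.100.77"},
    # Benign: bob activates a factor right after logging in from a known address.
    {"published": "2023-08-27T10:15:00Z", "eventType": "user.session.start",
     "actor": "bob@example.com", "client_ip": "203.0.113.11"},
    {"published": "2023-08-27T10:16:30Z", "eventType": "user.mfa.factor.activate",
     "actor": "bob@example.com", "client_ip": "203.0.113.11"},
    # Benign: alice activates a factor with no login in the preceding hour.
    {"published": "2023-08-26T08:00:00Z", "eventType": "user.mfa.factor.activate",
     "actor": "alice@example.com", "client_ip": "203.0.113.10"},
]


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_enrollments(events, known_ips, window=WINDOW):
    """Return one finding per factor activation that followed, within `window`,
    a login for the same actor from an IP absent from that actor's baseline."""
    ordered = sorted(events, key=lambda e: parse_ts(e["published"]))
    logins = defaultdict(list)  # actor -> [(time, ip), ...]
    findings = []
    for ev in ordered:
        when = parse_ts(ev["published"])
        actor = ev["actor"]
        if ev["eventType"] == "user.session.start":
            logins[actor].append((when, ev["client_ip"]))
        elif ev["eventType"] == "user.mfa.factor.activate":
            baseline = known_ips.get(actor, set())
            for login_time, ip in logins[actor]:
                if timedelta(0) <= when - login_time <= window and ip not in baseline:
                    findings.append({
                        "actor": actor,
                        "ip": ip,
                        "login": login_time.isoformat(),
                        "activated": when.isoformat(),
                    })
                    break  # one finding per activation is enough
    return findings


def accounts_to_review(findings):
    """Distinct accounts whose sessions and factors deserve immediate review."""
    return sorted({f["actor"] for f in findings})


if __name__ == "__main__":
    for finding in find_suspicious_enrollments(SAMPLE_EVENTS, KNOWN_IPS):
        print(f"{finding['actor']}: factor activated at {finding['activated']} "
              f"after login from new IP {finding['ip']} at {finding['login']}")
    print("review:", accounts_to_review(
        find_suspicious_enrollments(SAMPLE_EVENTS, KNOWN_IPS)))
```

Run as a script, it reports only alice's activation from 198.51.100.77; bob's activation and alice's earlier one are ignored because the login address was already in the baseline or no login fell inside the window. The baseline-of-known-IPs approach is deliberately simple; in production the same logic would key on device or ASN as well, since an attacker who enrols their own device can then mint codes from anywhere.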
Swift Response and Resolution
Upon discovering the breach, Retool acted swiftly. They immediately revoked all internal authenticated sessions tied to Okta, GSuite, and other systems for their employees. Furthermore, access to the affected accounts was promptly restricted, and the impacted customers were notified.
Restoration efforts were also prioritized, with Retool successfully reinstating the accounts to their original states and reversing a total of 27 account takeovers. While this incident has caused significant disruption, it serves as a stark reminder of the critical need for robust cybersecurity measures in the cryptocurrency sector.
As the crypto industry continues to evolve, it must remain vigilant and proactive in safeguarding assets and sensitive information against such threats to ensure the security and trust of its stakeholders.