In a significant cybersecurity development, Retool, a software development company, has pointed to the introduction of a recent Google Account cloud synchronisation feature as the root cause behind the hack that targeted crypto custodian Fortress Trust (recently acquired by Ripple).
Retool, recognised for providing cloud services to various clients, including Fortress Trust, has made a startling revelation.
The security breach impacted all 27 cloud-based customer accounts under their purview, ultimately resulting in a substantial loss of $15 million for Fortress Trust.
This breach has garnered attention not only from industry insiders but also from influential figures like Chinese crypto blogger and journalist Colin Wu, who has shared insights into the incident.
According to Colin, the vulnerability exploited by the hackers appears to be tied to the additional security measures offered by a major authentication app.
Snir Kodesh, Head of Engineering at Retool, shed light on a critical security lapse stemming from a recent Google update.
This update, which synchronised multifactor authentication codes to the employee's Google account without administrators being aware of it, effectively reduced multifactor authentication to single-factor authentication, ultimately laying the groundwork for the breach.
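To make the "multifactor became single-factor" point concrete, here is an added example (not code from Retool, Google, or the article) of how time-based one-time passwords are derived from a shared seed, together with a hypothetical model of an authenticator app's seed store with cloud sync on or off. The seed is the RFC 6238 reference seed, not a real credential; the `AuthenticatorAccount` class, device names and `attacker_can_mint_codes` scenario are constructed assumptions for illustration.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238 Appendix B reference seed (ASCII "12345678901234567890"), base32-encoded
# the way authenticator apps store it. Not a real credential.
RFC_SEED_B32 = base64.b32encode(b"12345678901234567890").decode()


def totp(seed_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second time counter, dynamically truncated."""
    key = base64.b32decode(seed_b32.upper())
    counter = int(unix_time) // step
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify(seed_b32: str, candidate: str, unix_time: int, window: int = 1) -> bool:
    """Accept a code for the current step or up to `window` steps either side (clock skew)."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(seed_b32, unix_time + drift * 30), candidate):
            return True
    return False


class AuthenticatorAccount:
    """Hypothetical model of an authenticator app's seed store. With cloud sync on, every
    device signed into the same account receives a copy of every enrolled seed; with sync
    off, a seed exists only on the device that scanned the enrolment QR code."""

    def __init__(self, cloud_sync: bool):
        self.cloud_sync = cloud_sync
        self._per_device = {}  # (device, issuer) -> seed, used when sync is off
        self._synced = {}      # issuer -> seed, used when sync is on
        self.devices = set()

    def sign_in(self, device: str) -> None:
        self.devices.add(device)

    def enrol(self, device: str, issuer: str, seed_b32: str) -> None:
        if self.cloud_sync:
            self._synced[issuer] = seed_b32
        else:
            self._per_device[(device, issuer)] = seed_b32

    def seeds_on(self, device: str) -> dict:
        if device not in self.devices:
            return {}
        if self.cloud_sync:
            return dict(self._synced)
        return {iss: s for (dev, iss), s in self._per_device.items() if dev == device}


def attacker_can_mint_codes(cloud_sync: bool, unix_time: int) -> bool:
    """Constructed scenario: the employee's phone enrolled an internal-admin TOTP seed;
    a second device is later signed into the same account. Returns whether that second
    device can produce a code the internal admin system would accept."""
    acct = AuthenticatorAccount(cloud_sync=cloud_sync)
    acct.sign_in("employee-phone")
    acct.enrol("employee-phone", "internal-admin", RFC_SEED_B32)
    acct.sign_in("second-device")  # account access obtained elsewhere; see the article
    seeds = acct.seeds_on("second-device")
    if "internal-admin" not in seeds:
        return False
    return verify(RFC_SEED_B32, totp(seeds["internal-admin"], unix_time), unix_time)
```

The code is fully determined by the seed and the clock, so whoever holds a copy of the seed holds the second factor. With sync off, `attacker_can_mint_codes(False, ...)` returns `False` because the seed never leaves the enrolling phone; with sync on it returns `True`, since signing any device into the account delivers every seed to it. That is why a single compromised account password plus one phished one-time code was enough to inherit all downstream MFA, and why device-bound, phishing-resistant authenticators (hardware keys or platform passkeys that cannot be exported) are the usual mitigation.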
The breach had its origins in an SMS social engineering attack that specifically targeted Retool’s employees.
The malicious actor employed a clever ruse, posing as a member of the IT team, to distribute harmful links to unsuspecting employees.
The accompanying message claimed to address a payroll issue, coaxing one employee into unwittingly entering their login credentials on a fraudulent landing page.
The hackers then escalated their tactics by employing a deep-fake voice during a phone call with the employee to extract a multifactor authentication code.
Armed with this code, the hackers proceeded to add their own device to the employee’s account, effectively gaining the means to generate multifactor authentication codes themselves.
This enabled them to establish an active Google Workspace session on their device, a pivotal step that granted them entry into the internal admin system.
Once inside, the hackers wasted no time in taking control of customer accounts, executing changes to email addresses and passwords.
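The sequence the article describes (login from an unfamiliar location, a new MFA device added to the account minutes later, then bulk changes to customer email addresses and passwords) is a chain a defender can correlate across audit logs. The following is an added example, not code from Retool or Google, that runs such a correlation over constructed audit events in a simplified, hypothetical schema; the field names, IP addresses, user and customer identifiers and time windows are all assumptions, and a real deployment would map its identity-provider and admin-panel logs onto these fields.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit events in a hypothetical schema (not any vendor's real log format).
EVENTS = [
    {"ts": "2023-08-27T10:02:00Z", "actor": "eng1@example.com", "event": "login_success", "ip": "203.0.113.7"},
    {"ts": "2023-08-27T10:05:00Z", "actor": "eng1@example.com", "event": "mfa_device_added", "ip": "203.0.113.7"},
    {"ts": "2023-08-27T10:21:00Z", "actor": "eng1@example.com", "event": "customer_email_changed", "ip": "203.0.113.7", "target": "cust-1"},
    {"ts": "2023-08-27T10:22:00Z", "actor": "eng1@example.com", "event": "customer_password_changed", "ip": "203.0.113.7", "target": "cust-1"},
    {"ts": "2023-08-27T10:24:00Z", "actor": "eng1@example.com", "event": "customer_email_changed", "ip": "203.0.113.7", "target": "cust-2"},
    # Benign: known office IP, routine device re-enrolment, no follow-on customer changes.
    {"ts": "2023-08-27T11:00:00Z", "actor": "eng2@example.com", "event": "login_success", "ip": "198.51.100.10"},
    {"ts": "2023-08-27T11:03:00Z", "actor": "eng2@example.com", "event": "mfa_device_added", "ip": "198.51.100.10"},
]

# Constructed per-user IP baseline (e.g. office egress addresses seen in the last 90 days).
KNOWN_IPS = {"eng1@example.com": {"198.51.100.10"}, "eng2@example.com": {"198.51.100.10"}}
ACCOUNT_CHANGE_EVENTS = {"customer_email_changed", "customer_password_changed"}


def _parse(ts: str) -> datetime:
    """Parse the constructed ISO-8601 timestamps (trailing 'Z' means UTC)."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def find_takeover_chains(events, known_ips, enrol_window=timedelta(minutes=30),
                         change_window=timedelta(hours=1), min_changes=2):
    """Flag actors whose activity shows: a login from an IP outside their baseline, an MFA
    device added within enrol_window of that login, then at least min_changes customer
    credential or email changes within change_window of the enrolment."""
    by_actor = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_actor[e["actor"]].append(e)

    findings = []
    for actor, evs in by_actor.items():
        baseline = known_ips.get(actor, set())
        for i, login in enumerate(evs):
            if login["event"] != "login_success" or login["ip"] in baseline:
                continue
            t0 = _parse(login["ts"])
            enrol = next((e for e in evs[i + 1:]
                          if e["event"] == "mfa_device_added"
                          and _parse(e["ts"]) - t0 <= enrol_window), None)
            if enrol is None:
                continue
            t1 = _parse(enrol["ts"])
            changes = [e for e in evs if e["event"] in ACCOUNT_CHANGE_EVENTS
                       and t1 <= _parse(e["ts"]) <= t1 + change_window]
            if len(changes) >= min_changes:
                findings.append({
                    "actor": actor,
                    "login_ip": login["ip"],
                    "mfa_added_at": enrol["ts"],
                    "targets": sorted({c["target"] for c in changes}),
                })
    return findings


if __name__ == "__main__":
    for f in find_takeover_chains(EVENTS, KNOWN_IPS):
        print(f"ALERT {f['actor']}: new-IP login, MFA device added at {f['mfa_added_at']}, "
              f"then changes to {', '.join(f['targets'])}")
```

The rule is deliberately conjunctive: a new-location login alone or a device enrolment alone is noisy, but the three events in sequence, within tight windows, are characteristic of an account takeover being converted into customer-account changes. Tuning the baseline (`known_ips`) and the windows to the environment is where most of the false-positive control lives, and an MFA-device-added event from a fresh IP is worth a step-up check or a notification to the user even before the downstream changes appear.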
This resulted in $15 million worth of crypto assets being lost.
While Retool has refrained from divulging the extent of the attack’s impact on its other clientele, the sheer sophistication of the operation suggests that the attackers possess advanced expertise, and possibly even insider knowledge that allowed them to tailor their phishing campaign with precision.
While the identities of the culprits remain veiled in uncertainty, their tactics bear a striking resemblance to the modus operandi of Scattered Spider, also known as UNC3944 — a financially driven threat actor renowned for their adept execution of sophisticated phishing campaigns.
Moreover, the deployment of deep-fake technology and synthetic media has raised red flags at the highest levels of the United States (US) government.
These tools have prompted concerns about their potential exploitation across a spectrum of malicious activities, spanning from business email compromise (BEC) attacks to cryptocurrency scams.