The Cyber Security News

Retool Falls Victim to SMS-Based Phishing Attack Affecting 27 Cloud Clients

September 18, 2023

Software development company Retool has disclosed that the accounts of 27 of its cloud customers were compromised following a targeted, SMS-based social engineering attack.

The San Francisco-based company blamed a Google Account cloud synchronization feature introduced in April 2023 for making the breach worse, calling it a “dark pattern.”

“The fact that Google Authenticator syncs to the cloud is a novel attack vector,” Snir Kodesh, Retool’s head of engineering, said. “What we had originally implemented was multi-factor authentication. But through this Google update, what was previously multi-factor-authentication had silently (to administrators) become single-factor-authentication.”

Retool said the incident, which took place on August 27, 2023, did not allow unauthorized access to on-prem or managed accounts. It also coincided with the company migrating its logins to Okta.

It all began with an SMS phishing attack aimed at its employees, in which the threat actors masqueraded as a member of the IT team and instructed the recipients to click on a seemingly legitimate link to address a payroll-related issue.

One employee fell for the phishing trap, which led them to a fake landing page that tricked them into handing over their credentials. In the next phase of the attack, the hackers called the employee, again posing as the IT team member by deepfaking their “actual voice” to obtain the multi-factor authentication (MFA) code.

“The additional OTP token shared over the call was critical, because it allowed the attacker to add their own personal device to the employee’s Okta account, which allowed them to produce their own Okta MFA from that point forward,” Kodesh said. “This enabled them to have an active G Suite [now Google Workspace] session on that device.”

The fact that the employee had also activated Google Authenticator’s cloud sync feature allowed the threat actors to gain elevated access to Retool’s internal admin systems and effectively take over the accounts belonging to 27 customers in the crypto industry.

The attackers ultimately changed the emails for those users and reset their passwords. Fortress Trust, one of the affected users, saw close to $15 million worth of cryptocurrency stolen as a result of the hack, CoinDesk reported.

“Because control of the Okta account led to control of the Google account, which led to control of all OTPs stored in Google Authenticator,” Kodesh noted.

If anything, the sophisticated attack shows that syncing one-time codes to the cloud can break the “something the user has” factor, necessitating that users rely on FIDO2-compliant hardware security keys or passkeys to defeat phishing attacks.
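As an added illustration of the point above (this is example code, not from the article, Retool or Google), the block below implements RFC 6238 TOTP and a simplified WebAuthn relying-party check side by side: a TOTP code is valid from any copy of the seed and says nothing about where it was typed, whereas a FIDO2 assertion is bound to the page origin and the relying-party ID, so one obtained on a look-alike site is rejected. The relying party `corp.example`, the phishing origin, the seed and the device key are constructed, and an HMAC stands in for the authenticator's asymmetric signature to keep the example stdlib-only.

```python
import hashlib, hmac, json, struct

RP_ID = "corp.example"                          # relying party domain (assumed)
PHISH_ORIGIN = "https://corp-payroll.example"   # look-alike phishing origin (constructed)
SEED = b"constructed-totp-seed"         # with cloud sync, a copy also sits in the cloud account
DEVICE_KEY = b"constructed-device-key"  # FIDO2 private key: never leaves the authenticator

def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the code depends only on seed and time, so
    every copy of the seed (phone, cloud backup, attacker) yields the same code."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    val = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{val % 10 ** digits:0{digits}d}"

def totp_server_accepts(code: str, unix_time: int) -> bool:
    """Server side: nothing in the code says where the user typed it or who read it out."""
    return hmac.compare_digest(totp(SEED, unix_time), code)

def webauthn_assert(challenge: str, origin: str) -> dict:
    """Authenticator side (simplified): the signature covers rpIdHash plus the
    clientDataJSON that the *browser* fills in with the real page origin."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}, sort_keys=True).encode()
    auth_data = hashlib.sha256(RP_ID.encode()).digest()  # rpIdHash; flags/counter omitted
    signed = auth_data + hashlib.sha256(client_data).digest()
    return {"client_data": client_data, "auth_data": auth_data,
            "sig": hmac.new(DEVICE_KEY, signed, hashlib.sha256).digest()}

def webauthn_server_accepts(assertion: dict, challenge: str) -> bool:
    """Relying party: type, challenge, origin and rpIdHash must match, then the signature."""
    cd = json.loads(assertion["client_data"])
    if (cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge
            or cd.get("origin") != f"https://{RP_ID}"):
        return False                                   # assertion came from another site
    if assertion["auth_data"] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    return hmac.compare_digest(hmac.new(DEVICE_KEY, signed, hashlib.sha256).digest(),
                               assertion["sig"])

def synced_seed_code_accepted(now: int = 1693094400) -> bool:
    """A code computed from the synced seed copy (or read out over a call) is accepted."""
    return totp_server_accepts(totp(SEED, now), now)

def relayed_assertion_accepted(origin: str = PHISH_ORIGIN) -> bool:
    """Same user, same key, but the browser was on `origin`: the relay is rejected."""
    challenge = "constructed-fresh-challenge"   # real RPs use fresh random bytes per login
    return webauthn_server_accepts(webauthn_assert(challenge, origin), challenge)
```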

While the exact identity of the hackers was not disclosed, the modus operandi shows similarities to that of a financially motivated threat actor tracked as Scattered Spider (aka UNC3944), which is known for its sophisticated phishing tactics.

“Based on analysis of suspected UNC3944 phishing domains, it is plausible that the threat actors have, in some cases, used access to victim environments to obtain information about internal systems and leveraged that information to facilitate more tailored phishing campaigns,” Mandiant disclosed last week.

“For example, in some cases the threat actors appeared to create new phishing domains that included the names of internal systems.”

The use of deepfakes and synthetic media has also been the subject of a new advisory from the U.S. government, which warned that audio, video, and text deepfakes can be used for a wide range of malicious purposes, including business email compromise (BEC) attacks and cryptocurrency scams.

Some parts of this article are sourced from:
thehackernews.com

Copyright © TheCyberSecurity.News, All Rights Reserved.