Last month, Retool, a company specializing in the development of business applications for customers, experienced a hacking incident. The victims of this attack were 27 of the company’s cloud clients.
The hacker initiated the attack by sending multiple SMS messages pretending to be a member of Retool’s IT team, claiming to address issues related to salary payments and medical insurance. While most recipients recognized the message as a phishing attempt, one unsuspecting employee clicked on a URL link in the message, which redirected them to a fake login portal. After the employee entered their credentials on the fake site, the hacker called the employee by phone, using voice technology to imitate the real voice of a colleague. During the conversation, the hacker, posing as a member of the IT team, demonstrated knowledge of the office layout, colleagues, and internal processes of the company. The employee began to suspect foul play, but still provided the attacker with an additional multi-factor authentication (MFA) code.
This incident suggests that the attacker may already have had some level of access to Retool’s resources before the phone call took place. Using the MFA code, the attacker added their own device to the employee’s account, thereby gaining access to the employee’s G Suite account.
A particularly concerning aspect of this incident is that the Google Authenticator application recently introduced a cloud synchronization feature. This means that MFA codes can now be generated on any device linked to the same Google account, so a single compromised account exposes every code it protects.
Retool emphasized the severity of the situation, stating, “If your Google account is compromised, your MFA codes are also at risk.” According to Retool, it was the compromise of the Google Account that facilitated the attacker’s access to the company’s internal systems.
Retool has already revoked the hacker’s access, but has decided to share information about the incident in order to alert other companies. It has also called on Google to modify its authenticator application so that companies can easily disable the cloud synchronization feature for their employees. Google has not yet commented on the matter.