Using AI to mimic an employee's voice allowed hackers to break into an IT company

Carding
Here's how Retool fell victim to an unusual attack.

Last month, Retool, a company that specializes in developing business applications for customers, was hacked. 27 cloud clients of the company became victims of hacking.

The hacker launched his attack by sending several Retool employees SMS messages on behalf of a member of the IT team, allegedly solving a problem with paying salaries and providing health insurance. Most of the recipients ignored the phishing message, with the exception of one employee.

This unsuspecting employee clicked on the URL link in the message, which redirected them to a fake internet login portal. After logging in to the site, they were contacted by phone using a voice created with the help of AI technologies, copying the real voice of the employee. In the conversation, the hacker, posing as a member of the IT team, was familiar with the office layout, work colleagues, and internal processes of the company. During the conversation, the employee began to suspect a trick, but still provided the attacker with an additional two-factor authentication (MFA) code.

This incident indicates that the attacker may have already partially accessed Retool resources prior to this call. After receiving the two-factor authentication code, the attacker added their device to the employee's account and gained access to the employee's GSuite account.

Especially dangerous was the fact that the Google Authenticator app had recently added a cloud syncing feature. This means that MFA codes can now be viewed on multiple devices associated with your account.

Retool highlighted the severity of the problem: "If your Google account is compromised, your MFA codes are also compromised." According to the company, it was access to the Google account that allowed the attacker to break into the company's internal systems.

Retool has already denied the hacker access, but decided to disclose information about what happened to warn other companies. They also called on Google to change its authentication app so that companies can easily disable the cloud sync feature for their employees. Google has not yet commented on this situation.