Incident Name: Retool August 2023 Social Engineering Attack
Date of Incident: August 27th, 2023
Retool, a popular software company, announced on September 13, 2023, that it had fallen victim to a cyber attack in August 2023. According to their blog post, their employees were targeted in a smishing campaign on August 27, 2023. The employees received smishing texts claiming to be from their IT department regarding an account issue that would impact their healthcare coverage enrollment. Retool had recently transitioned to Okta, and the URL used in these messages appeared to be a legitimate Okta login URL. Unfortunately, one employee fell for this smishing campaign and unknowingly logged in via the malicious URL. Subsequently, the threat actor posing as IT contacted the employee via phone call, using a deepfake of a real employee. It has been reported that the threat actor had access to office floor plans and processes, enhancing their ability to convince the targeted employee and acquire their MFA code. Once in possession of this code, the threat actor added their own device to the employee’s Okta account, expanding their access within the environment. Leveraging this access, they logged into an active G Suite session and gained visibility into all authenticator codes synced to that account. In April 2023, Google introduced the option for users to sync these codes to simplify transfers between devices; however, it is crucial to note that this feature can be disabled to prevent automatic syncing. Corporate accounts face challenges in centrally disabling this setting, requiring coordination with Google to mitigate similar incidents at other companies.
Armed with the synced MFA codes, the threat actor proceeded to access Retool’s VPN and internal admin systems. Exploiting this access, they targeted accounts associated with cryptocurrency customers. As a result, 27 accounts were compromised. Retool promptly informed these affected customers, restored their accounts, and revoked all internal access to authenticated sessions for employees. They also conducted a comprehensive review of access permissions.
While the identity of the threat actor has not been officially disclosed, it is noteworthy that phishing campaigns utilizing Okta as a pretext continue to be widely employed and successful. Recently, Okta, a provider of identity and authentication services, issued a warning to its customers about an ongoing, sophisticated social engineering attack targeting IT service desk personnel. Multiple Okta customers have reported falling victim to these attacks since August 2023. The attacks exploit vishing techniques to deceive employees.
Key Social Engineering/OSINT Themes:
- Recon – Retool employee and organizational information was harvested. The threat actor leveraged exposed employee information to conduct a social engineering attack.
- Smishing – Using a malicious Okta Retool URL, the threat actor socially engineered the employee into clicking the link.
- Vishing – Once the employee logged in via the malicious URL, they called the employee using a deepfake voice to impersonate an IT helpdesk employee.
Picnic’s Recommended Remediations:
For detailed remediations, see the HASP Framework.
High Risk Employees
- HASP Framework 1.1 — Identify high-value employee targets
- HASP Framework 1.3 — Conduct social engineering risk assessments for high-value employee targets
- HASP Framework 1.5 — Establish and implement procedures for high-value employee targets
- HASP Framework 1.7 — Increase detection and monitoring for high-value employee targets
Exposed Employee PII
- HASP Framework 2.1 — Identify exposed employee PII
- HASP Framework 2.2 — Reduce exposed employee PII
- HASP Framework 3.7 — Restrict service account access
- HASP Framework 3.8 — Monitor for account takeover (including real-time alerts on exposed credentials)
- HASP Framework 3.9 — Monitor for MFA configuration changes
- HASP Framework 3.10 — Monitor for new MFA registrations
Exposed Remote Services
- HASP Framework 4.2 — Identify exposed shadow IT
- HASP Framework 4.4 — Manage shadow IT / remote access
Indicators of Attack
- HASP Framework 7.1 — Monitor for suspicious external accounts
- HASP Framework 7.2 — Request takedowns for suspicious external accounts
- HASP Framework 7.3 — Alert your organization about suspicious external accounts
- HASP Framework 7.4 — Monitor for suspicious domains
- HASP Framework 7.5 — Block suspicious domains
- HASP Framework 8.1 — Train employees on social engineering attacks
- HASP Framework 8.2 — Provide employees with social engineering phishing simulation training
- HASP Framework 8.4 — Build and establish social engineering policies, processes, and procedures
Breach Notice/Company Notice: