A phishing attack on a cloud provider used by Fortress Trust led to a $15 million crypto theft from the crypto custodian.
The cloud provider is Retool, a San Francisco-based company with Fortune 500 customers. Retool built a portal for a handful of Fortress clients to access their funds. The phishing attack resulted in an attacker gaining access to Retool’s system and stealing the private keys to the Fortress clients’ crypto wallets.
Retool, without naming Fortress, notified its customers about the attack in a blog post. It stated that “there had been unauthorized access to their accounts” as a result of a phishing attack.
The blog revealed that the attackers targeted “a specific set of customers,” all of whom were in the crypto business. Retool said that customers who ran the software in the configuration it encourages were not affected.
The blog post details the whole event in chronological order. The attacker was able to move through multiple layers of security controls after compromising one employee through an SMS-based phishing (smishing) attack.
Several employees had received a text, claiming that a member of IT was reaching out about an account issue that would prevent open enrollment, which would affect the employee’s healthcare coverage.
The attacker made contact with one of the employees through the link provided in the text. Despite becoming suspicious during the conversation, the employee provided the attacker with one additional multi-factor authentication (MFA) code.
The blog detailed that this “allowed the attacker to add their own personal device to the employee’s Okta account, which allowed them to produce their own Okta MFA from that point forward. This enabled them to have an active GSuite session on that device. Google recently released the Google Authenticator synchronization feature that syncs MFA codes to the cloud.”
Because Authenticator sync had copied the employee’s one-time-code secrets into that Google account, the attacker’s GSuite session also yielded the MFA codes for other internal services, collapsing multi-factor authentication to a single compromised factor. With those codes and the Okta session, the attacker reached Retool’s VPN and internal admin systems and ran account takeovers against a specific set of customers, all in the crypto industry.
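The pivotal step in this chain is the attacker enrolling their own device as an MFA factor on the employee’s Okta account, minutes after signing in with the phished code from a client the employee had never used. That pattern is detectable. The following is an added example written for this article, not code from Retool or from the article’s author: a heuristic run over constructed Okta-style System Log events that flags a factor activation from a client IP with no prior sign-in history for that user when it follows a fresh session from that same IP. The event type names, the JSON field layout and the sample log lines are assumptions modelled on Okta’s log format; check them against your own tenant before relying on them.

```python
"""Flag MFA-factor enrollments that look like a phished-OTP account takeover.

Heuristic: a successful factor activation from a client IP that has never
appeared in the user's earlier successful sessions, arriving within a short
window after a session start from that same new IP, is treated as suspicious.
A legitimate re-enrollment from a device the user has signed in from before
is not flagged.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Assumed event type names, modelled on Okta System Log conventions.
SESSION_START = "user.session.start"
FACTOR_ACTIVATE = "user.mfa.factor.activate"

# How close a new-IP sign-in and a factor activation must be to correlate them.
WINDOW = timedelta(minutes=30)

# Constructed sample events (not real Okta data): an employee signs in from
# an office address for a week, then a session and a factor enrollment arrive
# from an address never seen before; later the employee re-enrolls a factor
# from the usual address, which should not be flagged.
SAMPLE_LOG = [
    '{"published":"2023-08-20T09:01:00Z","eventType":"user.session.start","actor":{"alternateId":"employee@example.com"},"client":{"ipAddress":"203.0.113.10"},"outcome":{"result":"SUCCESS"}}',
    '{"published":"2023-08-24T08:58:00Z","eventType":"user.session.start","actor":{"alternateId":"employee@example.com"},"client":{"ipAddress":"203.0.113.10"},"outcome":{"result":"SUCCESS"}}',
    '{"published":"2023-08-27T14:02:00Z","eventType":"user.session.start","actor":{"alternateId":"employee@example.com"},"client":{"ipAddress":"198.51.100.7"},"outcome":{"result":"SUCCESS"}}',
    '{"published":"2023-08-27T14:05:00Z","eventType":"user.mfa.factor.activate","actor":{"alternateId":"employee@example.com"},"client":{"ipAddress":"198.51.100.7"},"outcome":{"result":"SUCCESS"}}',
    '{"published":"2023-08-28T09:10:00Z","eventType":"user.session.start","actor":{"alternateId":"employee@example.com"},"client":{"ipAddress":"203.0.113.10"},"outcome":{"result":"SUCCESS"}}',
    '{"published":"2023-08-28T09:12:00Z","eventType":"user.mfa.factor.activate","actor":{"alternateId":"employee@example.com"},"client":{"ipAddress":"203.0.113.10"},"outcome":{"result":"SUCCESS"}}',
]


def parse_events(lines):
    """Parse JSON log lines into flat dicts sorted by timestamp."""
    events = []
    for line in lines:
        e = json.loads(line)
        events.append({
            "ts": datetime.fromisoformat(e["published"].replace("Z", "+00:00")),
            "type": e["eventType"],
            "user": e["actor"]["alternateId"],
            "ip": e["client"]["ipAddress"],
            "outcome": e["outcome"]["result"],
        })
    events.sort(key=lambda ev: ev["ts"])
    return events


def find_suspicious_enrollments(events):
    """Return (user, ip, iso_timestamp) for each factor activation that comes
    from an IP with no session history for that user older than WINDOW, and
    that follows a successful session start from the same IP within WINDOW."""
    history = defaultdict(list)  # user -> [(ts, ip)] of successful session starts
    findings = []
    for e in events:
        if e["outcome"] != "SUCCESS":
            continue
        if e["type"] == SESSION_START:
            history[e["user"]].append((e["ts"], e["ip"]))
        elif e["type"] == FACTOR_ACTIVATE:
            prior = [(ts, ip) for ts, ip in history[e["user"]] if ts < e["ts"]]
            # Known device: this IP signed in well before the enrollment.
            seen_before_window = any(
                ip == e["ip"] and ts < e["ts"] - WINDOW for ts, ip in prior)
            # Fresh sign-in from the same IP right before enrolling a factor.
            recent_from_same_ip = any(
                ip == e["ip"] and e["ts"] - ts <= WINDOW for ts, ip in prior)
            if recent_from_same_ip and not seen_before_window:
                findings.append((e["user"], e["ip"], e["ts"].isoformat()))
    return findings


if __name__ == "__main__":
    for user, ip, when in find_suspicious_enrollments(parse_events(SAMPLE_LOG)):
        print(f"SUSPICIOUS factor enrollment: {user} from {ip} at {when}")
```

On the constructed log the only finding is the 14:05 enrollment from 198.51.100.7; the employee’s own re-enrollment from 203.0.113.10 the next day passes because that address has days of sign-in history. In a real deployment, treat the output as an alert to triage (an employee setting up a new laptop from a hotel would trip it), pair it with a policy that makes new-factor enrollment itself require a step-up or admin approval, and consider revoking the factor automatically when the enrolling session came from outside the VPN.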
After learning about the attack, Retool immediately revoked all internal authenticated sessions (Okta, GSuite and others) for employees. It locked down access to the affected accounts and notified the customers.
Retool also restored the accounts to their original state with the original email address and reversed 27 account takeovers.