Google Authenticator Flaw Inadvertently Facilitated $15 Million Theft

Recently, a cryptocurrency firm, Fortress Trust, disclosed a theft of $15 million following a cyber attack. Investigating the matter revealed a design flaw in Google Authenticator that led to a series of incidents across multiple firms before the theft.

Google Authenticator Exhibits A Weird Design Flaw

Fortress Trust, a cryptocurrency custodian, recently disclosed a security incident that allowed the attacker to pilfer $15 million from the Trust’s customers. According to the firm, the breach did not affect the firm’s systems but instead impacted a “third-party vendor,” indirectly hitting the firm.

While Fortress Trust didn’t initially name the vendor, it turned out that the Trust was referring to Retool, a cloud service provider. Retool partnered with Fortress Trust to help its customers access funds via a dedicated portal. However, according to Retool’s disclosure about the incident, the firm suffered a phishing attack that eventually impacted Fortress Trust customers, causing financial losses.

As disclosed in its post, one of Retool’s employees fell prey to a vishing attack in which the attackers impersonated the voice of one of the firm’s IT staff for the phishing call. The attacker first sent an email to Retool, asking recipients to log in via the given Okta link (a fake URL). One of the employees engaged with the email and logged in on the attacker’s web page, after which the attackers called the employee and tricked them into sharing an MFA OTP.

With that OTP, the attackers accessed the victim employee’s Okta account, could generate their own OTPs from then on, and could even access the active GSuite session on the device.

That’s where the actual flaw existed. Given the recent change with Google Authenticator that syncs MFA codes to the cloud, the compromised Google account let the attackers access all MFA codes associated with Retool and Okta. Ultimately, using these codes, the attackers breached the Retool systems and VPN and impacted Fortress Trust customers’ accounts.

What Does Google Have To Say?

While exploiting Google Authenticator, as demonstrated in the recent attack, is unique, it explicitly highlighted a major design flaw that, according to Retool, converted multi-factor authentication into single-factor authentication for the admins.

Following this incident, Google provided the following statement, urging customers to switch to safer MFA approaches, like passwordless authentication. Besides, the firm also pledged to improve Google Authenticator.

Our first priority is the safety and security of all online users, whether consumer or enterprise, and this event is another example of why we remain dedicated to improving our authentication technologies. Beyond this, we also continue to encourage the move toward safer authentication technologies as a whole, such as passkeys, which are phishing resistant.
Phishing and social engineering risks with legacy authentication technologies, like ones based on OTP, are why the industry is heavily investing in these FIDO-based technologies.
While we continue to work toward these changes, we want to ensure Google Authenticator users know they have a choice whether to sync their OTPs to their Google Account, or to keep them stored only locally. In the meantime, we’ll continue to work on balancing security with usability as we consider future improvements to Google Authenticator.

Retool also confirmed that the incident had no impact on its on-premise tool and that all 27 hijacked accounts were completely restored.

While now resolved, the entire fiasco explicitly highlighted the importance of staff training regarding cyber threats, phishing, and deepfakes to prevent such incidents.
