California-based software development firm Retool has attributed the late-August compromise of 27 client accounts, all belonging to cryptocurrency organizations, to the new cloud-sync feature in Google Authenticator, according to BleepingComputer.
Attackers used SMS phishing and social engineering, including a spoofed copy of Retool's internal identity portal, to breach an Okta account belonging to an IT employee, Retool said. The victim was talked into handing over a multi-factor authentication code, which let the attackers enroll a device under their control on the account.
Retool noted that the attack succeeded primarily because of the new code-synchronization feature in Google Authenticator: the employee's one-time-password seeds had been synced to their Google account, so once the attackers were inside that account they held every 2FA code the employee used for Retool's internal services, and the second factor no longer added anything beyond the first.
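The point Retool is making is that a TOTP seed is the factor: any copy of it, on any device, produces the same codes, and a code read out to a caller stays valid for the rest of its time step plus the server's skew window. The following is an added example written for this article, not code from Retool, Okta or Google. It implements RFC 4226/6238 from the standard library and parses a constructed otpauth URI whose issuer and account label are made up; the seed is the RFC 6238 test key "12345678901234567890", base32-encoded.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, code: str, at_time: int,
                step: int = 30, window: int = 1) -> bool:
    """Server-side check accepting the current step plus `window` steps either side
    (the usual clock-skew tolerance), compared in constant time."""
    counter = at_time // step
    return any(
        hmac.compare_digest(hotp(secret, counter + k), code)
        for k in range(-window, window + 1)
    )


def seed_from_otpauth_uri(uri: str) -> bytes:
    """Extract the shared seed from an otpauth://totp/... URI, the format carried by
    enrollment QR codes and authenticator exports. The base32 string *is* the factor."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    secret_b32 = parse_qs(parsed.query)["secret"][0].upper()
    # Stored base32 seeds usually omit padding; restore it before decoding.
    secret_b32 += "=" * (-len(secret_b32) % 8)
    return base64.b32decode(secret_b32)


# Constructed example: a seed as it would sit in an authenticator's synced store.
# Issuer and account label are made up; the seed is the RFC 6238 test key.
VICTIM_URI = ("otpauth://totp/Example%20Corp:it-admin%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example%20Corp")


def attacker_with_synced_seed_passes(at_time: int) -> bool:
    """Once the seed has been copied out of a synced account, the attacker's device
    computes exactly the code the victim's device shows; the server cannot tell them
    apart, so possession of the seed is possession of the factor."""
    server_seed = seed_from_otpauth_uri(VICTIM_URI)    # what the service enrolled
    attacker_seed = seed_from_otpauth_uri(VICTIM_URI)  # what the attacker exfiltrated
    return verify_totp(server_seed, totp(attacker_seed, at_time), at_time)


def phished_code_replay_passes(phish_time: int, replay_delay: int) -> bool:
    """A code socially engineered out of the user remains valid for the rest of its
    time step plus the skew window, long enough to enroll a new device."""
    seed = seed_from_otpauth_uri(VICTIM_URI)
    phished_code = totp(seed, phish_time)  # the victim reads this out to the caller
    return verify_totp(seed, phished_code, phish_time + replay_delay)
```

`totp(seed, 59)` yields `287082`, matching the RFC 6238 vector (94287082 truncated to six digits), which is the easiest way to confirm the implementation before reasoning about it. The two demonstration functions show the two halves of the Retool chain: a phished code replayed within the window, and a copied seed that is indistinguishable from the original.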
"This allowed them to run an account takeover attack on a specific set of customers (all in the crypto industry). (They changed emails for users and reset passwords.) After taking over their accounts, the attacker poked around some of the Retool apps," said Retool Head of Engineering Snir Kodesh, who added that Google should act to remove or provide the option to disable the sync feature.
In response, Google recommended passkeys and other FIDO-based authentication, which bind the credential to the legitimate site's origin so that a spoofed login portal cannot harvest a usable factor.