Retool details a 2023 cloud-access incident where spear-phishing led to OTP/MFA token misuse, resulting in 27 cloud customer account takeovers (on-prem remained safe). The post argues for stronger controls (hardware FIDO2 keys), improved threat modeling, and human-in-the-loop safeguards to counter evolving social-engineering and cloud-MFA risks. #Retool #Okta
Keypoints
- Between August 27β29, 2023, Retool suffered a spear-phishing attack that impacted 27 cloud customers, with on-prem deployments unaffected.
- The attackers used SMS-based phishing to lure an employee to a fake identity portal link, exploiting a migration to Okta.
- One employee clicked the malicious link, leading to MFA/OTP misuse and the attacker leveraging MFA tokens to access internal systems.
- Deepfake-style social engineering and a call back after a fake login helped the attacker obtain an additional MFA token, enabling device addition to Okta and access to GSuite sessions.
- Cloud-synced Google Authenticator MFA tokens meant control of a Google account could grant access to all OTPs, weakening MFA as a defense.
- Retool recommends hardware security keys (FIDO2), human-in-the-loop controls, and stronger threat modeling; on-prem deployments were designed to be zero-trust and insulated from cloud compromises.
- The incident underscores social engineering as a credible risk and the need to address dark patterns in MFA tools and to educate users and build resilient processes.
MITRE Techniques
- [T1566.002] Spearphishing Link β The message contained a url disguised to look like our internal identity portal. βThe message contained a url disguised to look like our internal identity portal.β
- [T1133] External Remote Services β After obtaining credentials, the attacker gained access to the VPN and internal admin systems, enabling remote access into the environment. βThe attacker gained access to our VPN, and crucially, our internal admin systems.β
- [T1078] Valid Accounts β Gaining access using compromised credentials and sessions (Google/Okta) to reach VPN and internal resources. βGetting access to this employeeβs Google account therefore gave the attacker access to all their MFA codes. With these codes (and the Okta session), the attacker gained access to our VPN, and crucially, our internal admin systems.β
- [T1098] Account Manipulation β The attacker changed emails for users and reset passwords, effectively taking over accounts. βthey changed emails for users and reset passwords.β
Indicators of Compromise
- [URL] context β example: https://retool.okta.com.[oauthv2.app]/authorize-client/xxx (phishing portal link used in the SMS lure)
- [Domain] context β examples: retool.okta.com, okta.com (domains referenced in the phishing link and OAuth flow)
Read more: https://retool.com/blog/mfa-isnt-mfa/