Twilio Targeted in Latest ‘0ktapus’ Phishing Attacks

A large-scale phishing attack was recently launched against employees at Twilio, a global cloud-based communications and infrastructure company. Phishing text messages impersonating Twilio’s IT department were sent to employees with the aim of harvesting their credentials. The stolen credentials were then used to access internal systems, resulting in a breach of confidentiality in which the data in multiple customer accounts was accessed. Twilio first became aware of the breach on 4th August 2022 and published an incident report within the same week, stating that a “limited” number of accounts were affected. However, the situation continued to develop, and by the end of August it was revealed that the attack affected not just Twilio customer accounts, but had also been linked to those using Authy (Twilio’s 2FA service), DoorDash, and Okta (hence the nickname 0ktapus).


The original phishing messages were sent to Twilio employees via SMS from U.S. carrier networks, and the threat actors appeared able to match employee phone numbers with their names, in a sophisticated social engineering attack. The messages used one of two pretexts: either a notification from Twilio’s IT department that the employee’s password was expiring, or a notice of a schedule change which they would need to log in to view. Each message contained a URL that the employee was tricked into clicking. These URLs included keywords such as “Twilio,” “Okta,” and “SSO” in order to appear more genuine. The links led to a malicious landing page designed to impersonate Twilio’s login page, where employee credentials were harvested by the threat actors.


When this attack was first noticed, Twilio worked alongside the SMS carriers and website hosting providers to prevent the sending of these messages and to shut down the spoofed web pages. However, the threat actors were able to continue their attack by switching the carriers and web hosts they were using. This development led Twilio to describe the attackers as “well-organized, sophisticated and methodical in their actions” in its security incident report. Since then, the previously unknown threat actors have been given the name ‘Scatter Swine’, and have been identified as responsible for multiple persistent phishing campaigns, codenamed 0ktapus, targeting technology companies such as Cloudflare, MailChimp, and Klaviyo. Global cybersecurity provider Group-IB has researched the Scatter Swine/0ktapus attacks and produced a detailed technical blog post, which includes a list of the Indicators of Compromise (IOCs) for this attack.


The attack begins with employees being sent a phishing SMS containing a link to a malicious site. The victim then enters not only their credentials on this fraudulent site, but also any multi-factor authentication (MFA) code needed to complete the usual login. Entering an MFA code on the phishing site causes the browser to automatically download AnyDesk.exe, a remote administration tool. The downloaded file is a legitimate copy of this tool; however, researchers have not identified why it was included in the attack. Because the phishing message was sent via SMS, victims were likely to open the link on their mobile phones. This stage of the attack does not appear to target mobile devices, as it involves a desktop remote-access tool, which Group-IB suggest could mean the threat actors behind this attack are inexperienced.


The phishing site then uses a Telegram bot embedded in the site code to send the captured login credentials and MFA code to the threat actors via a dedicated Telegram channel, and they can then use these to access the employee’s account. As the MFA code is only valid for a short period of time, the attackers would have needed to use the stolen credentials as soon as they were received. The threat actors then have the ability to steal data from the company and its customer accounts. They will also attempt to escalate their privileges where possible, in order to obtain even more sensitive data. The gathered information is then exfiltrated to the threat actors.


It is thought that the main targets of these attacks were not the customer accounts but the companies themselves. Twilio reports that once the attackers had access to its systems, they targeted private data, corporate emails, and internal documents. This information could be used for business intelligence purposes, sold to competitors, or held for ransom in a future attack on the same victim. Other targets included financial companies holding crypto assets, so money may also have been a motivator for these attacks. Because the first few companies attacked were mobile operators or telecommunications companies, it is thought that the mobile numbers of the victims in the later attacks could have been obtained in these initial attacks. This implies that 0ktapus is a sophisticated supply chain attack.


Organisations can reduce the chances of suffering a similar attack by ensuring all employees receive comprehensive training to identify and report phishing attacks. Users should always carefully check the URL of any page they are entering their credentials into, to confirm it is legitimate. This is especially important for users with highly privileged accounts. Organisations can reduce the number of these accounts by enforcing a policy of least privilege, where employees are given the minimum access necessary to complete their daily tasks, and highly privileged accounts are not used for other work activities, such as reading emails. The security of MFA can also be increased through the use of physical tokens, such as FIDO2 security keys, for passwordless authentication, which is considered resistant to phishing attacks. Cloudflare reports that its employees were targeted in the same campaign, but because they use physical tokens rather than TOTP (Time-based One-Time Passwords) delivered by SMS, their employees’ accounts were protected against this kind of phishing attack.
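The difference between the two MFA methods above can be shown in code. The following is an added example, not code from the original article or from Twilio or Cloudflare: a real-time relay of a TOTP code succeeds because the code carries no information about the site it was typed into, whereas a simplified model of a WebAuthn assertion (signature omitted) fails the relying party’s origin and RP ID checks. The origins, RP IDs, secret and challenge are constructed, hypothetical values.

```python
import hashlib
import hmac
import json
import struct

# Constructed, hypothetical values (not from the incident): the genuine SSO site and a look-alike.
REAL_ORIGIN = "https://sso.example.com"
REAL_RP_ID = "sso.example.com"
PHISH_ORIGIN = "https://sso-okta-example.example"
PHISH_RP_ID = "sso-okta-example.example"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1. Nothing in the code records which site it was typed into."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % (10 ** digits):0{digits}d}"

def verify_totp(secret: bytes, unix_time: int, submitted: str) -> bool:
    return hmac.compare_digest(totp(secret, unix_time), submitted)

def webauthn_assertion(origin: str, rp_id: str, challenge: str) -> dict:
    """Simplified FIDO2 'get' assertion: the browser writes the page's real origin into
    clientDataJSON and the authenticator binds the assertion to the RP ID hash."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin})
    return {"clientDataJSON": client_data, "rpIdHash": hashlib.sha256(rp_id.encode()).digest()}

def verify_webauthn(assertion: dict, challenge: str) -> bool:
    """Relying-party checks taken from the WebAuthn spec: type, challenge, origin, rpIdHash."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != REAL_ORIGIN:
        return False  # the assertion was produced on a different site
    expected = hashlib.sha256(REAL_RP_ID.encode()).digest()
    return hmac.compare_digest(assertion["rpIdHash"], expected)

def relay_totp(secret: bytes, unix_time: int) -> bool:
    """Victim types the TOTP code into the phishing page; it is forwarded within the 30 s step."""
    captured_code = totp(secret, unix_time)
    return verify_totp(secret, unix_time, captured_code)  # the genuine site accepts it

def relay_webauthn(challenge: str) -> bool:
    """Same relay against a security key: the browser only lets the phishing page use its own RP ID
    and records the phishing origin, so the genuine site rejects whatever is forwarded."""
    forwarded = webauthn_assertion(PHISH_ORIGIN, PHISH_RP_ID, challenge)
    return verify_webauthn(forwarded, challenge)
```

The TOTP implementation reproduces the RFC 6238 test vector (secret `12345678901234567890`, time 59 gives `287082` at six digits), so the relay result reflects the real algorithm rather than a toy.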