A large-scale phishing attack was recently launched against employees at Twilio, a global cloud-based communications and infrastructure company. Phishing text messages were sent to employees, impersonating Twilio’s IT department, with the aim of harvesting employee credentials. These stolen credentials were used to access internal systems, resulting in a breach of confidentiality in which the data in multiple customer accounts was accessed. Twilio first became aware of this breach on 4th August 2022 and published an incident report within the same week, where they stated that a “limited” number of accounts were affected. However, the situation continued to develop, and by the end of August it was revealed that this attack affected not just Twilio customer accounts, but has also been linked to those using Authy (Twilio’s 2FA service), DoorDash, and Okta (hence the nickname: 0ktapus)  

 

The original phishing messages were sent to Twilio employees via SMS, from U.S carrier networks, and the threat actors seemed to be able to match employee phone numbers with their names, in a sophisticated social engineering attack. The messages adopted one of two scams, either claiming to contain a notification from Twilio’s IT department about their password expiring, or notifying them of a schedule change, which they would need to log in to view. Each message contained a URL that the employee would be tricked into clicking. These included key words such as “Twilio,” “Okta,” and “SSO” in order to appear more genuine. The links lead to a malicious landing page which was designed to impersonate Twilio’s login page, where employee credentials were then harvested by the threat actors. 

 

When this attack was first noticed, Twilio worked alongside the SMS carriers and website hosting providers to prevent the sending of these messages and shut down the spoofed web pages. However, the threat actors were able to continue their attack by switching the  carriers and web hosts they were using. This development led to Twilio describing their attackers as “well-organized, sophisticated and methodical in their actions” in their security incident report. Since then, the previously unknown threat actors have been given the name ‘Scatter Swine’, and have been identified as responsible for multiple persistent phishing campaigns, codenamed 0ktapus, targeting technology companies such as Cloudflare, MailChimp, and Klaviyo. Global cybersecurity provider Group-IB have researched the Scatter Swine/0ktapus attacks, and produced a detailed technical blog post, which includes a list of the Indicators of Compromise (IOCs) for this attack. 

 

The attack begins with employees being sent a phishing SMS, with a link to a malicious site. The victim then enters not only their credentials on this fraudulent site, but also any multi-factor authentication (MFA) codes that are needed to proceed with the usual login. Entering an MFA code on the phishing site forces the browser to automatically download AnyDesk.exe which is a remote administration tool. The downloaded version is a legitimate copy of this tool, however researchers have not identified why this was included in the attack. Because the phishing message was sent via SMS, it is likely that the victims would access the link on their mobile phones. This stage of the attack process does not seem to be targeting mobile devices as it involves a remote desktop tool, which Group-IB suggest could mean the threat actors behind this attack are inexperienced.  

 

The phishing site then uses a Telegram bot embedded in the site code to send the captured login credentials and MFA code via a dedicated Telegram channel to the threat actors, who can then use these to access the employee’s account. As the MFA code is only valid for a short period of time, the attackers will have needed to use these stolen credentials as soon as they were received. The threat actors now have the ability to steal data from the company and their customer accounts. They will also attempt to elevate the privilege of their access if possible, in order to obtain even more sensitive data. The gathered information is then exfiltrated and delivered to the threat actors.  

 

It is thought that the main targets behind these attacks were not the customer accounts, but the company themselves. Twilio report that once the attackers had access to their systems, they targeted private data, corporate emails, and internal documents. This information could be used for business intelligence purposes, be sold to competitors, or be held for ransom in a future attack on the same victim. Other targets included financial companies with crypto assets, so money may have also been a motivator for these attacks. Because the first few companies attacked were mobile operators or telecommunications companies it is thought that the mobile numbers of the victims in the later attacks could have been obtained in these initial attacks. This implies 0ktapus is a sophisticated supply chain attack. 

 

Organisations can mitigate the chances of suffering a similar attack by ensuring all employees receive comprehensive training to identify and report phishing attacks. Users should always carefully check the URL on any page they are entering their credentials to confirm it is legitimate. This is especially important for uses with highly privileged accounts. Organisations can reduce the number of these accounts by enforcing a policy of least privilege, where employees are given the minimum access necessary to complete their daily tasks, and highly privileged accounts are not used for other work activities, such as reading emails. Security of MFA can also be increased through the use of physical tokens, such as FIDO2 security keys, for passwordless authentication which is considered to be resistant to phishing attacks. Cloudflare reports that their employees were targeted in the same campaign, but because they use physical tokens not TOTP (Time-based One Time Passwords) delivered by SMS, their employees accounts were protected against this kind of phishing attack.