More than 130 organisations affected by “inexperienced” Twilio hackers


A fresh investigation into the phishing campaign that targeted Twilio and Cloudflare in July has revealed that more than 130 organisations had been affected since the initial attack.

Nearly 10,000 user credentials were stolen in the campaign, which started in March 2022, as well as more than 5,000 multi-factor authentication (MFA) codes, primarily across the software, telecoms, finance, and business services industries.

The investigation launched by Group-IB also showed that most targets were based in the US, although Canada, various European countries, Costa Rica, and Australia were affected in a smaller way.

The researchers didn’t share the names of the affected companies, other than those that have already disclosed the attacks, although some are thought to be large and well-known.

All victims were targeted because they were customers of identity and access management provider Okta; imitation Okta authentication sites were used in each attack.

“This case is of interest because despite using low-skill methods it was able to compromise a large number of well-known organisations,” said the researchers in a blog post.

“Furthermore, once the attackers compromised an organisation they were quickly able to pivot and launch subsequent supply chain attacks, indicating that the attack was planned carefully in advance.”

Despite the scale and high degree of planning involved in the phishing campaign, the researchers said the threat actor may have been “inexperienced”, a conclusion based on the ‘improperly’ configured phishing kit that was used.


The researchers said they were confused about why the attack chain involved the downloading of remote desktop control software AnyDesk since it wasn’t used anywhere in the hackers’ resulting activity.

Once victims had entered their MFA codes into the fake Okta phishing site, the AnyDesk installer would download, although it was never used. The researchers suggested this indicates it was a feature of the phishing kit that was not disabled before the attacks were launched.

The abnormality could also be explained by the phishing kit’s comparative lack of sophistication, the researchers said.

The kit itself didn’t offer the same level of real-time interactivity as more modern, technically advanced kits do, meaning the hackers had to continuously monitor their tools for the MFA codes to come in and use them manually before they expired.

The information gathered by the phishing tools was sent to an attacker-controlled Telegram channel, which the researchers were able to locate by analysing the phishing site’s Django backend.

The information seen in the channel revealed the nearly 10,000 stolen credentials and showed that the attackers were mainly attempting to access private data, corporate emails, and internal documents.

Only a handful of the total 130+ companies breached in the campaign have revealed the extent of their impact.

Twilio was the first to detail its incident, while Cloudflare, which was attacked at the same time, blogged about how it was able to fend off the attack thanks to its company-wide FIDO2-compliant hardware-based authentication strategy.
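Why a manually relayed MFA code works against a look-alike Okta page while a FIDO2 assertion does not, as an added simulation that is not code from the article, Group-IB or Cloudflare. The hostnames and secrets are placeholders, and an HMAC stands in for the authenticator's asymmetric signature; the origin-binding check is what matters.

```python
"""Constructed simulation: a relayed TOTP code passes the real site's check,
an origin-bound FIDO2 assertion made on a look-alike page does not."""
import hashlib, hmac, json, os, struct

REAL_ORIGIN = "https://login.example-corp.okta.com"   # placeholder RP origin
PHISH_ORIGIN = "https://example-corp-okta.com"        # placeholder look-alike
RP_ID = "example-corp.okta.com"                       # placeholder rpId

def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, i.e. what the victim's authenticator app shows."""
    mac = hmac.new(secret, struct.pack(">Q", t // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

def rp_verify_totp(secret: bytes, submitted: str, t: int) -> bool:
    """The real site cannot tell who typed the code, or on which page it was typed."""
    return hmac.compare_digest(submitted, totp(secret, t))

def fido2_assert(cred_key: bytes, challenge: bytes, browser_origin: str) -> dict:
    """The browser, not the page, fills in the origin; the authenticator signs over it.
    (A real browser would refuse the request outright if RP_ID did not match the origin.)"""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": browser_origin}, sort_keys=True).encode()
    rp_id_hash = hashlib.sha256(RP_ID.encode()).digest()
    signed = rp_id_hash + hashlib.sha256(client_data).digest()
    return {"client_data": client_data, "rp_id_hash": rp_id_hash,
            "sig": hmac.new(cred_key, signed, hashlib.sha256).digest()}  # HMAC stand-in

def rp_verify_fido2(cred_key: bytes, challenge: bytes, assertion: dict) -> bool:
    """Relying party checks type, challenge, origin and rpIdHash, then the signature."""
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge.hex():
        return False
    if cd.get("origin") != REAL_ORIGIN:               # a relayed assertion fails here
        return False
    if assertion["rp_id_hash"] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    signed = assertion["rp_id_hash"] + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(cred_key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["sig"])

def relay_outcomes(totp_secret: bytes, cred_key: bytes, t: int = 1_660_000_000) -> dict:
    """Victim is on PHISH_ORIGIN; the kit forwards whatever it captures to the real site."""
    challenge = os.urandom(32)  # issued by the real site, forwarded to the victim by the kit
    relayed = fido2_assert(cred_key, challenge, PHISH_ORIGIN)
    genuine = fido2_assert(cred_key, challenge, REAL_ORIGIN)
    return {"totp_relay_accepted": rp_verify_totp(totp_secret, totp(totp_secret, t), t),
            "fido2_relay_accepted": rp_verify_fido2(cred_key, challenge, relayed),
            "fido2_genuine_accepted": rp_verify_fido2(cred_key, challenge, genuine)}
```

The TOTP branch also shows why the kit had to be watched constantly: the code is only valid for the current 30-second step.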

Secure messaging platform Signal later revealed it believed around 1,900 of its customers were also impacted by Twilio’s breach.

On 8 August, Mailchimp said it was breached as attackers aimed to gather information on cryptocurrency-related companies that use its email platform.

DigitalOcean later realised that some of its customers’ email addresses may have been exposed as a result of Mailchimp’s breach, too.

Connor Jones
News and Analysis Editor

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.