
More than 130 organisations affected by “inexperienced” Twilio hackers

A thorough investigation revealed sophisticated methods coupled with relatively unsophisticated tooling

A fresh investigation into the phishing campaign that targeted Twilio and Cloudflare in July has revealed that more than 130 organisations had been affected since the initial attack.

Nearly 10,000 user credentials and more than 5,000 multi-factor authentication (MFA) codes were stolen in the campaign, which started in March 2022, primarily from organisations in the software, telecoms, finance, and business services industries.

The investigation launched by Group-IB also showed that most targets were based in the US, although organisations in Canada, various European countries, Costa Rica, and Australia were affected to a lesser extent.

The researchers didn’t share the names of the affected companies, other than those that have already disclosed the attacks, although some are thought to be large and well-known.

All victims were targeted because they were customers of identity and access management provider Okta; imitation Okta authentication sites were used in each attack.

“This case is of interest because despite using low-skill methods it was able to compromise a large number of well-known organisations,” said the researchers in a blog post.

“Furthermore, once the attackers compromised an organisation they were quickly able to pivot and launch subsequent supply chain attacks, indicating that the attack was planned carefully in advance.”

Despite the scale and high degree of planning involved in the phishing campaign, the researchers said the threat actor may have been “inexperienced”, a conclusion drawn from the ‘improperly’ configured phishing kit that was used.


The researchers said they were confused about why the attack chain involved the downloading of remote desktop control software AnyDesk since it wasn’t used anywhere in the hackers’ resulting activity.

Once victims entered their MFA codes into the fake Okta phishing site, the AnyDesk installer would download even though it was never used. The researchers suggested this indicates it was a feature of the phishing kit that was not disabled before the attacks were launched.

The abnormality could also be explained by the phishing kit’s comparative lack of sophistication, the researchers said.

The kit itself didn’t offer the same level of real-time interactivity as more modern, technically advanced kits do, meaning the hackers had to monitor their tools continuously for MFA codes to arrive and then use them manually before they expired.

The information gathered by the phishing tools was sent to an attacker-controlled Telegram channel, which the researchers were able to locate by analysing the phishing site’s Django backend.

The information seen in the channel revealed the nearly 10,000 stolen credentials and showed that the attackers were mainly attempting to access private data, corporate emails, and internal documents.

Only a handful of the total 130+ companies breached in the campaign have revealed the extent of their impact.

Twilio was the first to detail its incident, while Cloudflare, which was attacked at the same time, blogged about how it was able to fend off the attack thanks to its company-wide FIDO2-compliant hardware-based authentication strategy.
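The two paragraphs above describe the same contrast from opposite sides: a one-time code typed into a lookalike page stays valid long enough for an operator to relay it by hand, whereas a FIDO2 assertion is bound to the origin the browser is actually on and is rejected when relayed. The following Python is an added example written for this article, not code from Group-IB, Twilio, Cloudflare or the phishing kit. It implements RFC 6238 TOTP with the standard library and then a deliberately simplified model of a WebAuthn assertion: the "signature" is an HMAC with a per-credential key standing in for the authenticator's asymmetric signature, and the origins, secret (the RFC 6238 test-vector secret), challenge and timestamps are all constructed values.

```python
"""Why relayed OTP codes worked in this campaign but FIDO2 did not (added example)."""
import hashlib
import hmac
import json
import struct

RP_ORIGIN = "https://login.example-corp.com"        # constructed: the real Okta-style login origin
PHISH_ORIGIN = "https://login.example-corp-sso.com"  # constructed: the lookalike phishing origin
TOTP_SECRET = b"12345678901234567890"                # RFC 6238 test-vector secret, not a real one
STEP = 30                                            # seconds per TOTP step


def totp(secret: bytes, at_time: int, step: int = STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the step containing at_time."""
    counter = int(at_time) // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def verify_totp(secret: bytes, code: str, at_time: int, skew: int = 1) -> bool:
    """Accept the current step plus/minus `skew` steps, as most servers do."""
    return any(hmac.compare_digest(totp(secret, at_time + i * STEP), code)
               for i in range(-skew, skew + 1))


def relay_window_demo(t0: int = 1_000_000) -> tuple:
    """Victim types a code into the fake page at t0; the kit forwards it to the
    operator, who replays it against the real site. Returns (quick_ok, late_ok)."""
    stolen = totp(TOTP_SECRET, t0)
    replayed_quickly = verify_totp(TOTP_SECRET, stolen, t0 + 20)   # inside the window: accepted
    replayed_late = verify_totp(TOTP_SECRET, stolen, t0 + 120)     # four steps later: expired
    return replayed_quickly, replayed_late


def authenticator_sign(cred_key: bytes, challenge: str, origin: str) -> tuple:
    """Simplified WebAuthn assertion. The browser, not the page, fills in `origin`,
    so the signed client data records where the user really was. HMAC stands in
    for the authenticator's real asymmetric signature (simplification)."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        sort_keys=True).encode()
    sig = hmac.new(cred_key, hashlib.sha256(client_data).digest(), hashlib.sha256).hexdigest()
    return client_data, sig


def rp_verify(cred_key: bytes, expected_challenge: str, client_data: bytes, sig: str) -> bool:
    """Relying-party checks: type, fresh challenge, expected origin, then signature."""
    data = json.loads(client_data)
    if data.get("type") != "webauthn.get":
        return False
    if data.get("challenge") != expected_challenge:
        return False
    if data.get("origin") != RP_ORIGIN:              # origin binding: the anti-phishing check
        return False
    expected = hmac.new(cred_key, hashlib.sha256(client_data).digest(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)


def fido2_relay_demo() -> tuple:
    """Returns (legit_ok, phished_ok) for a genuine login and a proxied one."""
    cred_key = b"constructed-per-credential-key"
    challenge = "Y29uc3RydWN0ZWQtY2hhbGxlbmdl"       # constructed; real RPs use fresh random bytes
    # Genuine login: browser is on the real origin.
    cd, sig = authenticator_sign(cred_key, challenge, RP_ORIGIN)
    legit_ok = rp_verify(cred_key, challenge, cd, sig)
    # Relay attempt: the kit proxies the real challenge, but the victim's browser
    # embeds the lookalike origin it is actually on, so the RP rejects it. (A real
    # browser would already refuse to produce the assertion, because the RP ID is
    # not a registrable suffix of the phishing origin; the RP check is defence in depth.)
    cd, sig = authenticator_sign(cred_key, challenge, PHISH_ORIGIN)
    phished_ok = rp_verify(cred_key, challenge, cd, sig)
    return legit_ok, phished_ok


if __name__ == "__main__":
    print("TOTP relayed within window / after expiry:", relay_window_demo())
    print("FIDO2 genuine / relayed:", fido2_relay_demo())
```

The TOTP half shows the operational constraint the researchers describe: a stolen code is accepted for at most a step or two, which is why the operators had to watch the Telegram channel and replay codes by hand. The FIDO2 half shows why the same relay fails outright regardless of how fast the operator is, which is the property Cloudflare credited for fending off the attack.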

Secure messaging platform Signal later revealed it believed around 1,900 of its customers were also impacted by Twilio’s breach.

On 8 August, Mailchimp said it was breached as attackers aimed to gather information on cryptocurrency-related companies that use its email platform.

DigitalOcean later realised that some of its customers’ email addresses may have been exposed as a result of Mailchimp’s breach, too.
