Why the Twilio Breach Cuts So Deep

Cloud communications company Twilio suffered a breach in early August that it said affected 163 of its client organizations. Of Twilio’s 270,000 customers, 0.06% may seem trivial, but the company’s specific role in the digital ecosystem means that that fraction of the victims has unsurpassed value and influence. Secure messaging app Signal, two-factor authentication app Authy, and authentication company Okta are all Twilio customers and were secondary victims of the breach.

Twilio provides application programming interfaces through which companies can automate calling and messaging services. That could mean a system a barber uses to remind customers of a haircut and ask them to text back “Confirm” or “Cancel”. But it can also be the platform through which organizations run the two-factor authentication text messaging systems that send one-time authentication codes. Although it has long been known that SMS is an insecure way to receive these codes, it is definitely better than nothing, and organizations can’t abandon the practice entirely. Even a company like Authy, whose core product is an authentication token generator, uses some of Twilio’s services.

The Twilio attack campaign, by an actor known as “0ktapus” and “Scatter Swine”, is significant because it illustrates that phishing attacks can not only give attackers valuable access to a target network, but can even turn into supply chain attacks in which access to one company’s systems provides a window into its customers’ systems.

“I think this is going to be one of the more complex long-term hacks in history,” said a security engineer, who requested anonymity. “It was a patient attack that was super-widely targeted but still widespread. Create multi-factor authentication, create the world.”

Attackers infiltrated Twilio as part of a massive phishing campaign targeting more than 130 organizations, in which the attackers sent phishing SMS messages to employees at the targeted companies. The texts often purported to come from the company’s IT department or logistics team, and encouraged recipients to click a link and update their password or log in to review schedule changes. Twilio says the malicious URLs contained words like “Twilio,” “Okta,” or “SSO” to make the URL and the landing page it linked to appear more legitimate. The attackers also targeted internet infrastructure company Cloudflare in their campaign, but the company said in early August that it had not been compromised, thanks to restrictions on employee access and the use of physical authentication keys for login.
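As an added example (not part of the original article or Twilio’s tooling), a small detector that scans constructed SMS gateway log lines for links whose hostname carries a brand word such as “twilio”, “okta” or “sso” but does not belong to an allowlisted vendor domain, which is the keyword-in-URL lure the campaign relied on. The allowlist, log format and hostnames are assumptions for illustration.

```python
import re
from urllib.parse import urlparse

# Assumed allowlist of vendor domains where these brand words legitimately appear.
# A real deployment would list its own SSO and vendor domains.
ALLOWED_DOMAINS = {"twilio.com", "okta.com", "cloudflare.com"}
BRAND_WORDS = ("twilio", "okta", "sso")

# Matches bare or scheme-prefixed hostnames with an optional path.
URL_RE = re.compile(r"(?:https?://|www\.)?[a-z0-9.-]+\.[a-z]{2,}(?:/\S*)?", re.I)

# Constructed SMS gateway log lines (not real traffic).
SMS_LOG = [
    "2022-08-04T10:12:01Z from=+15550100 to=+15550123 body='IT: your password expires today, update at https://twilio-sso.example/login'",
    "2022-08-04T10:13:44Z from=+15550101 to=+15550124 body='Schedule change, review at http://okta-help.example/schedule'",
    "2022-08-04T10:15:09Z from=+15550102 to=+15550125 body='Your appointment is tomorrow. Reply Confirm or Cancel.'",
    "2022-08-04T10:16:30Z from=+15550103 to=+15550126 body='Reset your password at https://login.okta.com/reset'",
]


def registrable_domain(host: str) -> str:
    """Last two labels of the hostname. Simplification: ignores multi-label
    public suffixes such as co.uk; use a public-suffix list in production."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_lookalike(url: str) -> bool:
    """True if the host uses a brand word but is not an allowlisted domain.
    Catches both 'okta-help.example' and 'okta.com.example' style hosts."""
    host = urlparse(url if "://" in url else "http://" + url).hostname or ""
    if registrable_domain(host) in ALLOWED_DOMAINS:
        return False
    return any(word in host.lower() for word in BRAND_WORDS)


def flag_smishing(log_lines):
    """Return (line, url) pairs for every lookalike link found in the log."""
    flagged = []
    for line in log_lines:
        for match in URL_RE.finditer(line):
            url = match.group(0).rstrip("'\".,)")  # drop trailing quote/punctuation
            if is_lookalike(url):
                flagged.append((line, url))
    return flagged


if __name__ == "__main__":
    for line, url in flag_smishing(SMS_LOG):
        print("LOOKALIKE", url, "<-", line[:40])
```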

“The biggest takeaway here is the fact that SMS was used as the initial attack vector in this campaign instead of email,” said Crane Hassold, director of threat intelligence at Abnormal Security and former FBI digital behavior analyst. “We are already starting to see more actors leaving email as their original target, and as text message alerts become more common in organizations, it will make these types of phishing messages more successful. Anecdotally, I get text messages from various companies with which I do business all the time, and that was not the case a year ago.”
