Posted on October 31, 2022 at 8:41 AM
U.S. communications service provider Twilio recently disclosed that it suffered another cyber attack carried out by the same threat actors behind the August hack that led to the unauthorized access of customers’ data. Twilio said the breach occurred on June 29, 2022, two months before the well-documented one in August. But this one was brief and was thwarted quickly.
Twilio explained that in the June incident, the hackers used social engineering techniques on the company’s employees to gain unauthorized access. After the employee provided the login credentials, the criminals were able to gain access to customer contact information for a limited number of customers.
Additionally, the access the threat actors gained after the attack was blocked after 12 hours, and impacted customers were alerted on July 12, 2022.
However, the firm didn’t mention the exact number of customers that were affected by the breach, and why it decided to disclose the incident four months after it occurred.
The August Attack Affected 163 Customers
The San Francisco-based company reported that 163 customers and 93 Authy users were affected by the breach on August 24. Twilio has more than 270,000 customers, but only a few of them were affected. “209 customers had accounts that were impacted by the incident,” Twilio said.
The company says its Authy two-factor authentication (2FA) service has about 75 million total users. Twilio provides personalized customer engagement software to its customers. It assured customers that the console account credentials of Twilio customers were not accessed.
Twilio Has Strengthened Its Security Apparatus
Twilio also announced that it is putting several things in place as a way of protecting the company against future attacks. The firm noted that it is distributing FIDO2-compliant hardware security keys to all employees for added protection. It is also carrying out compulsory security training for employees as well as implementing additional layers of control within its VPN.
According to Twilio, the attack on its systems has been linked to a threat group tracked by Group-IB and Okta, with the name Scatter Swine or 0ktapus. The group is part of a wider and more comprehensive hacking campaign against educational, financial, telecom, and software companies.
The Hackers Had Access Through Employee’s Device
According to the report, attacking chains include the mobile phone numbers of the employees. After identifying their phone numbers, the threat actors call the numbers or send fraudulent SMSes to deceive the employees into clicking on fake login pages. Once the employees follow their request, the hackers proceed to harvest the credentials the employees have entered for later use. The credentials are then analyzed and used to login into the main company’s website.
This is the typical process of a credential harvesting attack where the threat actor finds a way to exploit the targeted company through an employee.
The Threat Actor Had Access Through Administrative Portals
After revealing that the hackers had access on August 7, Twilio stated that the hackers maintained access to the environment for two more days. “The last observed unauthorized activity in our environment was on August 9, 2022,” the firm added.
Once in the system, Twilio said the threat actors had access to customer data via administrative portals, and accessed codes, as well as Authy 2FA, accounts. Twilio also noted that the attackers also tried to get temporary tokens by registering their own devices.
Cloudflare Security System Blocked The Attackers
Twilio was not the only company the attackers targeted in the attack. About 136 organizations are estimated to have been targeted, including Signal, DigitlOcean, MailChimp, Cloudflare, Okta, and Klaviyo.
Cloudflare also disclosed that it suffered a similar SMS phishing attack where its employees’ credentials were stolen. But the company said the threat actors did not succeed in breaching its systems. The hackers’ login attempts were blocked by the FIDO2-compliant hardware security keys. Twilio said following the breaches in June and August, it decided to reset the credentials of all the affected employee accounts. It has also distributed FIDO tokens to all employees.
The credential attack is another reason why organizations need to be very serious about employee education on cybersecurity. Most threat actors usually go through employees in a phishing attack to gain access to the company’s data. On that note, organizations have been asked to ensure proper education of their employees when it comes to protecting their data and credentials online.