The hackers who breached Twilio earlier this month were part of a larger campaign that compromised more than 130 organizations, resulting in the theft of close to 10,000 employee credentials.
The Attack on Twilio
Twilio’s recent network intrusion allowed the hackers to access the data of 125 Twilio customers and companies, including the end-to-end encrypted messaging app Signal. The attackers tricked employees into handing over their corporate login credentials and two-factor codes through SMS phishing messages that purported to come from Twilio’s IT department.
The Wider Campaign
Cybersecurity company Group-IB has revealed that the attack on Twilio was part of a wider campaign by a hacking group it’s calling ‘0ktapus,’ a reference to the fact that the hackers predominantly target organizations that use Okta as a single sign-on provider. Group-IB, which launched an investigation after one of its customers was targeted by a linked phishing attack, said in findings shared with TechCrunch that the vast majority of the targeted companies are headquartered in the U.S. or have U.S.-based staff.
The Scale of the Campaign
Group-IB’s findings indicate that the attackers have stolen at least 9,931 user credentials since March. More than half of these credentials contain captured multi-factor authentication codes used to access a company’s network. Roberto Martinez, a senior threat intelligence analyst at Group-IB, noted that "on many occasions, there are images, fonts or scripts that are unique enough that they can be used to identify phishing websites designed with the same phishing kit."
The Phishing Kit
Group-IB discovered that the phishing kit reused an image legitimately served by sites that rely on Okta authentication. Martinez explained that "once we located a copy of the phishing kit, we started digging deeper to get a better understanding of the threat. The analysis of the phishing kit revealed that it was poorly configured and the way it had been developed provided an ability to extract stolen credentials for further analysis."
How the Hackers Obtained Phone Numbers
While it’s still not known how the hackers obtained phone numbers and the names of employees who were then sent SMS phishing messages, Group-IB notes that the attacker first targeted mobile operators and telecommunications companies. It’s possible that they collected the numbers from those initial attacks.
The Victims
Group-IB wouldn’t disclose the names of any of the corporate victims but said the list includes "well-known organizations," most of which provide IT, software development, and cloud services. A breakdown of the victims shared with TechCrunch shows that the threat actors also targeted 13 organizations in the finance industry, seven retail giants, and two video game organizations.
The Telegram Bot
During its investigation, Group-IB discovered that the attackers used a Telegram bot to send SMS phishing messages. Martinez noted that "the use of a Telegram bot is a relatively new tactic, but it’s becoming increasingly common for attackers to use messaging apps as a means of communication."
Conclusion
The breach on Twilio and the subsequent investigation have revealed a wider campaign by the hacking group ‘0ktapus.’ The attack highlights the importance of cybersecurity measures and the need for organizations to be vigilant against phishing attacks. As Martinez noted, "the use of a phishing kit is becoming increasingly sophisticated, and it’s essential that organizations are aware of these tactics to protect themselves from these types of attacks."