
Twilio, Cloudflare Attacked in Campaign That Hit Over 130 Organizations

The attacks disclosed recently by Twilio and Cloudflare were part of a massive phishing campaign that targeted at least 130 other organizations, according to cybersecurity company Group-IB.

Enterprise communications firm Twilio and web security company Cloudflare reported earlier this month that their employees had fallen for SMS-based phishing messages whose goal was to trick them into handing over their credentials.

Twilio said the attackers were successful in obtaining employee credentials, which they used to access internal systems and customer data. In an update shared on August 24, Twilio said the incident impacted 163 of its 270,000 customers, as well as 93 of the 75 million individual Authy users.

Authy is Twilio’s two-factor authentication (2FA) solution, and the attackers registered additional devices to the compromised Authy accounts.

Secure communications firm Signal was one of the impacted Twilio customers. The company said 1,900 of its users were impacted by the incident, with the attackers attempting to re-register these users’ phone numbers to new devices.

Cloudflare admitted that some of its employees fell for the phishing attempts, but said the attackers could not get past its 2FA, which relies on physical security keys.

[Image: Cloudflare phishing by 0ktapus]

According to Group-IB, these attacks were part of a massive phishing campaign that has been active since at least March 2022. The company said on Thursday that the attackers have managed to compromise nearly 10,000 accounts at more than 130 organizations.

The campaign is tracked by Group-IB as 0ktapus, a name chosen because the attackers mainly targeted Okta identity service credentials. In addition to Okta credentials, they were looking to obtain 2FA codes.

The hackers sent phishing SMS messages to the targeted organizations’ employees in an effort to lure them to fake Okta login pages. Once the credentials were harvested, the threat actor used them to access internal systems and sensitive customer data.
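The two paragraphs above and Cloudflare's statement describe the same fork in the road: a password and a one-time code typed into a lookalike Okta page can simply be forwarded to the real identity provider inside the code's validity window, while a security key signs over the origin the browser is actually on, so a forwarded assertion is rejected. The following is an added illustration written for this article, not code from Group-IB, Twilio, Cloudflare or Okta. Every origin, user name, password and secret in it is constructed, HMAC stands in for the authenticator's public-key signature, and the `IdentityProvider`, `SecurityKey` and `totp` names are hypothetical.

```python
"""Toy model of the phishing flow from a defender's view: a lookalike login page
harvests a password and a one-time code, which the attacker relays to the real
identity provider. The same relay fails against a WebAuthn-style security key
because the assertion is bound to the origin the victim's browser saw.
All origins, users and secrets below are constructed for the example."""
import hashlib
import hmac
import json
import secrets
import struct

LEGIT_ORIGIN = "https://sso.example.com"   # constructed: the real login origin
PHISH_ORIGIN = "https://sso-example.com"   # constructed: attacker's lookalike domain


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1. A code stays valid for the whole 30-second
    window, which is what gives a relaying attacker time to reuse it."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return str(code).zfill(digits)


class SecurityKey:
    """Stand-in for a FIDO2 authenticator. The browser, not the user, supplies the
    origin, so a victim on a phishing page cannot make the key sign for LEGIT_ORIGIN.
    HMAC with a per-credential secret replaces the real public-key signature."""

    def __init__(self) -> None:
        self.secret = secrets.token_bytes(32)

    def sign(self, browser_origin: str, challenge: str) -> dict:
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": browser_origin},
            sort_keys=True,
        )
        sig = hmac.new(self.secret, client_data.encode(), hashlib.sha256).hexdigest()
        return {"client_data_json": client_data, "signature": sig}


class IdentityProvider:
    """Minimal IdP accepting either password+TOTP or a WebAuthn-style assertion."""

    def __init__(self) -> None:
        self.passwords: dict[str, str] = {}
        self.totp_secrets: dict[str, bytes] = {}
        self.key_secrets: dict[str, bytes] = {}

    def enroll(self, user: str, password: str, totp_secret: bytes, key: SecurityKey) -> None:
        self.passwords[user] = password
        self.totp_secrets[user] = totp_secret
        self.key_secrets[user] = key.secret  # a real IdP stores the public key instead

    def new_challenge(self) -> str:
        return secrets.token_hex(16)

    def login_password_totp(self, user: str, password: str, code: str, now: int) -> bool:
        # Nothing here ties the submitted values to the page the user typed them into.
        pw_ok = hmac.compare_digest(self.passwords[user], password)
        code_ok = hmac.compare_digest(totp(self.totp_secrets[user], now), code)
        return pw_ok and code_ok

    def login_webauthn(self, user: str, challenge: str, assertion: dict) -> bool:
        client_data = json.loads(assertion["client_data_json"])
        if client_data.get("type") != "webauthn.get":
            return False
        if client_data.get("origin") != LEGIT_ORIGIN:  # origin binding defeats the relay
            return False
        if client_data.get("challenge") != challenge:  # challenge binding defeats replay
            return False
        expected = hmac.new(
            self.key_secrets[user], assertion["client_data_json"].encode(), hashlib.sha256
        ).hexdigest()
        return hmac.compare_digest(expected, assertion["signature"])


def setup() -> tuple[IdentityProvider, SecurityKey, bytes]:
    idp, key, totp_secret = IdentityProvider(), SecurityKey(), b"constructed-totp-seed"
    idp.enroll("alice", "constructed-password", totp_secret, key)
    return idp, key, totp_secret


def relayed_totp_login(now: int = 1_700_000_000) -> bool:
    """Victim enters password and current code on the lookalike page; the attacker
    submits both to the real IdP a few seconds later, inside the same TOTP window."""
    idp, _key, totp_secret = setup()
    harvested_password, harvested_code = "constructed-password", totp(totp_secret, now)
    return idp.login_password_totp("alice", harvested_password, harvested_code, now + 5)


def relayed_webauthn_login() -> bool:
    """The relay forwards the real challenge, but the victim's browser is on
    PHISH_ORIGIN, so that is the origin the key signs over."""
    idp, key, _ = setup()
    challenge = idp.new_challenge()
    return idp.login_webauthn("alice", challenge, key.sign(PHISH_ORIGIN, challenge))


def legitimate_webauthn_login() -> bool:
    idp, key, _ = setup()
    challenge = idp.new_challenge()
    return idp.login_webauthn("alice", challenge, key.sign(LEGIT_ORIGIN, challenge))


if __name__ == "__main__":
    print("relayed password+TOTP accepted:", relayed_totp_login())        # True
    print("relayed WebAuthn accepted:", relayed_webauthn_login())         # False
    print("legitimate WebAuthn accepted:", legitimate_webauthn_login())   # True
```

The model deliberately leaves out the second layer of protection a real security key adds: the credential is scoped to the relying party's domain, so a genuine authenticator would not even produce an assertion for the lookalike origin. The origin check shown here is the one the identity provider performs on whatever it does receive, and it is the reason Cloudflare's employees could be phished for credentials without the attackers getting a session.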

Group-IB says it’s unclear how the employee phone numbers were obtained, but it believes the attackers also targeted mobile operators and telecoms companies to achieve this goal.

The stolen data is sent by the phishing pages to a Telegram channel controlled by the attacker. On this channel, researchers discovered 9,931 credentials, including 3,129 records with emails and 5,441 with 2FA codes.

An analysis of the data revealed 136 victim organizations, including 114 in the United States. The other victims appear to be spread across dozens of other countries. Many victims are in the software, telecom, business services, and finance sectors.

“Seeing financial companies in the compromised list gives us the idea that the attackers were also trying to steal money. Furthermore, some of the targeted companies provide access to crypto assets and markets, whereas others develop investment tools,” Group-IB said in a blog post.

“Based on recent news about hacked Signal accounts, we can assume the fraudsters may try to get access to private conversations and data. That information can be used as business intelligence and resold to the victim’s competitors or could be used to ransom a victim,” it added.

Group-IB also suggested that the recently disclosed breaches at marketing companies Mailchimp and Klaviyo were supply chain attacks launched as part of the 0ktapus campaign.

The cybersecurity firm has also examined clues pointing to the identity of the threat actor, which led it to an individual whose social media accounts suggested he was based in the US, specifically in North Carolina. The individual’s identity has not been made public, but Group-IB has previously helped authorities identify cybercriminals, so it’s likely that the company has shared its findings with law enforcement.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.