"More Than 130 Organizations Affected by 'Inexperienced' Twilio Hackers"

According to a new investigation into the phishing campaign that targeted Twilio and Cloudflare in July, more than 130 organizations have been affected since the initial attack. In the campaign, which began in March 2022, nearly 10,000 user credentials were stolen, as well as over 5,000 multi-factor authentication (MFA) codes, primarily from the software, telecommunications, finance, and business services industries. The Group-IB investigation also revealed that most targets were based in the US, with Canada, various European countries, Costa Rica, and Australia being less impacted. The researchers did not reveal the names of the affected companies other than those that have already disclosed the attacks, though some are thought to be large and well-known. All victims were targeted because they used the Identity and Access Management (IAM) provider Okta, as each attack used fake Okta authentication sites. This case has garnered much interest because it compromised a large number of well-known organizations despite using low-skill methods. Furthermore, once the attackers gained access to an organization, they were able to quickly pivot and launch subsequent supply chain attacks, indicating that the attack was meticulously planned in advance. Despite the scale and degree of planning involved in the phishing campaign, the researchers concluded that the threat actor was "inexperienced" based on the 'improperly' configured phishing kit used. The researchers were confused as to why the attack chain included downloading the remote desktop control software AnyDesk, which was never used in the hackers' subsequent activity. When victims entered their MFA codes into the fake Okta phishing site, the AnyDesk installer would download. Because it was never used, the researchers suggested that it was a feature of the phishing kit that was not disabled before the attacks were launched.
This article continues to discuss new findings surrounding the phishing campaign that targeted Twilio and Cloudflare.

ITPro reports "More Than 130 Organizations Affected by 'Inexperienced' Twilio Hackers"

Submitted by Anonymous on