The Communications company Twilio announced that it suffered another “brief security incident” on June 29, 2022, the attack was conducted by the same threat actor that in August compromised the company and gained access to customers’ and employees’ information.
“Our investigation also led us to conclude that the same malicious actors likely were responsible for a brief security incident that occurred on June 29, 2022. In the June incident, a Twilio employee was socially engineered through voice phishing (or “vishing”) to provide their credentials, and the malicious actor was able to access customer contact information for a limited number of customers.” reads the update to the incident report provided by the company. “The threat actor’s access was identified and eradicated within 12 hours.”
In June, threat actors obtained the credentials of a Twilio employee through a ‘vishing‘ attack, then used it to access customer contact information for a limited number of customers. The company already notified impacted customers on July 2, 2022, at this time the exact number of impacted customers was not revealed.
The unauthorized access was identified and thwarted within 12 hours.
At the end of August, a security firm revealed that the threat actors behind the attacks on Twilio and Cloudflare have been linked to a large-scale phishing campaign that targeted 136 organizations. Most of the victims are organizations providing IT, software development, and cloud services.
The campaign, codenamed 0ktapus, resulted in the compromise of 9,931 accounts, 3120 compromised user credentials with email.
Threat actors behind the 0ktapus campaign aimed at obtaining Okta identity credentials and two-factor authentication (2FA) codes from users of the targeted organizations. Then the attackers could gain unauthorized access to any enterprise resources by using this information.
Experts pointed out that despite using low-skill methods, threat actors were able to compromise a large number of well-known organizations. The experts speculate that the attack was planned carefully in advance because once the attackers compromised an organization they were quickly able to pivot and launch subsequent supply chain attacks.
The threat actors targeted employees of companies that are customers of IAM leader Okta, the attack chain started with text messages sent to the victims containing links to phishing sites that mimicked the Okta authentication page of the respective targeted entities.
Follow me on Twitter: @securityaffairs and Facebook
|[adrotate banner=”9″]||[adrotate banner=”12″]|
(SecurityAffairs – hacking, Twilio)