
Okta’s one-time MFA credentials exposed to hackers because of the Twilio hack

The recent Twilio attack exposed client mobile phone numbers and SMS messages, including one-time passwords (OTPs), according to an announcement made this week by Okta, a provider of identity and access management. Twilio, a provider of business communications services, said at the beginning of August that it had been breached after an employee fell for a phishing scheme and gave their login credentials to a knowledgeable threat actor.
As a result of the breach, information belonging to 163 Twilio customers was accessible to the attackers; the secure communications firm Signal and Okta have already reported being impacted. Twilio was targeted as part of an extensive campaign that also encompassed more than 130 other targets and the online security provider Cloudflare. The cybersecurity company Group-IB has named the campaign 0ktapus. The food delivery firm DoorDash was also affected.

According to Okta, which calls the threat actor behind these attacks Scatter Swine, it is typical to see “Scatter Swine continually targeting the same organizations with multiple phishing sites within a matter of hours.” Okta says it has seen the adversary’s phishing infrastructure in operation. The company says that during the Twilio attack, a small number of mobile phone numbers and SMS messages containing OTPs, which are only valid for five minutes, could have been accessed. According to the company, all impacted consumers have been notified.

Other exposed phone numbers were merely “incidental” to the operation, but the threat actor specifically searched the Twilio console for particular phone numbers. According to Okta, “the threat actor searched for 38 different phone numbers on the Twilio dashboard, practically all of which may be connected to a single targeted organization.”

Okta says that the threat actor most likely used compromised credentials to trigger SMS-based MFA challenges and then used their access to the Twilio interface to look for the OTPs sent in those challenges.

This conduct led to the second set of compromised mobile phone numbers. According to Okta, phone numbers that might have been on the Twilio website within the threat actor’s confined activity window are referred to as incidental in this situation.

When performing searches in the console, the threat actor could look through a list of the 50 most recent messages sent with Okta’s Twilio account. The company says that it has no proof that the intruder used or targeted these phone numbers or any other information made available via the Twilio administration website. Okta has released details on the tactics, techniques, and procedures (TTPs) used by Scatter Swine, including their use of infrastructure provided by Bitlaunch and of the domain name registrars Namecheap or Porkbun. The threat actor used phishing to directly attack Okta.
