Phishers who hit Twilio and Cloudflare stole 10,000 credentials from 136 others

[Image caption: Definitely not a Razer mouse, but you get the idea. Credit: calvio via Getty Images]

Two weeks ago, Twilio and Cloudflare detailed a phishing attack so methodical and well-orchestrated that it caused employees of both companies to reveal their account credentials. In Twilio's case, the attack bypassed its 2FA protection and gave threat actors access to its internal systems. Today, researchers uncovered evidence that the attacks were part of a massive phishing campaign that obtained nearly 10,000 account credentials belonging to 130 organizations.

Based on the disclosures provided by Twilio and Cloudflare, it was already clear that the phishing attacks were executed with near-surgical precision and planning. Somehow, the threat actor had obtained the private phone numbers of employees and, in some cases, their family members. The attackers then sent text messages urging employees to log into what appeared to be their employer's legitimate authentication page.

Within 40 minutes, 76 Cloudflare employees received the text message, which included a domain name registered only 40 minutes earlier, defeating the safeguards the company had put in place to detect sites impersonating its name. The phishers also used a proxy site to perform real-time hijackings, a method that allowed them to capture the one-time passcodes that Twilio used in its 2FA checks and enter them on the real site. Almost immediately, the attackers used their access to Twilio's network to obtain the phone numbers belonging to 1,900 Signal Messenger users.

Unprecedented scale and scope

A report released Thursday by security firm Group-IB says an investigation it conducted on behalf of a client uncovered a much larger campaign. Dubbed "0ktapus", the campaign used the same techniques over the past six months to target 130 organizations and successfully phished 9,931 credentials. The threat actor behind the attacks has amassed no less than 169 unique internet domains to trick its targets. The sites, which included keywords such as "SSO", "VPN", "MFA" and "HELP" in their domain names, were all created using the same previously unknown phishing kit.

"The investigation revealed that these phishing attacks as well as the incidents at Twilio and Cloudflare were links in a chain: a simple but highly effective phishing campaign, unprecedented in its scale and scope, active since at least March 2022," Group-IB researchers wrote. "As the Signal revelations showed, once attackers compromised an organization, they were able to quickly pivot and launch subsequent supply chain attacks."

They continued:

Although the threat actor was lucky in his attacks, it is much more likely that he carefully planned his phishing campaign to launch sophisticated supply chain attacks. It is not yet clear if the attacks were planned from start to finish in advance or if opportunistic actions were taken at every stage. Either way, the 0ktapus campaign has been incredibly successful, and the scale of it might not be known for some time.

Group-IB has not identified any of the compromised companies, except to say that at least 114 of them are located or have a presence in the United States. Most targets provide IT, software development, and cloud services. Okta revealed in a post on Thursday that it was among the victims.

The phishing kit led investigators to a Telegram channel that the threat actors used to bypass 2FA protections that rely on one-time passwords. When a target entered a username and password on the fake site, that information was immediately relayed over the channel to the threat actor, who then entered it on the real site. The fake site would then ask the target to enter the one-time passcode. When the target did so, the code was sent to the attacker, allowing them to enter it on the real site before the code expired.
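Because the kit relays the one-time passcode in real time, OTP-based 2FA alone does not stop this attack; one defender-side control the article points at is spotting the lookalike domains before users reach them. The following is an added example, not code from the article, Group-IB, Cloudflare or Twilio. It scores candidate domains using only two signals the article describes: the kit's habit of combining a brand name with keywords such as SSO, VPN, MFA and HELP, and the very young registration age of the Cloudflare lookalike. The brand list, allowlist, 7-day "young domain" threshold, scoring weights and all sample domain records are constructed assumptions for illustration.

```python
"""Triage candidate phishing domains by the 0ktapus-style naming pattern.

Added example (not from the article or Group-IB). Assumptions, all constructed:
the brand list, the allowlist of legitimate domains, the 7-day "young" window,
the scoring weights and the sample registration records below.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Sequence, Set
import re

# Keywords the article says appeared in the kit's domain names.
KEYWORDS = ("sso", "vpn", "mfa", "help")

# Constructed brand list and allowlist (a real deployment would use its own).
BRANDS = ("cloudflare", "twilio", "okta")
ALLOWLIST: Set[str] = {"cloudflare.com", "twilio.com", "okta.com"}

# Fixed "now" so the example is deterministic (constructed timestamp).
NOW = datetime(2022, 8, 25, 12, 0, tzinfo=timezone.utc)


@dataclass
class DomainRecord:
    name: str
    registered: datetime  # registration time from passive DNS / CT / WHOIS feed


@dataclass
class Finding:
    domain: str
    score: int
    reasons: List[str]


def registrable_label(host: str) -> str:
    """Everything before the last label. Simplification: assumes a single-part
    public suffix (no co.uk-style suffixes)."""
    parts = host.split(".")
    return ".".join(parts[:-1]) if len(parts) > 1 else parts[0]


def score_domain(rec: DomainRecord, brands: Sequence[str], allowlist: Set[str],
                 now: datetime, young: timedelta = timedelta(days=7)) -> Finding:
    host = rec.name.lower().rstrip(".")
    # Legitimate domains and their subdomains never score.
    if host in allowlist or any(host.endswith("." + a) for a in allowlist):
        return Finding(rec.name, 0, ["allowlisted"])

    label = registrable_label(host)
    score, reasons = 0, []

    # Brand match ignores separators, so "cloudflare-okta" and "cloudflareokta" both hit.
    flat = re.sub(r"[^a-z0-9]", "", label)
    for brand in brands:
        if brand in flat:
            score += 3
            reasons.append(f"brand:{brand}")
            break

    # Keyword match on whole tokens, so "helpdesk" does not count as "help".
    tokens = [t for t in re.split(r"[^a-z0-9]+", label) if t]
    for kw in KEYWORDS:
        if kw in tokens:
            score += 2
            reasons.append(f"keyword:{kw}")

    # Very recent registration is the signal that beat Cloudflare's lookalike detection.
    age = now - rec.registered
    if age < young:
        score += 3
        reasons.append(f"age:{int(age.total_seconds() // 60)}min")

    return Finding(rec.name, score, reasons)


def triage(records: Sequence[DomainRecord], brands: Sequence[str], allowlist: Set[str],
           now: datetime, threshold: int = 5) -> List[Finding]:
    """Return findings at or above the threshold, highest score first."""
    findings = [score_domain(r, brands, allowlist, now) for r in records]
    hits = [f for f in findings if f.score >= threshold]
    return sorted(hits, key=lambda f: (-f.score, f.domain))


# Constructed sample feed of newly observed domains.
SAMPLE_RECORDS = [
    DomainRecord("cloudflare-okta.com", NOW - timedelta(minutes=40)),
    DomainRecord("sso-twilio.net", NOW - timedelta(hours=2)),
    DomainRecord("cloudflare.com", NOW - timedelta(days=4000)),
    DomainRecord("helpdesk-portal.org", NOW - timedelta(days=1100)),
    DomainRecord("vpn-example.com", NOW - timedelta(days=30)),
]


def run_demo() -> List[Finding]:
    return triage(SAMPLE_RECORDS, BRANDS, ALLOWLIST, NOW)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f.domain:24} score={f.score} {', '.join(f.reasons)}")
```

In practice the records would come from a certificate-transparency or newly-registered-domain feed, and a hit would feed a web proxy blocklist or a help-desk alert rather than a print statement. Note the limit the article itself illustrates: a domain that is registered and used within the same hour can outrun any feed with a lag of hours, so this check complements, rather than replaces, origin-bound authenticators that a proxy site cannot relay.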

Group-IB's investigation revealed details of one of the channel's admins who uses the pseudonym X. Following this lead led to a Twitter and...
