The hackers who breached Twilio and Cloudflare in early August also infiltrated more than 130 organizations in the same campaign, vacuuming up nearly 10,000 sets of Okta and two-factor authentication (2FA) credentials.
That's according to an investigation by Group-IB, which found that several well-known organizations were among the targets of a massive phishing campaign it calls 0ktapus. The lures were simple, like fake notifications that users needed to reset their passwords. They were sent via text messages with links to static phishing sites that mirror each specific organization's Okta authentication page.
“Despite using low-skill methods, [the group] was able to compromise numerous well-known organizations,” the researchers said in a blog post today. “… carefully planned in advance.”
Such was the case with the Twilio breach that occurred on August 4. The attackers were able to social-engineer several employees into handing over their Okta credentials used for organization-wide single sign-on, allowing them to gain access to internal systems, applications, and customer data. The breach affected some 25 downstream organizations that use Twilio's phone verification and other services, including Signal, which released a statement confirming that the phone numbers of some 1,900 users could have been hijacked in the incident.
The majority of the 130 companies attacked were SaaS and software companies in the US, which isn't surprising given the supply chain nature of the attack.
For example, additional victims of the campaign include email marketing companies Klaviyo and Mailchimp. In both cases, the criminals took the names, addresses, emails, and phone numbers of their cryptocurrency-related customers, including Mailchimp's customer DigitalOcean (which subsequently dropped the provider).
In the case of Cloudflare, some employees fell for the lure, but the attack was thwarted thanks to physical security keys issued to all employees, which are required to access all internal applications.
Lior Yaari, CEO and co-founder of Grip Security, notes that the scope and cause of the breach is still unknown beyond Group-IB's findings, so additional victims may come to light.
“Identifying all users of a SaaS application isn't always easy for a security team, especially where users use their own usernames and passwords,” he warns. “Shadow SaaS discovery isn't a simple problem, but there are solutions that can discover and reset user passwords for shadow SaaS.”
Is it time to rethink IAM?
Overall, the success of the campaign illustrates the problem with relying on humans to detect social engineering and the gaps in existing identity and access management (IAM) approaches.
“The attack demonstrates how fragile IAM is today and why the industry should think about removing the burden of employee logins and passwords that are susceptible to social engineering and sophisticated phishing attack,” says Yaari. “The best proactive remediation effort companies can do is to have users reset all of their passwords, especially Okta.”
The incident also signals that companies increasingly rely on their employees' access to mobile endpoints to be productive in the modern distributed workforce, creating a rich new phishing ground for attackers like the 0ktapus actors, according to Richard Melick, director of threat reporting at Zimperium.
“From phishing to network threats, from malicious apps to compromised devices, it's critical that enterprises acknowledge that the mobile attack surface is the largest unprotected vector to their data and access,” he wrote in an emailed statement.
Twilio Hackers Scarf 10K Okta Credentials in Sprawling Supply Chain Attack