Twilio hackers breached over 130 organizations throughout months-long hacking spree – TechCrunch



The hackers that breached Twilio earlier this month also compromised more than 130 other organizations during their hacking spree, which netted the credentials of close to 10,000 employees.

Twilio’s recent network intrusion allowed the hackers to access the data of 125 Twilio customers and companies — including end-to-end encrypted messaging app Signal — after tricking employees into handing over their corporate login credentials and two-factor codes via SMS phishing messages that purported to come from Twilio’s IT department. At the time, TechCrunch learned of phishing pages impersonating other companies, including a U.S. internet company, an IT outsourcing company and a customer support provider, but the scale of the campaign remained unclear.

Now, cybersecurity company Group-IB says the attack on Twilio was part of a wider campaign by the hacking group it is calling “0ktapus,” a reference to how the hackers predominantly target organizations that use Okta as a single sign-on provider.

Group-IB, which launched an investigation after one of its customers was targeted by a linked phishing attack, said in findings shared with TechCrunch that the vast majority of the targeted companies are headquartered in the U.S. or have U.S.-based staff. The attackers have stolen at least 9,931 user credentials since March, according to Group-IB’s findings, with more than half containing captured multi-factor authentication codes used to access a company’s network.

“On many occasions, there are images, fonts, or scripts that are unique enough that they can be used to identify phishing websites designed with the same phishing kit,” Roberto Martinez, a senior threat intelligence analyst at Group-IB, told TechCrunch. “In this case, we found an image that is legitimately used by sites leveraging Okta authentication being used by the phishing kit.”

“Once we located a copy of the phishing kit, we started digging deeper to get a better understanding of the threat. The analysis of the phishing kit revealed that it was poorly configured and the way it had been developed provided an ability to extract stolen credentials for further analysis,” said Martinez.

While it is still not known how the hackers obtained the phone numbers and names of the employees who were then sent SMS phishing messages, Group-IB notes that the attacker first targeted mobile operators and telecommunications companies and “could have collected the numbers from those initial attacks.”

Group-IB would not disclose the names of any of the corporate victims but said the list includes “well-known organizations,” most of which provide IT, software development and cloud services. A breakdown of the victims shared with TechCrunch shows that the threat actors also targeted 13 organizations in the finance industry, seven retail giants, and two video game organizations.

During its investigation, Group-IB discovered that code in the hackers’ phishing kit revealed configuration details of the Telegram bot that the attackers used to drop compromised data. (Cloudflare first revealed the hackers’ use of Telegram.) Group-IB identified one of the Telegram group’s administrators, who goes by the handle “X,” whose GitHub and Twitter handles suggest they may reside in North Carolina.

Group-IB says it is not yet clear whether the attacks were planned end-to-end in advance or whether opportunistic actions were taken at each stage. “Regardless, the 0ktapus campaign has been incredibly successful, and the full scale of it may not be known for some time,” the company added.

The Moscow-founded startup Group-IB was co-founded by Ilya Sachkov, who was the company’s chief executive until September 2021, when Sachkov was detained in Russia on charges of treason after allegedly passing classified information to an unnamed foreign government, claims Sachkov denies. Group-IB, which has since moved its headquarters to Singapore, maintains the co-founder’s innocence.