- The threat actor behind the Aug. 4 phishing attack against Twilio gained access to the phone numbers and text messages containing one-time passwords of multiple Okta customers. Okta, in an update last week, disclosed it was one of the 163 Twilio customers impacted by the attack.
- Once the threat actor gained access to Twilio’s internal systems, they performed searches in Twilio’s administrative portal for messages sent using Okta’s Twilio account. “The threat actor specifically searched for 38 unique phone numbers in the Twilio console, nearly all of which can be linked to a single targeted organization,” Okta wrote in its blog post.
- Twilio notified Okta that “unspecified data” was exposed four days after it first became aware of the attack. Okta rerouted text message communications to another provider after it was informed of the compromise.
The phishing attack against Twilio continues to unravel, as more victims are discovered and come forward with details about various levels of exposure. The incident bears the markings of a persistent and sophisticated campaign that engulfed IT service providers, which can lead the threat actor to additional downstream targets.
The threat actor exploited usernames and passwords stolen in previous phishing campaigns to trigger text-message authentication processes, and used its access to Twilio’s systems to search for one-time passwords sent as a result of those two-factor authentication requests, according to Okta.
A “small number” of customers were notified about the potential impact, and Okta emphasized the one-time passwords expire after five minutes.
Okta investigated internal system logs provided by Twilio and determined primary and secondary customer data was exposed during the attack. This included phone numbers belonging to Okta customers the threat actor searched for directly, and “incidental” phone numbers that were subsequently exposed but not specifically targeted by the threat actor.
The threat actor took no action to intentionally access the incidental phone numbers, and did not target or use that exposed data belonging to Okta customers, according to Okta. The company said Okta usernames are not visible in Twilio logs.
Okta, which refers to the persistent phishing campaign as “Scatter Swine” instead of the “Oktapus” moniker dubbed by cybersecurity vendor Group-IB, said the threat actor targeted multiple technology companies for months.
The adversary, which first initiated the attacks in March, has compromised almost 10,000 user credentials across 136 organizations, according to Group-IB. This includes text message phishing attacks that allowed it to steal Okta identity credentials and authentication codes, the researchers said.
While Okta admits some phone numbers and one-time passwords have been exposed, it asserts no accounts were accessed by the threat actor.
“Scatter Swine has directly targeted Okta via phishing campaigns on several occasions but was unable to access accounts due to the strong authentication policies that protect access to our applications,” Okta said.
Okta earlier this year initially denied then later admitted it was breached by the extortion group Lapsus$. The group gained access to Okta data through a third-party vendor then published screenshots to boast of the exploit and goad Okta’s response.
Okta detailed many of Scatter Swine’s tactics, techniques and procedures to help other organizations with threat hunting activities.
The threat actor sometimes calls targeted individuals and impersonates support in a bid to understand how authentication works, according to Okta. Targets thus far include technology companies, telecommunications providers and organizations or individuals linked to cryptocurrency.