We know that the patched security hacks are just temporary, and can be the victim again when there is a way for that with Cybercriminals. Attackers always stay active to get the chance for exploiting vulnerabilities in any organization’s system or software.
A long ago, you heard about Twilio becoming the victim of an adversary’s attack and that was vicious of them to get the best out of tactics to snap Twilio into the whirlpool of traps. Twilio users were relieved when they got the patch and the data was safe until now.
Now! What again? Did something happen to Twilio again? Yeah! Not only Twilio but other companies were also the victim of the familiar threat. So, what’s this threat, and how does it happen to make its way into the database of these companies? Let’s talk about this.
Last Week, Twilio
Disclosed that it was breached by strong and resourced phishers. These people used their access to breach 163 customers’ data.
Security firm Group-IB,
It faced a similar threat incident when Twilio was having issues with data access due to a phishing attack. A total number of at least 136 companies were in similar advanced attacks.
- Twilio-owned Authy
- Password Manager LastPass,
- Food Delivery Network DoorDash
These three companies in recent days were caught in an incident that related to data breaches. It appears that the one who attacked them was using the same technique in each of the attacks.
Authentication service Okta and secure messenger provider Signal,
They both have the same saying as their data was hacked as a result of the Twilio breach. Twilio got into the spotlight again because of this breach. As it doesn’t take only a single company but also includes others in this list.
A total of 136 companies were victimized by the same adversary as Twilio. DoorDash is one of them, a company representative has told TechCrunch.
Jetlag like Situation
Compromising Authy and LastPass in this event is too stressful. That’s because both companies are well established, providing services to a big group of people. Moreover, that big of a data pile is not something to take so carelessly. Let’s see what both companies have to say about it.
“It stores 2FA tokens for 75 million users. Given the passwords, the cybercriminal has already obtained them in previous breaches. These tokens might be the only ones saving more accounts from getting in control of the adversaries.
Related News here:
The adversary utilized its keys to log in to only 93 individual accounts and synced new devices capable of collecting OTPs. The threat is more dangerous depending on the accounts’ users. Authy has since removed suspicious devices from connected accounts.”
The adversary gets unauthorized access via a single victimized developer a/c to portions of the password manager’s development environment. After that, the adversary “took parts of source code and some proprietary LastPass technical data.”
The things that remain untouched were:
- Master passwords,
- Encrypted passwords
- Other data stored in customer accounts,
- Customers’ personal data
There the data of LastPass that was the victim of this attack wasn’t that much confidential. Any breach that involves a major password management provider is risky, related to how much data it keeps.
Scatter Swine came into the spotlight which points out the fact that the one who was involved in the attack-related data breach was none other than Scatter Swine itself. The information that was released due to the event were:
- An undisclosed number of customers
- Their names,
- Email addresses
- Delivery addresses,
- Phone numbers,
- Partial payment card numbers
The threat actor obtained names, phone numbers, and email addresses from an undisclosed number of DoorDash contractors.
Scenario of Attack
In reports, the phishing attack on Twilio was very well-versed and organized with surgical precision. The adversaries had the personal contact info of employees. 1696+ counterfeit domains impersonating Okta and other security providers. Plus, they have the 2FA protection layers that use OTPs.
|The threat actor’s ability to leverage data obtained in one breach to wage supply-chain attacks against the victims’ customers—and its ability to remain undetected since March—demonstrates its resourcefulness and skill.|
This is common for organizations that disclose breaches. After which, in two or more weeks they add some details to the incidents to spread awareness about how the things happened in a sequence. There won’t be any surprise if any more victims come out to alert others.
If we point at the lesson, we learned from this incident then it would be that every 2FA isn’t the same and safe as you consider one for you. The OTPs sent via SMS, or created via authenticator apps are potential enough to get phished as the passwords. This is what makes it possible for adversaries to bypass the last security layer to get to our accounts.
An organization that was on target, but fortunately didn’t become a victim was none other than Cloudflare.
Employees of Cloudflare relied on 2FA with the use of physical keys like Yubikeys. It can’t be phished that easily, and that tags some other FIDO2-compliant forms of 2FA too.
*This post has been rewritten throughout to correct the relationship of the new breaches to the previously disclosed compromise of “Twilio”.
Watch more latest news: