The latest revelation on the phishing campaign to compromise Twilio employees’ login accounts is a reminder that multifactor authentication for protecting logins can be bypassed if the systems behind it aren’t secure.
Twilio is a service that acts as a bridge between the internet and phone networks. It can, for example, help product purchasers communicate with customer support through email, text, and phone messages. Used by many major companies, it’s an ideal target for a supply chain attack by threat actors to get into the IT systems of its customers.
The evidence comes in a summary from identity and access provider Okta of how it was caught up in the Twilio phishing scam earlier this month. Some of Twilio’s customers use Okta for multifactor authentication. Among other things, the report shows that IT and security leaders have to think carefully before trusting SMS text-based two-factor authentication to protect their systems from being hacked.
In the report Okta acknowledged that a “small number” of mobile phone numbers of Twilio customers, as well as SMS messages with one-time passwords for 2FA codes sent to those devices, were accessible to the threat actor who got into Twilio employees’ consoles earlier this month.
It isn’t known how many people’s logins were compromised by the attacker’s ability to see their 2FA codes. Okta notes that a one-time passcode is valid for only five minutes.
Okta offers customers a number of options for two-factor and multifactor authentication. Cybersecurity experts agree that SMS-based authentication is better than none. But they also say app-based authentication — like Google Authenticator, Twilio’s Authy, Microsoft Authenticator or Cisco Systems’ Duo — is more secure from being intercepted.
However, the security of any solution depends on its entire process. The proof: Twilio has acknowledged that in the August phishing campaign the hackers accessed the accounts of 93 individual Authy users. Using that access, the hackers registered mobile devices they owned on those compromised accounts, so they were able to receive any Authy 2FA codes sent until Twilio cut them off.
In its report last week, Okta said on August 8th Twilio notified it that a number of Twilio customer accounts and internal applications were accessed after some of its staff fell for text-based phishing scams. These messages convinced the Twilio employees to click on a link to re-confirm their corporate access. That led to the downloading of malware on their devices.
Using Twilio logs, Okta’s defensive cyber operations team realized that two categories of Okta-relevant mobile phone numbers and one-time passwords were viewable during the time in which the attacker had access to the Twilio console. One group consisted of 38 mobile phone numbers the threat actor searched for directly in the Twilio console. The hacker used credentials previously stolen in phishing campaigns to trigger SMS-based MFA challenges, and used access to Twilio systems to search for one-time passwords sent in response to those challenges.
The second category of exposed mobile phone numbers was what Okta calls “incidental” to this activity — meaning they may have been present in the Twilio portal during the threat actor’s “limited activity window.” Okta doesn’t believe the hacker targeted or used those mobile phone numbers.
Okta says the threat actor involved in this attack has been seen in other phishing campaigns, and has been dubbed “Scatter Swine.” It has directly targeted Okta in phishing campaigns on several occasions without success, the company said.
This threat actor sends phishing lures in bulk to individuals in targeted organizations via text messages on their smartphones. Sometimes repeated MFA push messages are sent to employees, hoping they will authenticate a message just to stop the annoying texts. “We are aware of multiple instances where hundreds of messages were sent to employees and even to family members of employees,” adds the report. “The threat actor likely harvests mobile phone numbers from commercially available data aggregation services that link phone numbers to employees at specific organizations.” It also calls targeted individuals and impersonates IT support trying to understand how authentication works in the targeted organization.
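The push-fatigue pattern the report describes, many MFA challenges fired at one employee until one is finally approved, is something an identity provider's own log can surface. The following is an added example, not code from Okta, Twilio or the report: a Python sketch that reads a few constructed authentication log lines in a hypothetical `user=... factor=... event=...` format, flags any user who receives five or more challenges inside a ten-minute sliding window, and records whether a challenge was approved after the burst, which is the outcome an alert should escalate on.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from Okta or Twilio); the line format is
# hypothetical. alice is hit with a burst of push challenges and eventually
# approves one; bob and carol show ordinary, isolated challenges.
SAMPLE_LOG = """\
2022-08-08T09:58:10Z user=alice factor=push event=challenge.sent
2022-08-08T09:58:40Z user=alice factor=push event=challenge.denied
2022-08-08T09:59:05Z user=alice factor=push event=challenge.sent
2022-08-08T09:59:50Z user=alice factor=push event=challenge.sent
2022-08-08T10:00:30Z user=alice factor=push event=challenge.sent
2022-08-08T10:01:10Z user=alice factor=push event=challenge.sent
2022-08-08T10:01:45Z user=alice factor=push event=challenge.sent
2022-08-08T10:02:05Z user=alice factor=push event=challenge.approved
2022-08-08T10:05:00Z user=bob factor=sms event=challenge.sent
2022-08-08T10:05:20Z user=bob factor=sms event=challenge.approved
2022-08-08T11:30:00Z user=carol factor=sms event=challenge.sent
2022-08-08T11:45:00Z user=carol factor=sms event=challenge.sent
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) factor=(?P<factor>\S+) event=(?P<event>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "user": m["user"],
        "factor": m["factor"],
        "event": m["event"],
    }


def find_mfa_bursts(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {user: alert} for every user who received `threshold` or more
    MFA challenges inside any sliding `window`. The alert carries the peak
    number of challenges seen in the window and whether a challenge was
    approved after the burst began."""
    recent = defaultdict(deque)   # user -> challenge timestamps still inside the window
    burst_started = {}            # user -> time the burst was first detected
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        user, ts, event = rec["user"], rec["ts"], rec["event"]
        if event == "challenge.sent":
            q = recent[user]
            q.append(ts)
            while q and ts - q[0] > window:   # drop challenges older than the window
                q.popleft()
            if len(q) >= threshold and user not in burst_started:
                burst_started[user] = ts
                alerts[user] = {
                    "challenges": len(q),
                    "factor": rec["factor"],
                    "approved_after_burst": False,
                }
            elif user in alerts:
                alerts[user]["challenges"] = max(alerts[user]["challenges"], len(q))
        elif event == "challenge.approved" and user in burst_started:
            # The attacker's goal: the worn-down user finally accepts a prompt.
            alerts[user]["approved_after_burst"] = True
    return alerts


if __name__ == "__main__":
    for user, alert in find_mfa_bursts(SAMPLE_LOG.splitlines()).items():
        print(user, alert)
```

The threshold and window are tuning knobs; in a real pipeline they would be set from the organization's own baseline of challenges per user, and an approval that follows a burst is the case worth paging on, since it may mean the account is already in use by someone else.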
Cybersecurity expert Roger Grimes has repeatedly warned IT leaders that MFA solutions aren’t iron-clad and can be bypassed under certain conditions.
Okta says organizations should consider using strong authenticators with the most phishing-resistant properties, such as WebAuthn, U2F keys (such as YubiKeys) and smart cards. They should also train users to identify indicators of suspicious emails, phishing sites, and common social engineering techniques used by attackers.
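To make "phishing-resistant" concrete for WebAuthn and U2F, here is an added illustration that is not the page's or any vendor's code. It is a simplified model of a WebAuthn assertion: the browser records the origin it is actually displaying in clientDataJSON, the authenticator signs the relying-party ID hash together with the hash of that clientDataJSON, and the relying party checks challenge, origin, rpIdHash and signature in that order. HMAC stands in for the authenticator's real signature, and the hostnames, key and challenge values are constructed. An assertion produced on a look-alike site fails the origin check, which is precisely what an SMS or app-generated one-time passcode cannot enforce, because nothing ties the six digits to the site the user typed them into.

```python
import hashlib
import hmac
import json
import secrets

# Simplified model of a WebAuthn assertion (added illustration, not a real
# implementation). HMAC stands in for the authenticator's signature; the data
# layout follows the real flow: signedData = rpIdHash || SHA-256(clientDataJSON),
# where clientDataJSON carries the server challenge and the browser's origin.


def sha256(data):
    return hashlib.sha256(data).digest()


def browser_sign(cred_key, rp_id, origin, challenge):
    """The browser builds clientDataJSON from the origin it is really showing;
    page script cannot override it. The authenticator then signs
    rpIdHash || hash(clientDataJSON) with the credential's private key."""
    client_data_json = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        sort_keys=True,
    ).encode()
    auth_data = sha256(rp_id.encode())          # rpIdHash (flags/counter omitted)
    to_sign = auth_data + sha256(client_data_json)
    signature = hmac.new(cred_key, to_sign, hashlib.sha256).digest()
    return {"client_data_json": client_data_json,
            "auth_data": auth_data,
            "signature": signature}


def rp_verify(cred_key, rp_id, allowed_origin, issued_challenge, assertion):
    """Relying-party checks, returning (accepted, reason)."""
    client_data = json.loads(assertion["client_data_json"])
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != issued_challenge:
        return False, "challenge mismatch (stale or replayed assertion)"
    if client_data.get("origin") != allowed_origin:
        return False, "origin %r not accepted" % client_data.get("origin")
    if assertion["auth_data"] != sha256(rp_id.encode()):
        return False, "rpIdHash mismatch"
    to_sign = assertion["auth_data"] + sha256(assertion["client_data_json"])
    expected = hmac.new(cred_key, to_sign, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


# Constructed values for the demonstration.
RP_ID = "example.com"
REAL_ORIGIN = "https://login.example.com"
PHISH_ORIGIN = "https://login-example.co"   # constructed look-alike hostname


def scenario_legitimate(cred_key, challenge):
    assertion = browser_sign(cred_key, RP_ID, REAL_ORIGIN, challenge)
    return rp_verify(cred_key, RP_ID, REAL_ORIGIN, challenge, assertion)


def scenario_relayed_through_lookalike_site(cred_key, challenge):
    # The real site's challenge reaches the victim, but the victim's browser
    # is on the look-alike origin and records that origin in clientDataJSON.
    assertion = browser_sign(cred_key, RP_ID, PHISH_ORIGIN, challenge)
    return rp_verify(cred_key, RP_ID, REAL_ORIGIN, challenge, assertion)


def scenario_replayed_old_assertion(cred_key, old_challenge, new_challenge):
    # An assertion captured from an earlier login is presented against a
    # freshly issued challenge.
    assertion = browser_sign(cred_key, RP_ID, REAL_ORIGIN, old_challenge)
    return rp_verify(cred_key, RP_ID, REAL_ORIGIN, new_challenge, assertion)


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    c1, c2 = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    print("legitimate:", scenario_legitimate(key, c1))
    print("relayed:   ", scenario_relayed_through_lookalike_site(key, c1))
    print("replayed:  ", scenario_replayed_old_assertion(key, c1, c2))
```

The point of the model is the order of checks: the origin and challenge are inside the signed data, so a relying party never reaches the signature check for an assertion made on the wrong site or against an old challenge. A one-time passcode has no such field to check, which is why the article's recommendation to move to WebAuthn, U2F keys or smart cards addresses the relay problem rather than just raising the bar on it.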
Employees should also be warned of the risks of publishing their contact details on the internet.