The Twilio hack is part of a bigger scheme
More than 130 organizations have been hit as part of a single coordinated campaign
Last month, Twilio revealed it was targeted in a phishing attack that allowed the attackers to steal employee credentials and one-time passwords. Now, it has come to light the attack is just part of a much larger phishing campaign dubbed ‘0ktapus,’ so named after the threat actor’s targeting of Okta identity management login credentials.
To that end, the threat actor cast a much wider net in their phishing expedition, entangling as many as 135 organizations that are customers of SSO provider Okta. In all, the sprawling campaign enabled the actors to steal 9,331 credentials and 5,441 MFA codes. Other confirmed compromised targets include Cloudflare, Klaviyo, MailChimp, Authy, DoorDash, Okta, and Signal, the latter three of which are secondary victims.
It is still unknown how the fraudsters prepared their list of employee phone numbers to target. But it’s suspected that the threat actors started their attacks by hitting mobile operators and telecommunications companies, potentially enabling them to harvest the numbers from those initial attacks.
The findings show that some of the targets like Twilio were just links in a chain that made it possible for the adversary to easily expand in scale and reach. The supply chain threat is yet another indicator of how even a fractional slice of victims can have an outsized value and influence, while also underscoring the need to move away from SMS-based authentication.
What’s trending in security?
⚠️ Details emerged about a now-patched flaw in Titan M chips that could be exploited to achieve code execution. Introduced in 2018, Titan M is a system-on-a-chip (SoC) designed to deliver increased security protections to Pixel devices, including guaranteeing secure boot. The issue, tracked as CVE-2022-20233, was addressed as part of the June 2022 updates. [Quarkslab]
💲 Brazil’s Federal Police carried out eight search and seizure warrants Tuesday as part of an investigation into attacks claimed by the Lapsus$ Group that disrupted the country’s Ministry of Health last December. [The Record]
↘️ A China-linked threat actor dubbed APT31 has been attributed to spear-phishing attacks on Russian companies to deploy a backdoor dubbed YaRAT, which leverages Yandex Disk as a command-and-control (C2) server, marking a rare instance of a foreign hacking group using a Russian cloud storage service to disguise the traffic. The same actor was previously linked to another backdoor called DropboxAES RAT. [Positive Technologies]
🌐 Third-party VPNs for iPhones and iPads routinely fail to route all network traffic through a secure encrypted tunnel after they have been turned on. As a result, sessions and connections established before the VPN is turned on are not terminated as one would expect, and can still transmit data outside the VPN tunnel while it is active, leaving it potentially unencrypted and exposed to ISPs and other parties. Although Apple appears to have been aware of the issue for years, the only workaround is to turn Airplane mode on and off to force all network traffic to be re-established through the VPN tunnel. [Ars Technica]
📲 A new batch of 35 malicious Android apps that display unwanted advertisements was found on the Google Play Store, with the apps installed over two million times on victims’ mobile devices. [Bitdefender]
📧 The Russian nation-state threat actor known as APT29 is targeting organizations responsible for influencing and crafting the foreign policy of NATO countries. Specifically, this entailed disabling a logging feature called Purview Audit (previously Advanced Audit) to harvest emails from Microsoft 365 accounts. “APT29 continues to demonstrate exceptional operational security and evasion tactics,” the researchers said, adding the group continues to develop its technical tradecraft to prevent analysts from discovering and exposing their attack methods. [Mandiant]
🏛️ A state-sponsored advanced persistent threat (APT) actor called APT42 (formerly UNC788) has been attributed to over 30 confirmed espionage attacks against individuals and organizations of strategic interest to the Iranian government since at least 2015. The group’s ability to pivot depending on the intentions of the government highlights the versatility and agility of its operations. [The Hacker News]
⚡ A new cyber espionage campaign targeting U.S., Canadian, and Japanese energy providers has been attributed to the North Korean state-sponsored Lazarus hacking group. Pyongyang has long used stolen funds and the theft of other information to meet its operational goals. It also recently turned its attention to blockchain and cryptocurrency organizations. [The Hacker News]
🎞️ Janet Jackson’s Rhythm Nation music video of 1989 has officially been declared a security vulnerability as it freezes some models of hard drives on older computers. Assigned CVE-2022-38392, the vulnerability is a case of Denial-of-Service (DoS), specifically a side-channel attack that causes hard drives of some laptop PCs from 2005 to malfunction and crash. [Bleeping Computer / The Record]
💵 Denis Mihaqlovic Dubnikov, a 29-year-old Russian national, has been extradited from the Netherlands to the U.S., where he faces charges related to his alleged role in the Ryuk ransomware operation. [SecurityWeek]
📸 Over 80,000 Hikvision cameras have been found vulnerable to a critical command injection flaw that’s easily exploitable via specially crafted messages sent to the vulnerable web server. The flaw, tracked as CVE-2021-36260 (CVSS score: 9.8), was addressed by Hikvision via a firmware update in September 2021. Most of these are located in China (12,690), the U.S. (10,611), Vietnam (7,394), the U.K. (4,834), and Ukraine (3,071). [CYFIRMA]
🔑 The U.S. Federal Bureau of Investigation (FBI) raised an alarm for cybercriminals using proxies and configurations to hide and automate credential stuffing attacks against companies in the U.S. “In particular, media companies and restaurant groups are considered lucrative targets for credential stuffing attacks due to the number of customer accounts, the general demand for their services, and the relative lack of importance users place on these types of accounts,” the agency said. [FBI]
💎 The North Korean advanced persistent threat (APT) Lazarus is casting a wider net as part of its Operation In(ter)ception campaign, deploying a Mac executable camouflaged as a job description for an engineering manager position at the popular cryptocurrency exchange operator Coinbase to drop a backdoor on compromised systems. The attack, which primarily dangles fake job offers as a lure, is the latest in an ongoing barrage of efforts by Lazarus to generate illicit revenue for the sanctions-hit nation. [The Hacker News]
💥 Former members of the Russia-linked Conti ransomware gang are working in cahoots with an initial access broker (IAB) tracked as UAC-0098 to target Ukraine in a series of phishing campaigns that have occurred since the onset of the war. While Conti may have formally disbanded in May following its overt support for Russia, erstwhile members have continued its cybercriminal legacy, remaining as active as ever either as part of other ransomware groups or as independent contractors focused on data theft, extortion, and other criminal endeavors. Another group that has also turned against Ukraine is TrickBot. [The Hacker News]
🔓 Microsoft’s employees were found to have exposed sensitive login credentials to the company’s own infrastructure on GitHub, potentially offering attackers a gateway into internal Microsoft systems. The company has since secured the credentials and stressed it hasn’t seen any evidence the credentials were used improperly. [Vice]
📶 Researchers discovered security flaws in the 5G IoT APIs of 10 mobile carriers around the world that could allow attackers to access data or gain direct access to IoT devices on those networks. “Even an average attacker can easily find a RCE and disrupt the operation of billions of IoT devices that tend to rely on the latest mobile networks,” researchers Altaf Shaik and Shinjo Park said. [Black Hat USA / WIRED]
📍 The U.S. Federal Trade Commission (FTC) on Monday announced it has filed a lawsuit against data broker Kochava for selling geolocation data from “hundreds of millions of mobile devices,” which it says could be used to trace the movements of individuals, including trips to and from sensitive locations. The move signals the agency’s intention to scrutinize the surveillance and data-collection practices of big tech, ad tech companies, and mobile data brokers, whose businesses rely on collecting and reselling data from consumers’ smartphones. The development also comes as the data-broker industry, which gathers, sells or trades location data from mobile phones, is facing mounting pressure from regulators over its handling of personal information. The lawsuit seeks to halt Kochava’s sale of geolocation data and require the company to delete the information it has collected. [The Hacker News]
✒️ Ink containing a type of polymer called oligourethane that can store data has been used to write a letter containing a hidden message in what’s a novel steganographic technique. [New Scientist / Forbes]
🛡️ A now-patched process injection flaw in macOS (CVE-2021-30873) could have been leveraged to escape the sandbox, elevate privileges to root and bypass the filesystem restrictions of System Integrity Protection (SIP), a key defense designed to stop unauthorized code from accessing sensitive files on a Mac. Apple fixed it in October 2021. [Computest Sector 7]
🚨 Threat actors are increasingly developing, advertising, and using bots to automate the theft of one-time passwords (OTPs), making it easier and cheaper for adversaries to bypass OTP protections at scale. “OTP bypass bots typically function by distributing voice calls or SMS messages to targets, requesting the targets to input an OTP, and, if successful, sending the inputted OTP back to the threat actor operating the bot,” researchers said. What’s more, the bots lower the entry barrier for gaining access to OTP-protected accounts. [Recorded Future]
⬆️ In a tit-for-tat attack, the LockBit ransomware operation’s data leak sites were shut down by a DDoS attack demanding that they remove Entrust’s allegedly stolen data. [Bleeping Computer]
📨 A sophisticated, advanced business email compromise (BEC) campaign has been found targeting senior executives at organizations using Microsoft 365 with fraudulent login pages designed to steal their credentials and two-factor authentication (2FA) codes. “Leveraging this unrestricted access, the attackers monitor the victim’s email accounts until a substantial transaction is about to happen, and then send a fraudulent email requesting a change of the destination bank account to an account in control of the attackers, effectively stealing those funds,” researchers noted. [Mitiga]
📰 Australian and Malaysian entities have been targeted as part of a sustained cyber espionage campaign by APT40 that delivers the ScanBox exploitation framework through malicious fake Australian news sites. Each phishing email contained a slightly different URL that led to the same page, indicating the threat actors may have tracked individual victims rather than using a spray-and-pray method. Based on recent evidence from the targeting methods and tools, the 2022 campaign is the third phase of the same intelligence-gathering mission the group has been carrying out since March 2021. [The Hacker News]
📢 A relatively new cyber-espionage group called Worok is using an exclusive and custom arsenal of tools and techniques to compromise companies and governments in Southeast Asia, the Middle East, and southern Africa, with attacks aimed at collecting intelligence from targeted organizations. [The Hacker News]
🎣 A new service called EvilProxy offers threat actors the ability to generate phishing links on the fly that can act as a proxy to trick users into divulging their login credentials and even steal two-factor authentication tokens. The toolset represents an evolution in phishing strategies, offering a pathway to orchestrate campaigns at scale. [The Hacker News]
🚦 Yandex confirmed hackers created a traffic jam in Moscow on September 1 by ordering dozens of taxis from Yandex Taxi to converge on the same location. [Vice]
🚩 An Iranian developer of a previously undocumented remote access trojan named CodeRAT released the malware source code on GitHub. “CodeRAT is using a unique exfiltration and command and control mechanism,” researchers said. “Instead of using a dedicated C2 server, CodeRAT is using a public anonymous file upload API.” [SafeBreach]
🗄️ The past few weeks in data breaches, leaks, and ransomware: Accelya, Portugal’s Armed Forces General Staff, Baker & Taylor, Block, Center Hospitalier Sud Francilien, Damart, Desfa, EdFinancial, Entrust, Gestore dei Servizi Energetici SpA, Dominican Republic’s Instituto Agrario Dominicano, InterContinental Hotels Group, IRS, Argentina’s Judiciary of Córdoba, KeyBank, Los Angeles Unified, MBDA Missile Systems, Nelnet Servicing, North Face, Plex, Samsung, San Francisco 49ers, Sferra Fine Linens, South Staffordshire Water, TAP Air Portugal, and government websites belonging to Chile and Montenegro.