Twilio and Cloudflare are phished
The attacks have been attributed to an unknown sophisticated threat actor
Twilio last week admitted to a breach in which employees were tricked into giving up login credentials that were then used to steal third-party customer data. It described a sophisticated threat actor with deft social engineering skills conducting SMS-based phishing attacks. It did not mention whether the attacker encountered any multi-factor authentication (MFA) roadblocks. Cloudflare also disclosed that it was subjected to a similar attack and that three of its employees fell for the scheme, but that the company’s use of hardware-based MFA keys prevented the would-be intruders from accessing its internal network.
The attacks involved phishing employees with text messages pointing them to a link to what appeared to be a company portal, designed to look like the legitimate sign-in page and hosted on domains that appeared to belong to Cloudflare and Twilio. Using password expiry notifications as the pretext, the attackers tricked employees into logging into the fake web page, then used the credentials and the one-time passwords (OTPs) supplied by the victims to log into the actual site.
The scheme banked on immediately relaying the keyed-in credentials and OTPs to the attacker via the messaging service Telegram so that they could be used to authenticate before the OTP expired. While this method can defeat most two-factor authentication implementations, it fails when phishing-resistant hardware security keys are used, as in the case of Cloudflare: the key’s response is bound to the origin the browser is actually on, so a response produced on a lookalike domain is rejected by the real site.
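The following added example (not code from the article, nor from Twilio or Cloudflare) shows in the relying party’s own verification logic why the relay described above works against a time-based OTP but not against an origin-bound FIDO2/WebAuthn-style assertion. The relying-party id, the legitimate origin, the lookalike origin and the credential secrets are all constructed for illustration, and the authenticator signature is simulated with HMAC over a per-credential secret so the example runs with only the standard library; real hardware keys use asymmetric signatures, but the origin and rpIdHash checks that defeat the relay are the same.

```python
"""Relayed TOTP versus an origin-bound assertion (added example, constructed names)."""
import hashlib
import hmac
import json
import struct
from urllib.parse import urlparse

RP_ID = "sso.example.com"                 # constructed relying-party id (assumption)
LEGIT_ORIGIN = "https://sso.example.com"  # constructed legitimate sign-in origin
PHISH_ORIGIN = "https://sso-example.com"  # constructed lookalike phishing origin


# --- TOTP per RFC 6238 (HOTP per RFC 4226 over a 30-second counter) ----------
def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", at // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_verify(secret: bytes, code: str, at: int, step: int = 30, skew: int = 1) -> bool:
    """Accept the current code and +/- `skew` adjacent steps, as most servers do."""
    return any(hmac.compare_digest(totp(secret, at + d * step, step), code)
               for d in range(-skew, skew + 1))


def relayed_totp_accepted(secret: bytes, typed_at: int, relay_delay: int) -> bool:
    """Victim types the code on the phishing page at `typed_at`; the attacker
    forwards it to the real site `relay_delay` seconds later.  Nothing in a
    6-digit code records where it was typed, so the real site accepts it."""
    code_seen_by_attacker = totp(secret, typed_at)
    return totp_verify(secret, code_seen_by_attacker, typed_at + relay_delay)


# --- Origin-bound assertion in the shape of WebAuthn navigator.credentials.get
def browser_get_assertion(cred_secret: bytes, origin: str, challenge: str) -> dict:
    """The browser, not the user, fills in the origin and derives the RP id
    from it; a page on sso-example.com cannot claim to be sso.example.com."""
    rp_id = urlparse(origin).hostname
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        sort_keys=True).encode()
    # authenticatorData: rpIdHash (32 bytes) | flags (UP set) | signCount
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x00"
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(cred_secret, signed, hashlib.sha256).digest()  # simulated signature
    return {"client_data": client_data, "auth_data": auth_data, "sig": sig}


def rp_verify_assertion(cred_secret: bytes, challenge: str, assertion: dict) -> bool:
    """Relying-party checks: challenge, origin, rpIdHash, then the signature."""
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != LEGIT_ORIGIN:                          # origin binding
        return False
    if assertion["auth_data"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False                                              # rpIdHash binding
    signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(cred_secret, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["sig"])


def relayed_assertion_accepted(cred_secret: bytes, challenge: str) -> bool:
    """Attacker relays the real site's challenge to the phishing page, the
    victim touches the key there, and the attacker forwards the result."""
    assertion = browser_get_assertion(cred_secret, PHISH_ORIGIN, challenge)
    return rp_verify_assertion(cred_secret, challenge, assertion)


def legitimate_assertion_accepted(cred_secret: bytes, challenge: str) -> bool:
    assertion = browser_get_assertion(cred_secret, LEGIT_ORIGIN, challenge)
    return rp_verify_assertion(cred_secret, challenge, assertion)


if __name__ == "__main__":
    seed = b"12345678901234567890"  # RFC 4226 / RFC 6238 test secret
    print("relayed TOTP accepted:     ", relayed_totp_accepted(seed, 1_660_000_000, 8))
    print("relayed assertion accepted:", relayed_assertion_accepted(b"cred-secret", "c0ffee"))
    print("legit assertion accepted:  ", legitimate_assertion_accepted(b"cred-secret", "c0ffee"))
```

The TOTP path accepts the relayed code because the server can only check that the six digits match the current time step, and an eight-second relay is well inside the skew window every server allows. The assertion path fails twice over before the signature is even checked: the browser on the lookalike domain writes that domain into `clientDataJSON.origin`, and it derives the rpIdHash from that domain, so neither matches what the real site expects. That is the property the article credits for Cloudflare's outcome.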
What’s trending in security?
⚠️ Cisco confirmed a breach of its network, resulting in cyberattackers gaining access to the company’s virtual private network (VPN) and the theft of an unspecified number of files from its network. With access established, the attacker then moved through the network by escalating privileges and installed several tools as part of what appears to be pre-ransomware activity. [The Hacker News]
🌀 Tornado Cash became the second cryptocurrency mixer, after Blender.io, to be slapped with sanctions by the U.S. government for playing a central role in helping organized criminal gangs launder the proceeds of crime in a way that cannot be traced by standard blockchain tracking techniques. It’s the latest effort on the part of the Treasury to expose components of the virtual currency ecosystem used by criminal actors to perpetuate illegal acts. Criminals have long used crypto for illicit activities, but financial transactions are recorded on publicly viewable ledgers called blockchains, allowing law enforcement officials to follow the digital trails. Mixing services like Tornado Cash are designed to make that kind of tracking more difficult, and billions of dollars’ worth of cryptocurrency has been laundered through its platform. Tornado Cash is also decentralized, which makes it resistant to law enforcement shutdown. [The Hacker News]
⚡ Researchers have unearthed a new attack framework, called Manjusaka, which they warn is primed for adoption across the threat landscape. The framework has a freely available command-and-control (C2) and extensive credential theft capabilities, and it was developed with the ability to easily create implants with custom configurations. [The Hacker News]
🔑 Thousands of mobile apps are leaking Twitter API keys — some of which give adversaries a way to access or take over the Twitter accounts of users of these applications and assemble a bot army for spreading disinformation, spam, and malware via the social media platform. The issue has to do with how application developers are embedding the authentication credentials within the mobile applications. [The Hacker News]
🔓 SIKE, one of the late-stage cryptosystem candidates for post-quantum encryption, has been cracked trivially in an hour. Quantum-resistant cryptography has become something of a hot topic, given the threat that quantum computers could render current encryption schemes obsolete. While large-scale quantum computers are hypothetical at this point, it’s not a matter of “if” but “when” such computers become a reality and scale enough. [The Hacker News / Ars Technica]
📧 A hacktivist collective named Guacamaya posted more than two terabytes of hacked emails and files from a number of mining companies in Central and South America in an attempt to expose the environmental impacts in the region. [CyberScoop]
💲 Nomad and Solana became the latest cryptocurrency platforms to be breached, resulting in the theft of $156 million and $5.8 million in digital funds, respectively. The Solana hack has been blamed on a private key exploit tied to the mobile software wallet Slope. Two other crypto platforms, Reaper Farms and ZBExchange, are also said to have dealt with multimillion-dollar hacks recently. The development comes as attackers have stolen $2 billion in crypto from cross-chain bridges across 13 hacks so far in 2022, accounting for 69% of total funds stolen, according to Chainalysis. [The Record]
🔝 The top malware strains observed in 2021 include Agent Tesla, AZORult, Formbook, Ursnif, LokiBot, MOUSEISLAND, NanoCore, Qakbot, Remcos, TrickBot, and GootLoader, per the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Australian Cyber Security Centre (ACSC). [CISA]
📰 A collection of 72 news websites operating in the U.S., Europe, Asia, and elsewhere that claim to be independent are part of a massive propaganda effort dubbed “HaiEnergy” to “disseminate content strategically aligned with the political interests of the People’s Republic of China.” The sites are said to be linked to Shanghai Haixun Technology Co., Ltd, a Chinese public relations firm. [Mandiant]
🔍 A prototype of NSO’s Pegasus for Israeli police in 2014 reveals the UI and features, including real-time wiretapping, reading texts, and remote camera control. [Haaretz]
🚩 The U.S. Cybersecurity and Infrastructure Security Agency (CISA) informed organizations of active exploitation of multiple vulnerabilities in Zimbra Collaboration Suite (ZCS), an enterprise cloud-hosted collaboration software and email platform. Chief among them is a security hole tracked as CVE-2022-27924, described as a Memcache injection issue that allows an unauthenticated attacker to steal cleartext credentials from a targeted Zimbra instance without any user interaction. Zimbra says its products are used by more than 200,000 organizations worldwide. [The Hacker News / CISA]
❌ Argishti Khudaverdyan, a former owner of a T-Mobile store, has been found guilty of using 50 employees’ work credentials to unlock “hundreds of thousands of cellphones” from August 2014 to June 2019 to illicitly make $25 million. [U.S. Department of Justice]
🚨 Morocco’s national security authorities apprehended a French national, Sebastien Raoult, who is wanted by the U.S. for his alleged role in the ShinyHunters group. [Morocco World News]
⁉️ A security vulnerability on Twitter allowed a bad actor to find out the account names associated with certain email addresses and phone numbers. The vulnerability, which stemmed from an update the platform made to its code in June 2021, went unnoticed until this January, when Twitter patched the issue after receiving a report through its bug bounty program. But unbeknown to the platform, a threat actor managed to exploit the flaw before the fix was put in place. [The Hacker News]
💰 Speaking of Twitter, former Twitter employee Ahmad Abouammo was found guilty of spying for Saudi Arabia after passing on private user information associated with dissidents of the kingdom in exchange for hundreds of thousands of dollars and a $40,000 luxury watch. [The Hacker News]
💥 An automotive supplier had its systems breached and files encrypted by not one but three different ransomware gangs, LockBit, Hive, and ALPHV/BlackCat, over two weeks between May 1 and May 15, with two of the attacks happening within just two hours of each other. “Because the Hive attack started two hours after Lockbit, the Lockbit ransomware was still running – so both groups kept finding files without the extension signifying that they were encrypted,” Sophos said. [Sophos / SecurityWeek / Decipher]
✅ GitHub partnered with code-signing service Sigstore to add support for signing NPM software packages to help improve the security of open source projects. The development comes as supply chain attacks are becoming increasingly common and malicious packages are being routinely discovered on open source software repositories. [The Hacker News / WIRED]
🍵 How much is your data worth? According to Tim Hortons, not a lot. The Canadian coffee giant proposed offering impacted customers a free hot drink and a baked good as a settlement in class-action lawsuits filed after the company was alleged to have illegally tracked users’ location through its mobile app for over a year to serve targeted ads. The development is part of a continuing trend of third-party apps, including those related to daycare, pregnancy, and reproductive health, collecting sensitive information while lacking strong privacy protections. What’s more, concerns are being raised about connected vehicle and movement data that are gathered by car manufacturers and passed on to other players called “vehicle data hubs.” [Vice / The Markup / Ruhr-Universität Bochum / Mozilla]
📱 A new malware strain called HiddenAds has been found capable of starting on its own after users download one of the affected apps, without the user even launching them. “Most of them are disguising themselves as cleaner apps that delete junk files or help optimize their batteries for device management,” McAfee researchers said. “However, this malware hides and continuously shows advertisements to victims.” Top affected countries include South Korea, Japan, and Brazil. [McAfee]
ℹ️ A new large-scale phishing campaign is abusing Google Sites and Microsoft Azure Web App to create fraudulent lookalike sites with the goal of tricking users into downloading rogue apps designed to siphon cryptocurrency wallet data from Coinbase, MetaMask, Kraken, and Gemini. “These phishing pages are linked from the comment sections of other websites, where the attacker adds multiple links to the phishing pages, likely to boost SEO and drive victims directly to these pages,” according to research. “The main goal of this campaign is to steal cryptocurrency exchange accounts or recovery phrases, which allows the attacker to import existing crypto wallets.” [Netskope]
🍁 Canada’s Royal Canadian Mounted Police admitted to deploying spyware to covertly access the encrypted communications of targets as far back as 2002. “As encryption started to be used by targets that we had judicial authorization to intercept, and we were unable to hear the audio, hear the phone calls or see the messages they were sending, that is when we developed the tool and technique to make it possible to intercept those communications,” RCMP’s Mark Flynn was quoted as saying. [Global News]
🗄️ The past two weeks in data breaches, leaks, and ransomware: 7-Eleven, Advanced, Association of German Chambers of Industry and Commerce, Creos Luxembourg S.A., Encevo, HanesBrands, Klaviyo, MBDA, NetStandard, OneTouchPoint, Semikron, Spanish National Research Council, and Wiseasy.