The communication company Twilio suffered a breach in early August that it says affected 163 of its customer organizations. Of Twilio’s 270,000 customers, 0.06 percent may seem trivial, but the company’s particular role in the digital ecosystem meant that this fractional portion of victims had outsized value and influence. Secure messaging app Signal, two-factor authentication app Authy, and authentication company Okta are all Twilio customers that were secondary victims of the breach.
Twilio provides application programming interfaces through which businesses can automate calling and texting services. This could mean a system that a barber uses to remind customers about haircuts and have them text back “Confirm” or “Cancel.” But it can also be the platform through which organizations manage their two-factor authentication text messaging systems to send one-time authentication codes. SMS has long been known to be an insecure way to receive these codes, and a compromise of the provider that sends them, which is what happened here, is one of the reasons why. Still, it is definitely better than nothing, and organizations haven’t been able to get away from the practice entirely. Even a company like Authy, whose main product is an authentication code generation app, uses some of Twilio’s services.
The Twilio hacking campaign, by an actor who has gone by the names “0ktapus” and “Scatter Swine,” is significant because it illustrates that phishing attacks can not only give attackers valuable access to a target’s network but can also initiate supply chain attacks, in which access to a company’s systems provides a window into those of its customers.
“I think this will go down as one of the most sophisticated long-form hacks in history,” said a security engineer who asked not to be named because his employer contracts with Twilio. “It was a patient hack that was very targeted but broad. Pwn multifactor authentication, pwn the world.”
The attackers compromised Twilio as part of a massive but personalized phishing campaign against more than 130 organizations in which the attackers sent phishing SMS text messages to employees of the targeted companies. The texts often claimed to be from a company’s IT department or logistics team and prompted recipients to click a link and update their password or log in to review a schedule change. Twilio says the malicious URLs contained words like “Twilio,” “Okta” or “SSO” to make the URL and the malicious landing page it linked to appear more legitimate. The attackers also targeted Internet infrastructure company Cloudflare in their campaign, but the company said in early August that it was not compromised, because of its limits on employee access and its use of physical authentication keys (hardware security keys, which only work on the genuine login page) for logins.
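The lookalike-URL pattern Twilio describes above, where a brand name or “SSO” is placed somewhere in a link on a domain the attacker controls, is something a security team can check for in SMS-gateway or click logs. The following is an added example written for this piece, not code from Twilio, Cloudflare or the article; the allowlist of legitimate domains, the sample messages and the helper names (extract_urls, classify_url, scan_messages) are all constructed for illustration, and a real deployment would load its own domain list and use the Public Suffix List rather than the naive “last two labels” rule used here.

```python
"""Flag SMS links that borrow an identity-provider brand on a stranger's domain.

Added example (not from the article or from Twilio/Cloudflare). The
keywords follow the article; the allowlist, messages and function
names are assumptions made for the demonstration.
"""
import re
from urllib.parse import urlparse

# Words the phisher puts in the URL to make it look like an SSO/IdP page.
IMPERSONATED_KEYWORDS = ("twilio", "okta", "sso")

# Registrable domains that are genuinely allowed to use those words.
# Assumption for the example; load your own list in production.
LEGITIMATE_DOMAINS = {"twilio.com", "okta.com", "example-corp.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Boundary-aware so "associates.example.net" does not match "sso".
KEYWORD_RE = re.compile(
    r"(?<![a-z0-9])(" + "|".join(IMPERSONATED_KEYWORDS) + r")(?![a-z0-9])"
)


def extract_urls(text):
    """Pull http(s) URLs out of an SMS body, dropping trailing punctuation."""
    return [u.rstrip(".,;:!?)") for u in URL_RE.findall(text)]


def registrable_domain(hostname):
    """Naive eTLD+1: last two labels. Good enough for .com/.net demos;
    use the Public Suffix List for co.uk-style suffixes."""
    labels = hostname.rstrip(".").split(".")
    return hostname if len(labels) < 2 else ".".join(labels[-2:])


def classify_url(url):
    """Return (verdict, reason). urlparse().hostname already lowercases
    and strips any user@ prefix, so 'sso.okta.com@evil.net' is judged
    on evil.net, not on the decoy in front of the @."""
    host = urlparse(url).hostname or ""
    if not host:
        return ("unparseable", "no hostname")
    domain = registrable_domain(host)
    if domain in LEGITIMATE_DOMAINS:
        return ("allowed", f"{domain} is allowlisted")
    keywords = sorted(set(KEYWORD_RE.findall(url.lower())))
    if keywords:
        return ("suspicious",
                f"{', '.join(keywords)} used on non-allowlisted domain {domain}")
    return ("benign", f"no impersonated brand on {domain}")


def scan_messages(messages):
    """Run every URL in every message through classify_url."""
    findings = []
    for msg in messages:
        for url in extract_urls(msg):
            verdict, reason = classify_url(url)
            findings.append((url, verdict, reason))
    return findings


# Constructed sample messages modelled on the lures the article describes.
SAMPLE_MESSAGES = [
    "IT dept: your Twilio password expires today. Reset it at https://twilio-sso.com/login",
    "Logistics: a schedule change needs your review, sign in at http://okta.com.schedule-update.net/sso now",
    "Security: re-verify your account at https://sso.okta.com@update-portal.net/login.",
    "Your Okta verification code is 123456",  # no link, nothing to flag
    "Sign in at https://login.okta.com/app/home",
    "Meeting notes: https://docs.example-corp.com/notes",
    "Partner portal: https://associates.example.net/",
]

if __name__ == "__main__":
    for url, verdict, reason in scan_messages(SAMPLE_MESSAGES):
        print(f"{verdict:11} {url}  ({reason})")
```

The third sample shows why the check must run on the parsed hostname rather than on the raw string: the legitimate-looking “sso.okta.com” is userinfo, and the browser would actually connect to update-portal.net. A hit from this check is a reason to pull the message and the landing page, not proof of phishing on its own, since a vendor or contractor may legitimately mention a brand in a path.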
“The biggest point here is the fact that SMS was used as the initial attack vector in this campaign rather than email,” says Crane Hassold, director of threat intelligence at Abnormal Security and former FBI Digital Behavior Analyst. “We’ve started to see more actors move away from email as initial targeting and as text message alerts become more common in organizations, it will make these types of phishing messages more successful. Anecdotally, I get text messages from different companies that I do business with all the time now, and that wasn’t the case a year ago.”