0ktapus/‘Scatter Swine’ Hacking Gang Stole 10,000 Corp Logins via Twilio

More on the Twilio débâcle from earlier this month: Researchers reveal the hackers swiped at least 9,931 user credentials from more than 130 organizations.

It looks like their aim was to launch software supply chain attacks. But the researchers called the techniques “low-skill,” which rather gives the lie to Twilio’s defense of “a sophisticated social engineering attack.”

And what’s with the silly names? 0ktapus? Scatter Swine? In today’s SB Blogwatch, we dream of eight-legged pigs.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Tiny dead wasp noms.

Stop SMS 2FA Already

What’s the craic? Carly Page reports—“Twilio hackers breached over 130 organizations”:

0ktapus
The hackers that breached Twilio earlier this month also compromised more than 130 organizations during their hacking spree that netted the credentials of close to 10,000 employees [says] Group-IB. … While it’s still not known how the hackers obtained phone numbers and the names of employees who were then sent SMS phishing messages … the attacker first targeted mobile operators and telecommunications companies.

The attackers have stolen at least 9,931 user credentials since March. … It’s not yet clear if the attacks were planned end-to-end in advance or whether opportunistic actions were taken at each stage.

The attack on Twilio was part of a wider campaign by the hacking group … “0ktapus,” a reference to how the hackers predominantly target organizations that use Okta as a single sign-on provider.

Any other silly names? Ask Ionut Ilascu—“Okta one-time MFA passcodes exposed”:

Scatter Swine
Okta provides its customers with multiple forms of authentication for services, including temporary codes delivered over SMS through Twilio. With access to the Twilio console, the threat actor could see mobile phone numbers and OTPs belonging to Okta customers … (an OTP code remains valid for no more than five minutes). … Using Twilio’s administrative portals … the intruder searched for 38 phone numbers, almost all of them associated with one organization, indicating interest in gaining access to that client’s network.

[They] also called targeted employees (and even their family members) to learn about the authentication process at their company, pretending to be from support. … Defending against elaborate social engineering attacks targeting 2FA codes is not easy. The general recommendation is to pay attention to indicators of suspicious emails and phishing sites. Security experts also suggest using a FIDO-compliant security key (U2F).

Over the past months, Okta observed the threat actor deploy multiple phishing campaigns to target multiple technology companies, and assigned it the name Scatter Swine.

What else did Group-IB say? Roberto Martinez and Rustam Mirkasymov cook up a page—“Roasting 0ktapus”:

MFA can appear secure but …
Our client was only one of several well-known organizations that were targeted in a massive phishing campaign codenamed 0ktapus. … The initial objective of the attackers was clear: obtain Okta identity credentials and two-factor authentication (2FA) codes from users of the targeted organizations.

Despite using low-skill methods it was able to compromise a large number of well-known organizations … located mostly in the United States. … Most companies in the victims’ list are providing IT, software development, and cloud services. … Once the attackers compromised an organization they were quickly able to pivot and launch subsequent supply chain attacks.

Security measures such as MFA can appear secure but it is clear that attackers can overcome them with relatively simple tools. … Always check—carefully—the URL. … If in doubt, forward them to your security team for analysis. … Implement a FIDO2-compliant security key. … If you think your credentials might have been compromised, immediately change your password, sign off from all active sessions, and report the incident.

And Okta? The mysterious Defensive Cyber Operations team blog—“Detecting Scatter Swine”:

Defense in depth
In recent months, a number of technology companies were subject to persistent phishing campaigns by a threat actor we refer to as “Scatter Swine.” … Twilio provides one of two services Okta leverages for customers that choose to use SMS as an authentication factor.

[Our] analysis established that … Okta-relevant mobile phone numbers and one-time passwords were viewable during the time in which the attacker had access to the Twilio console. … The threat actor likely harvests mobile phone numbers from commercially available data aggregation services that link phone numbers to employees at specific organizations. … The accent of the threat actor appears to be North American, confident and clearly spoken.

We recommend that customers embrace a “defense in depth” approach to protecting user accounts from phishing attacks. Use strong authenticators [and] train users to identify indicators of suspicious emails, phishing sites and common social engineering techniques.

Why do services still rely on SMS 2FA? latteland simply despairs:

We know from other endless attacks, it’s not that hard to steal people’s phone numbers and text messages by getting the phone companies to register a new SIM on your account with a fake request. All the sites that are set to use … SMS are actually major attack vectors.

But Otis B. Dilroy III blames anyone relying on services such as Okta and Twilio:

When are people going to learn? When you outsource any part of your corporate effort, you are buying from vendors whose sole interest in your organization is as a profit center.

This means:
They hire the cheapest employees they can get and treat them like ****.
No corner is left uncut.
The contract that you have to sign, if truly read and interpreted, removes them from virtually all legal liability.
They are as sloppy as they can get in terms of security, customer service, and honesty.
They will monetize any information which they can extract from your organization as a matter of policy.

Do the users share responsibility? Yes, but Norman Nescio blames the email clients:

Yes, anyone with any nous knows not to click on links in emails. … But email clients encourage you to click links, because they render HTML emails, and your muscle memory from using web-browsers is that clicking links is safe. … People will click on them and get phished. It is not a people problem, it is a technical problem.

The email clients should not allow links to be clicked in emails. Doing so should give a pop-up saying that clicking links in emails is highly inadvisable, and preventing follow through.

And what’s all this about strong authenticators and FIDO2? SeanJW explains:

The attack bypassed … 2FA, as that can just be MITM’d and forwarded fine. Hardware keys using something like FIDO/Webauthn can’t be bypassed that way as the fake domain doesn’t match what the hardware key setup is configured for.

Meanwhile, this Anonymous Coward translates Okta’s and Twilio’s PR:

“Don’t look at us! We didn’t do nuffink wrong! Look at them evil bogeymen rampaging through our poor downtrodden networks! Not our fault we didn’t secure nuffink!”

And Finally:

Wait. Figs aren’t vegan?

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: A.S. Packard (public domain)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
