The threat actor behind the Twilio hack used their access to steal one-time passwords (OTPs) delivered over SMS from customers of Okta identity and access management company.
Okta provides its customers with multiple forms of authentication for services, including temporary codes delivered over SMS through Twilio.
With access to the Twilio console, the threat actor could see mobile phone numbers and OTPs belonging to Okta customers.
Using Twilio to search for OTPs
On August 4, cloud communications company Twilio discovered that an unauthorized party gained access to its systems and information belonging to its customers.
At the time, one of the services Okta used for customers opting for SMS as an authentication factor was provided by Twilio.
On August 8, Okta learned that the Twilio hack exposed “unspecified data relevant to Okta” and started to route SMS-based communication through a different provider.
Using internal system logs from Twilio’s security team, Okta was able to determine that the threat actor had access to phone numbers and OTP codes belonging to its customers.
“Using these logs, Okta’s Defensive Cyber Operations’ analysis established that two categories of Okta-relevant mobile phone numbers and one-time passwords were viewable during the time in which the attacker had access to the Twilio console” – Okta
The company notes that an OTP code remains valid for no more than five minutes.
When it comes to the threat actor’s activity in the Twilio console regarding its customers, Okta distinguishes between “targeted” and “incidental exposure” of phone numbers.
The company says that the intruder searched for 38 phone numbers, almost all of them associated with one organization, indicating interest in gaining access to that client’s network.
“We assess that the threat actor used credentials (usernames and passwords) previously stolen in phishing campaigns to trigger SMS-based MFA challenges, and used access to Twilio systems to search for One Time Passwords sent in those challenges” – Okta
The threat actor searched for the 38 Okta-related phone numbers using Twilio’s administrative portals, which showed the most recent 50 messages delivered through Okta’s Twilio account.
This means that hackers could see a larger number of phone numbers. However, Okta’s investigation revealed that the intruder did not use these mobile phone numbers.
An update from Twilio earlier this week revealed that the hacker accessed Authy 2FA accounts and registered their devices to obtain the temporary tokens.
The larger picture
Over the past months, Okta observed the threat actor deploy multiple phishing campaigns to target multiple technology companies, and assigned it the name Scatter Swine.
Scatter Swine is the same adversary behind the 0ktapus phishing campaign reported by cybersecurity company Group-IB, which chose that name because the campaign's goal was to nab Okta identity credentials and two-factor authentication (2FA) codes.
The actor has stolen close to 1,000 logins to get access to corporate networks by sending employees of targeted companies an SMS with a link to a phishing site impersonating an Okta authentication page for the victim organization.
Okta says that Scatter Swine/0ktapus likely uses commercial data aggregation services to collect mobile phone numbers belonging to employees of technology companies, telecommunications providers, and individuals linked to cryptocurrency.
A typical 0ktapus attack starts with an SMS to a targeted employee delivering a link to a phishing site that asks for corporate credentials and then for the 2FA codes.
All the data is delivered to a Telegram account, which led Group-IB on a trail to an individual who may be based in North Carolina in the U.S. and who also has Twitter and GitHub accounts.
In its report this week, Okta notes that apart from delivering SMS phishing in bulk (hundreds of messages), Scatter Swine also called targeted employees (and even their family members) to learn about the authentication process at their company, pretending to be from support.
“The accent of the threat actor appears to be North American, confident and clearly spoken” – Okta
Mitigating 0ktapus attacks
Defending against elaborate social engineering attacks targeting 2FA codes is not easy. The general recommendation is to pay attention to indicators of suspicious emails and phishing sites. Security experts also suggest using a FIDO-compliant security key (U2F).
Implementing authentication policies that restrict user access based on prerequisites tailored to the customer, along with alerts when a user’s sign-in process deviates from a previously recorded pattern, can also help surface malicious attempts.
Additionally, Okta advises the following:
Use Network Zones to deny or perform step-up authentication on requests from rarely-used networks and anonymizing proxies
Restrict access to applications to only registered devices or devices managed by endpoint management tools
Restrict access to the most sensitive applications and data using application-specific authentication policies
For customers that want to look for Scatter Swine SMS events (e.g. authentication challenges, password resets or factor enrollment events), Okta has provided a system log query that reveals new devices and network locations for a particular user.
Okta’s report also provides more refined queries that allow customers to check if the messages came through Twilio.
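As an added illustration of the detection idea behind that query (this is not Okta's own query or code), the Python below walks a set of Okta System Log-style events in time order and flags SMS OTP challenges sent to a user from a client the user has never logged in from, plus repeated challenges inside the five-minute OTP validity window. The field layout and the system.sms.send_factor_verify_message event type are assumptions about Okta's log format, and the events are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed Okta System Log event type emitted when an SMS OTP challenge is sent.
SMS_CHALLENGE = "system.sms.send_factor_verify_message"
OTP_VALIDITY = timedelta(minutes=5)  # OTP lifetime as stated in Okta's report

# Constructed sample events in a simplified Okta System Log shape (not real data).
SAMPLE_EVENTS = [
    {"published": "2022-08-03T09:00:00Z", "eventType": "user.session.start",
     "actor": {"alternateId": "alice@example.com"},
     "client": {"ipAddress": "203.0.113.10", "device": "Computer"}},
    {"published": "2022-08-03T09:00:05Z", "eventType": SMS_CHALLENGE,
     "actor": {"alternateId": "alice@example.com"},
     "client": {"ipAddress": "203.0.113.10", "device": "Computer"}},
    # Next day: two challenges for the same user from a never-seen client,
    # the pattern a stolen password plus an intercepted OTP would produce.
    {"published": "2022-08-04T14:10:00Z", "eventType": SMS_CHALLENGE,
     "actor": {"alternateId": "alice@example.com"},
     "client": {"ipAddress": "198.51.100.77", "device": "Unknown"}},
    {"published": "2022-08-04T14:12:00Z", "eventType": SMS_CHALLENGE,
     "actor": {"alternateId": "alice@example.com"},
     "client": {"ipAddress": "198.51.100.77", "device": "Unknown"}},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_sms_challenges(events, burst_threshold=2):
    """Return (user, reason, client, timestamp) alerts for SMS challenges from a
    client never seen on a completed (non-challenge) event for that user, and for
    burst_threshold or more challenges to one user inside a single OTP window."""
    known = defaultdict(set)     # user -> {(ip, device)} from completed activity
    recent = defaultdict(list)   # user -> timestamps of recent SMS challenges
    alerts = []
    for ev in sorted(events, key=lambda e: e["published"]):
        user = ev["actor"]["alternateId"]
        client = (ev["client"]["ipAddress"], ev["client"]["device"])
        ts = parse_ts(ev["published"])
        if ev["eventType"] != SMS_CHALLENGE:
            known[user].add(client)  # only completed activity builds the baseline
            continue
        if client not in known[user]:
            alerts.append((user, "new_client", client, ev["published"]))
        window = [t for t in recent[user] if ts - t <= OTP_VALIDITY] + [ts]
        recent[user] = window
        if len(window) >= burst_threshold:
            alerts.append((user, "challenge_burst", client, ev["published"]))
    return alerts
```

In practice the baseline would be seeded from a longer history of successful sign-ins, and the alert would be correlated with the Network Zone and device registration checks Okta recommends above.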