Twilio & Cloudflare… A Tale of Two Attacks

Sep 28, 2022

Earlier this quarter, highly sophisticated phishing attacks were carried out against more than 135 organizations. In this blog, we discuss the phishing mechanisms the attackers leveraged to gain unauthorized access, specifically in the context of the attacks on Twilio and Cloudflare.

“The attacks were part of a massive phishing campaign that had netted almost 10,000 account credentials belonging to 130 organizations” – reports Group-IB

What happened?

Twilio, a cloud communications platform as a service (CPaaS), was hit by a sophisticated social engineering phishing attack. Around the same time, in July 2022, Cloudflare saw an attack with very similar characteristics targeting its employees.

The attackers behind the attempts on Twilio and Cloudflare had cast a much wider net in their phishing expedition, targeting as many as 135 organizations, primarily IT, software development, and cloud services providers based in the US. Their initial objective had two clear parts:

  1. To obtain Okta identity credentials
  2. To obtain two-factor authentication (2FA) codes from users of the targeted organizations.

Twilio has since issued an updated advisory stating that, based on further forensic work, a small number of users of Authy, Twilio’s free two-factor authentication app, were also affected. Twilio said it has identified a total of 163 customers whose data was accessed by the intruders.

“Our investigation has identified that the malicious actors gained access to the accounts of 93 individual Authy users, out of a total of approximately 75 million users, and registered additional devices to their accounts,” Twilio said.

Real-Time Phishing

It appears that the attacker received the credentials in real time, entered them in a victim company’s actual login page, and generated a code sent to the employee via SMS or displayed on a password generator. The employee would then enter the TOTP (Time-based One Time Password) code on the phishing site, and it too would be relayed to the attacker. The attacker could then, before the TOTP code expired, use it to access the company’s actual login page — defeating most two-factor authentication implementations.
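The following is an added example (not part of the original post) that models the server-side verification decision described above: a TOTP verifier has no notion of where the code was typed, so a code relayed within its validity window is accepted, whereas an origin-bound assertion (WebAuthn-style, here modelled with HMAC standing in for the device's private key) fails when it was produced on a look-alike origin. The seed, key, nonce and origins are constructed placeholders.

```python
import hashlib, hmac, struct

STEP = 30  # TOTP time step in seconds

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // STEP, digits)

def verify_totp(secret: bytes, code: str, unix_time: int, skew: int = 1) -> bool:
    """Typical server check, tolerant of +/- `skew` steps of clock drift. It has no
    notion of *where* the code was typed, so a code relayed from a look-alike page
    inside the window is indistinguishable from one the real user typed."""
    return any(hmac.compare_digest(totp(secret, unix_time + k * STEP), code)
               for k in range(-skew, skew + 1))

# Origin-bound alternative (WebAuthn-style). HMAC stands in for the device's
# private-key signature so the example runs without a crypto library.
def sign_assertion(device_key: bytes, challenge: bytes, origin: str) -> bytes:
    """The authenticator signs the challenge together with the origin the browser loaded."""
    return hmac.new(device_key, origin.encode() + b"|" + challenge, hashlib.sha256).digest()

def verify_assertion(device_key: bytes, challenge: bytes, rp_origin: str, sig: bytes) -> bool:
    """The relying party recomputes over its OWN origin, so a signature produced on a
    look-alike domain fails even though the challenge itself was relayed intact."""
    expected = hmac.new(device_key, rp_origin.encode() + b"|" + challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)

def relay_outcomes(now: int) -> dict:
    """Constructed scenario: the code is typed on the look-alike page at `now` and
    reaches the real login page 10 seconds later, inside the same validity window."""
    seed = b"12345678901234567890"              # RFC 6238 test secret, not a real seed
    device_key = b"constructed-device-key"      # stand-in for a hardware key's private key
    challenge = b"server-nonce-0001"            # constructed; relayed unchanged by the look-alike
    rp_origin = "https://sso.example.com"       # placeholder relying-party origin
    fake_origin = "https://sso-example-okta.example.net"  # placeholder look-alike origin
    return {
        "totp_relay_accepted": verify_totp(seed, totp(seed, now), now + 10),
        "assertion_from_real_origin": verify_assertion(
            device_key, challenge, rp_origin, sign_assertion(device_key, challenge, rp_origin)),
        "assertion_from_fake_origin": verify_assertion(
            device_key, challenge, rp_origin, sign_assertion(device_key, challenge, fake_origin)),
    }
```

`relay_outcomes` returns `totp_relay_accepted=True` but `assertion_from_fake_origin=False`, which is the property that makes origin-bound authenticators resistant to this class of real-time relay.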

[Figure: phishing flow]

Phishing Text Messages

The Cloudflare Security team received reports of employees receiving legitimate-looking text messages pointing to what appeared to be a Cloudflare Okta login page. The messages began at 2022-07-20 22:50 UTC. Over the course of less than 1 minute, at least 76 employees received text messages on their personal and work phones. The text messages received by employees looked like this:

[Figure: sample Cloudflare and Twilio phishing SMS messages]

If the user clicked the link, it led to a phishing page designed to look identical to a legitimate Okta login page, which prompted every visitor for a username and password. The URLs used words including “cloudflare-okta”, “twilio-okta”, “Okta” and “SSO” (as shown in the sample SMS screenshots above) to trick users into clicking a link to a landing page that impersonated Twilio’s and Cloudflare’s sign-in pages.

The text messages originated from U.S. carrier networks. The phishing page was hosted on DigitalOcean and looked like this:

[Figure: screenshot of the Cloudflare phishing page]

Summary

The methods used by this threat actor are not unique by any means, but the planning and how the attacker pivoted from one company to another makes the phishing campaign worth looking into. This showcases how vulnerable modern organizations are to some basic social engineering attacks and how far-reaching the effects of such incidents can be for their employees, customers, and partners.

About AccuKnox

AccuKnox’s Zero Trust Cloud Native Application Protection Platform (CNAPP) is built in partnership with SRI and is anchored on seminal patented inventions in the areas of Container Security, Anomaly Detection, and Data Provenance. AccuKnox delivers comprehensive Zero Trust security for Networks, Applications (K8s, VM), and Data across Cloud, IoT/Edge, and 5G environments, and can be deployed in Public and Private Cloud environments. AccuKnox is a core contributor to the Kubernetes Runtime Security platform, and AccuKnox’s CNCF project, KubeArmor, has received 180,000+ downloads. Visit www.accuknox.com or follow us on Twitter (@accuknox).
