It is now no secret that Twilio, a cloud communications company, and Cloudflare, a content delivery network and DDoS mitigation company, had their internal systems breached after bad actors stole employee credentials in phishing attacks, gaining access to customers’ data.
What’s interesting is both attacks were executed via SMS. In 2021, data indicated that 96% of phishing attacks arrive by email. Another 3% are carried out through malicious websites, and just 1% via phone.
Twilio, whose news broke first, became aware of the attack on August 4 but declined to provide more information when asked how many employees had their accounts compromised in the phishing attack and how many customers were affected by the breach.
Cloudflare, which announced its breach on August 9, shared that some employees’ credentials were also stolen in an SMS phishing attack similar to the one that led to Twilio’s network breach.
In both phishing attacks, the adversaries impersonated the company’s IT department.
In Twilio’s case, the messages asked employees to click URLs containing the keywords Twilio, Okta, and SSO, which redirected them to a clone of the Twilio sign-in page. The messages baited employees into clicking the embedded links by warning them that their passwords had expired or were scheduled to be changed.
In Cloudflare’s case, once an employee entered credentials on the phishing page, AnyDesk remote access software was automatically downloaded to the employee’s computer; if installed, it would have allowed the threat actors to control the machine remotely.
“This is a storybook case of the damage phishing links can do,” said Jeannie Warner, director of product marketing at Exabeam. “Compromised credentials are often derived from a URL in a phishing message. A carefully crafted message containing the malicious link is sent to an unsuspecting employee. As soon as it’s clicked, the cycle of information loss and damage begins. Any company should aim to nip this problem early on by identifying and alerting on these malicious links.”
Warner went on to say, “There are many public and commercial data providers that offer blacklisting services or databases for potential phishing domains/URL lookups. However, like any signature-based approach, newly-crafted phishing URLs cannot be identified this way. New machine learning approaches can actually flag a suspicious phishing URL previously unknown to blacklist data providers and should be considered by frequently targeted industries, such as technology and communications providers. Innovative organizations need a modern approach to securing their environments in order to spot these types of attacks quickly. To help achieve this, machine learning-powered SIEM, automated investigation and response tools, and UEBA technology should absolutely be part of their security stack.”
As phishing attacks employ more sophisticated disguises, companies must increase security to prevent data loss and financial loss.
PlainID’s CTO and co-founder, Gal Helemski, explained exactly why phishing attacks are so prevalent.
“Phishing attacks remain one of the most popular methods of attack used by cyber adversaries. It is primarily due to how easy it is to trick a human compared to a sophisticated cyber solution. Thus, it is time to reinforce all security infrastructure,” she said. “When it comes to internal breaches where networks are compromised, identity is still the number one challenge. Organizations must adopt a ‘Zero Trust’ approach, which means trusting no one – not even known users or devices – until they have been verified and validated. Zero Trust provides that layer of defense that is unrivaled when it comes to defending internal systems.”
Neil Jones, director of cybersecurity evangelism at Egnyte, suggested improved education on how these social engineering threats are used, since bad actors are evolving rapidly and older training may not be keeping up with the attacks that are inbound.
“The alleged cyber-attacks remind us that organizations’ IT security programs are only as strong as their weakest links. Here, we see how social engineering and ‘smishing’ tactics can lead to fraudulent account access and ultimately impact a brand’s reputation. The situation also demonstrates that users have a more intimate technical relationship with their mobile devices, making mobile-based attacks much more impactful on end-users. In addition to general cybersecurity awareness training, anti-phishing education and restricting access to company data based on a user’s ‘Business Need to Know’ are powerful deterrents. You also need to re-educate your company’s users that phishing attacks don’t occur only by e-mail.”
Cisco’s 2021 Cybersecurity Threat Trends report suggests that at least one person clicked a phishing link in around 86% of organizations. The company’s data indicates that phishing accounts for approximately 90% of data breaches.
Helemski went on to explain why access policies and authorization are so important.
“Access Policies and Dynamic Authorizations are a crucial part of the zero-trust architecture; they help to verify who is requesting access, the context of the request, and the risk of the access environment. You cannot control human cyber hygiene and thus the power of verification is demonstrated. Organizations need a more focused strategy oriented on purchasing the highest reward tools. Identity and authorization are where the smart money should be going. If we assume adversaries are already in the network, it makes sense to focus budgets on restricting movement inside the network.”
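Helemski’s three inputs to a dynamic authorization decision (who is asking, the context of the request, and the risk of the environment) can be modelled as a policy evaluated per request rather than a one-time login check. The following is an added example for this page, not PlainID’s product or API. The policy table, the resources and the requirement that sensitive resources be reached only with a phishing-resistant factor (FIDO2 is assumed here as that factor) are all choices made for the illustration.

```python
from dataclasses import dataclass


@dataclass
class AccessRequest:
    """One request as seen by the authorization point (constructed fields)."""
    user: str
    role: str
    resource: str
    mfa_method: str        # "fido2", "totp", "sms" or "none"
    device_managed: bool   # request comes from a managed, attested endpoint
    new_location: bool     # sign-in from a location not previously seen for this user


# Hypothetical policy table: per resource, who may access it and under which conditions.
# 'phishing_resistant_mfa' is the control that a credential phished through a cloned
# sign-in page, plus a relayed SMS/TOTP code, does not satisfy.
POLICIES = {
    "customer-db": {
        "roles": {"support", "engineer"},
        "managed_device": True,
        "phishing_resistant_mfa": True,
    },
    "wiki": {
        "roles": {"support", "engineer", "sales"},
        "managed_device": False,
        "phishing_resistant_mfa": False,
    },
}

# Assumption for this example: FIDO2/WebAuthn is the only factor treated as phishing-resistant.
PHISHING_RESISTANT_FACTORS = {"fido2"}


def authorize(req):
    """Evaluate identity, context and risk; return (decision, reason).

    decision is 'allow', 'step-up' (ask for a stronger factor before allowing) or 'deny'.
    Checks are ordered so the cheapest hard denials happen first.
    """
    policy = POLICIES.get(req.resource)
    if policy is None:
        return "deny", f"unknown resource {req.resource}: default deny"

    # Who: is this role entitled to the resource at all?
    if req.role not in policy["roles"]:
        return "deny", f"role {req.role} is not permitted on {req.resource}"

    # Context: does the resource require a managed endpoint?
    if policy["managed_device"] and not req.device_managed:
        return "deny", f"{req.resource} requires a managed device"

    # Risk: a password plus a relayable one-time code is not enough for sensitive data.
    if policy["phishing_resistant_mfa"] and req.mfa_method not in PHISHING_RESISTANT_FACTORS:
        return "step-up", f"{req.resource} requires phishing-resistant MFA, got {req.mfa_method}"

    # Risk: an unfamiliar location with no second factor at all gets challenged.
    if req.new_location and req.mfa_method == "none":
        return "step-up", "unfamiliar location and no MFA: challenge before allowing"

    return "allow", "all policy conditions met"


if __name__ == "__main__":
    # Constructed requests, including the phished-credential shape the article describes.
    samples = [
        AccessRequest("alice", "engineer", "customer-db", "fido2", True, False),
        AccessRequest("bob", "support", "customer-db", "sms", True, True),
        AccessRequest("carol", "sales", "customer-db", "fido2", True, False),
        AccessRequest("dave", "sales", "wiki", "none", False, True),
    ]
    for r in samples:
        decision, reason = authorize(r)
        print(f"{r.user:6} {r.resource:12} -> {decision:8} ({reason})")
```

The second sample is the case the article is about: a valid password and a relayable SMS code from a managed device. Under this policy it does not reach the customer database; it is pushed to a step-up that a phishing page cannot relay, which is the "restricting movement inside the network" Helemski describes.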
Tim Prendergast, CEO of strongDM, agreed with Helemski on the importance of access management, suggesting a re-evaluation of applications and infrastructure to secure access.
“The breaches that gave hackers access to customers’ data highlight how crucial strong access management and infrastructure are to maintain strong security,” he said. “Attackers are relentlessly looking for ways into internal systems because it grants them a VIP pass into databases, and servers and access to everything companies don’t want leaked publicly. Once attackers get those valid credentials, they can wreak havoc internally. In this case, we’re seeing that SMS phishing messages baited employees into clicking links that warned them of password changes. The first step here is, rather than point fingers, because in truth this could have happened to anyone, that it is important for CISOs to re-evaluate the visibility and control of access across both applications and infrastructure.”
Other experts, such as Arti Raman, CEO and founder of Titaniam, suggested a somewhat different approach: neutralization.
“As this incident proved, despite security protocols put in place, information can be accessed using privileged credentials, allowing access to hackers to steal underlying data,” Raman said. “The most effective solution for keeping customer PII safe and minimizing the risk of extortion is data-in-use encryption, also known as encryption-in-use. Encryption-in-use provides enterprises with unmatched immunity to data-focused cyberattacks. Should adversaries gain access to data by any means, data-in-use encryption keeps the sensitive information encrypted and protected even when it is actively being utilized. This helps neutralize all possible data-related leverage and dramatically limits the impact of a data breach.”
Whatever approach companies choose to take, whether neutralization, education, or prevention, it is apparent these steps need to be taken sooner rather than later as these bad actors continue to wreak havoc, looking to pull in the biggest fish they can.