At a glance.
- Okta on Scatter Swine, the threat actor that compromised Twilio.
- Microsoft describes Nobelium's new approach to establishing persistence.
- Russia's war against Ukraine has induced stresses in the cyber underworld.
- LastPass discloses a security incident.
- CISA adds ten entries to its Known Exploited Vulnerabilities Catalog.
Okta on Scatter Swine, the threat actor that compromised Twilio.
Group-IB called the campaign "Oktapus," since one of the threat actors' principal goals in compromising Twilio was to obtain credentials for Okta's identity and access management software. (Twilio, a widely used provider of programmable communications tools, detected the social engineering campaign on August 7th, and provided an update on the 24th.) Okta has since described the campaign, and they're tracking the threat actor as Scatter Swine. Okta has seen Scatter Swine before. "Scatter Swine has directly targeted Okta via phishing campaigns on several occasions, but was unable to access accounts due to the strong authentication policies that protect access to our applications."
Using logs provided by Twilio, Okta's security team "established that two categories of Okta-relevant mobile phone numbers and one-time passwords were viewable during the time in which the attacker had access to the Twilio console. A one-time passcode is valid for five minutes." They determined that there had been two categories of threat activity:
- "A primary category...are those mobile phone numbers the threat actor searched for directly in the Twilio console." In these cases the threat actor was seeking to expand access using credentials stolen in earlier attacks.
- "A secondary category...are mobile phone numbers that can be considered ‘incidental’ to the specific actions or objectives of the threat actor." That is, these were "phone numbers that may have been present in the Twilio portal during the threat actor's limited activity window. Okta's analysis reveals no indication that the threat actor targeted or used such mobile phone numbers."
Okta's account includes a lengthy discussion of the tactics, techniques, and procedures Scatter Swine used, and these are interesting for what they reveal about the conduct of a social engineering attack: the way in which intelligent use of phishbait and convincing voice imposture combine with commodity phishing kits to harvest user credentials. Okta also includes advice on how an organization can protect itself. Among the sound pieces of counsel is one worth particular attention: "Use Behavior Detection to act (via step-up authentication) or alert (via System Log) when a user’s sign in behavior deviates from a previous pattern of activity. This threat actor is almost always attempting to authenticate from a new device and new IP that has no previous association with the user."
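As an added illustration of that step-up rule (example code written for this digest, not Okta's or Twilio's own), the following Python replays a few constructed sign-in records, builds each user's set of previously associated devices and IPs from successful sign-ins only, and marks a sign-in for step-up authentication when both the device and the IP are new for that user; the field names and log lines are assumptions.

```python
"""Flag sign-ins where BOTH the device and the source IP have no previous
association with the user, the pattern Okta attributes to Scatter Swine.
Log format and sample events are constructed for this example."""
import csv
import io
from collections import defaultdict

# Constructed sample sign-in events (assumed schema): ts,user,device,ip,outcome
SAMPLE_LOG = """\
ts,user,device,ip,outcome
2022-08-01T09:00:00Z,alice,dev-A1,203.0.113.10,SUCCESS
2022-08-02T09:05:00Z,alice,dev-A1,203.0.113.10,SUCCESS
2022-08-03T08:58:00Z,bob,dev-B7,198.51.100.8,SUCCESS
2022-08-05T13:20:00Z,alice,dev-A2,203.0.113.10,SUCCESS
2022-08-06T22:00:00Z,bob,dev-Q3,192.0.2.77,FAILURE
2022-08-07T02:14:00Z,alice,dev-Z9,192.0.2.77,SUCCESS
2022-08-07T02:16:00Z,bob,dev-B7,192.0.2.77,SUCCESS
"""


def classify_signins(log_text):
    """Replay events in order and return (event, verdict) pairs.
    'no_baseline' : user has no prior successful sign-in, nothing to compare
    'ok'          : device or IP already associated with this user
    'step_up'     : device AND IP are both new for this user (challenge/alert)
    Only SUCCESS events extend the baseline, so a failed attempt from a new
    device/IP cannot quietly teach the detector to trust that device or IP."""
    seen_devices = defaultdict(set)
    seen_ips = defaultdict(set)
    results = []
    for row in csv.DictReader(io.StringIO(log_text)):
        user = row["user"]
        if not seen_devices[user]:
            verdict = "no_baseline"
        elif row["device"] not in seen_devices[user] and row["ip"] not in seen_ips[user]:
            verdict = "step_up"
        else:
            verdict = "ok"
        results.append((row, verdict))
        if row["outcome"] == "SUCCESS":
            seen_devices[user].add(row["device"])
            seen_ips[user].add(row["ip"])
    return results


def users_needing_step_up(log_text):
    """Sorted list of users with at least one sign-in flagged for step-up."""
    return sorted({row["user"] for row, v in classify_signins(log_text) if v == "step_up"})
```

A new device from a known IP (alice's dev-A2) or a known device from a new IP (bob's dev-B7) passes, which keeps the rule focused on the combined signal Okta describes rather than on every roaming user.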