It is now no secret that Twilio, a cloud communications company, and Cloudflare, a content delivery network and DDoS mitigation company, had their internal systems breached after bad actors stole employee credentials in phishing attacks, gaining access to customers' data.
What's interesting is that both attacks were executed via SMS. In 2021, data indicated that 96% of phishing attacks arrived by email, another 3% were carried out through malicious websites, and just 1% came via phone.
Twilio, whose news broke first, became aware of the attack on August 4 but declined to provide more information when asked how many employees had their accounts compromised in the phishing attack and how many customers were affected by the breach.
Cloudflare, which announced its breach on August 9, shared that some employees' credentials were also stolen in an SMS phishing attack similar to the one that led to Twilio's network breach.
In both phishing attacks, the adversaries impersonated the company's IT department.
In Twilio's case, the messages asked employees to click URLs containing the Twilio, Okta, and SSO keywords, which redirected them to a clone of the Twilio sign-in page. The messages baited Twilio's employees into clicking the embedded links by warning them that their passwords had expired or were scheduled to be changed.
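A defender-side triage check for the lure pattern just described (brand and SSO keywords in a link whose registered domain is not one the brand owns), written as an added example for this article rather than code from Twilio, Cloudflare, or any vendor quoted here. The trusted-domain allow-list and the sample links are constructed placeholders.

```python
# Added example: flag links that carry brand/SSO keywords on an unrelated registered domain.
from urllib.parse import urlparse

# Keywords the article says appeared in the lure URLs.
LURE_KEYWORDS = ("twilio", "okta", "sso")

# Assumed allow-list of registered domains the brand legitimately uses (illustrative only).
TRUSTED_DOMAINS = {"twilio.com", "okta.com"}


def registered_domain(host: str) -> str:
    """Return the last two labels of a hostname, e.g. 'sso-reset.example'.
    Simplification: ignores multi-label public suffixes such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def score_url(url: str) -> dict:
    """Score one URL: list brand keywords found in host+path and note whether
    the registered domain is on the allow-list. Keyword hits on a non-trusted
    domain are the suspicious combination worth an alert."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = parsed.hostname or ""
    reg = registered_domain(host)
    haystack = (host + parsed.path).lower()
    hits = [k for k in LURE_KEYWORDS if k in haystack]
    trusted = reg in TRUSTED_DOMAINS
    return {"url": url, "registered_domain": reg, "keyword_hits": hits,
            "trusted": trusted, "suspicious": bool(hits) and not trusted}


def flag_suspicious(urls):
    """Return only the URLs a SOC analyst should look at first."""
    return [r for r in map(score_url, urls) if r["suspicious"]]


# Constructed sample links of the kind an SMS lure might carry (placeholders).
SAMPLE_URLS = [
    "https://twilio-sso.example.net/okta/login",
    "https://www.twilio.com/login",
    "https://example.org/news",
    "http://okta.twilio.sso-reset.example/auth",
]

if __name__ == "__main__":
    for r in flag_suspicious(SAMPLE_URLS):
        print(r["url"], "->", r["keyword_hits"], "on", r["registered_domain"])
```

Feed it the URLs extracted from reported SMS messages or a mail gateway's link log; the check is a cheap first pass, not a substitute for the reputation and behavioural tooling discussed below.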
In Cloudflare's case, after employees entered credentials on the phishing pages, AnyDesk remote access software was automatically downloaded to their computers, which would have allowed the threat actors to control those machines remotely if it had been installed.
"This is a storybook case of the damage phishing links can do," said Jeannie Warner, director of product marketing at Exabeam. "Compromised credentials are often derived from a URL in a phishing message. A carefully crafted message containing the malicious link is sent to an unsuspecting employee. As soon as it's clicked, the cycle of information loss and damage begins. Any company should aim to nip this problem early on by identifying and alerting on these malicious links."
Warner went on to say, "There are many public and commercial data providers that offer blacklisting services or databases for potential phishing domain/URL lookups. However, like any signature-based approach, newly crafted phishing URLs cannot be identified this way. New machine learning approaches can actually flag a suspicious phishing URL previously unknown to blacklist data providers and should be considered by frequently targeted industries, such as technology and communications providers. Innovative organizations need a modern approach to securing their environments in order to spot these types of attacks quickly. To help achieve this, machine learning-powered SIEM, automated investigation and response tools, and UEBA technology should absolutely be part of their security stack."
As phishing attacks employ more sophisticated disguises, companies must increase security to prevent data loss and financial loss.
PlainID's CTO and co-founder, Gal Helemski, explained exactly why phishing attacks are so prevalent.
"Phishing attacks remain one of the most popular methods of attack used by cyber adversaries. It is primarily due to how easy it is to trick a human compared to a sophisticated cyber solution. Thus, it is time to reinforce all security infrastructure," she said. "When it comes to internal breaches where networks are compromised, identity is still the number one challenge. Organizations must adopt a 'Zero Trust' approach, which means trusting no one - not even known users or devices - until they have been verified and validated. Zero Trust provides that layer of defense that is unrivaled when it comes to defending internal systems."
Neil Jones, director of cybersecurity evangelism at Egnyte, suggested improved education on how these social engineering threats are used, since bad actors are evolving at a rapid pace and older training may not be keeping up with the attacks that are inbound.
"The alleged cyber-attacks remind us that organizations' IT security programs are only as strong as their weakest links. Here, we see how social engineering and 'smishing' tactics can lead to fraudulent account access and ultimately impact a brand's reputation. The situation also demonstrates that users have a more intimate technical relationship with their mobile devices, making mobile-based attacks much more impactful on end-users. In addition to general cybersecurity awareness training, anti-phishing education and restricting access to company data based on a user's 'Business Need to Know' are powerful deterrents. You also need to re-educate your company's users that phishing attacks don't occur only by e-mail."
Cisco's 2021 Cybersecurity Threat Trends report suggests that at least one person clicked a phishing link in around 86% of organizations. The company's data indicates that phishing accounts for approximately 90% of data breaches.
Helemski went on to explain why access policies and authorization are so important.
"Access policies and dynamic authorizations are a crucial part of the zero-trust architecture; they help to verify who is requesting access, the context of the request, and the risk of the access environment. You cannot control human cyber hygiene, and thus the power of verification is demonstrated. Organizations need a more focused strategy oriented on purchasing the highest-reward tools. Identity and authorization are where the smart money should be going. If we assume adversaries are already in the network, it makes sense to focus budgets on restricting movement inside the network."
Tim Prendergast, CEO of strongDM, agreed with Helemski on the importance of access management, suggesting a re-evaluation of applications and infrastructure to secure access.
"The breaches that gave hackers access to customers' data highlight how crucial strong access management and infrastructure are to maintaining strong security," he said. "Attackers are relentlessly looking for ways into internal systems because it grants them a VIP pass into databases and servers, and access to everything companies don't want leaked publicly. Once attackers get those valid credentials, they can wreak havoc internally. In this case, we're seeing that SMS phishing messages baited employees into clicking links that warned them of password changes. The first step here, rather than pointing fingers, because in truth this could have happened to anyone, is for CISOs to re-evaluate the visibility and control of access across both applications and infrastructure."
Other experts, such as Arti Raman, CEO and founder of Titaniam, suggested a somewhat different approach: neutralization.
"As this incident proved, despite security protocols put in place, information can be accessed using privileged credentials, allowing hackers to steal underlying data," Raman said. "The most effective solution for keeping customer PII safe and minimizing the risk of extortion is data-in-use encryption, also known as encryption-in-use. Encryption-in-use provides enterprises with unmatched immunity to data-focused cyberattacks. Should adversaries gain access to data by any means, data-in-use encryption keeps the sensitive information encrypted and protected even when it is actively being utilized. This helps neutralize all possible data-related leverage and dramatically limits the impact of a data breach."
Gil Dabah, co-founder and CEO of Piiano, explained, "Phishing attacks are on the rise. Adequate access control can reduce to the minimum the amount of stolen data that will leak in case of credential theft. There are no actual use cases for someone in the organization to browse through big chunks of raw customer data; hence advanced data access control can limit the exposure."
Dabah went on to say, "Implementing the following techniques would change this breach's outcome:
- Most of the personal information should be masked
- Database access rate limits should be in place
- Anomaly detection will serve as another line of defense."
Whatever approach companies choose to take, whether neutralization, education, or prevention, it is apparent these steps need to be taken sooner rather than later as these bad actors continue to wreak havoc, looking to pull in the biggest fish they can.