Phishing attacks against Cisco and Twilio
In both attacks, the attackers targeted multi-factor authentication. In the case of Twilio, the attackers impersonated Twilio's IT department and sent text messages to current and former employees, asking them to click a link to update their passwords or to see how their schedule had changed. Using words such as "Twilio," "Okta," and "SSO," the attackers attempted to trick users into entering Okta credentials and 2FA codes on the fake page, allowing the attackers to gain unauthorized access to information for a limited number of Twilio user accounts. It is unknown how many employees fell for the phishing scheme and what information was compromised.
The Cisco attack also started with a phishing campaign designed to bypass MFA. After gaining access to an employee's password, the attacker conducted a series of sophisticated voice phishing attacks under the guise of various trusted organizations, attempting to convince the victim to accept multi-factor authentication (MFA) push notifications initiated by the attacker. The attacker ultimately succeeded in obtaining an MFA push acceptance, granting them access to the VPN in the context of the targeted user.
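One technical measure a defender can apply to the push-acceptance pattern described above is to alert when an approval follows a burst of denied or timed-out pushes for the same account within a short window. The following is an added example, not code from Cisco, Twilio, or the Talos write-up; the log format, field names, the ten-minute window and the threshold of three unapproved pushes are all assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push log (not real telemetry from either vendor).
# Assumed format: ISO-8601 timestamp, user=<account>, result=<approved|denied|timeout>
SAMPLE_LOG = """\
2022-08-10T03:12:01Z user=jdoe result=denied
2022-08-10T03:12:40Z user=jdoe result=timeout
2022-08-10T03:13:15Z user=jdoe result=denied
2022-08-10T03:14:02Z user=jdoe result=denied
2022-08-10T03:16:30Z user=jdoe result=approved
2022-08-10T08:00:00Z user=asmith result=approved
2022-08-10T08:30:00Z user=asmith result=denied
2022-08-10T09:45:00Z user=asmith result=approved
"""


def parse_line(line):
    """Parse one log line into (timestamp, user, result)."""
    ts, user_kv, result_kv = line.split()
    return (
        datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        user_kv.split("=", 1)[1],
        result_kv.split("=", 1)[1],
    )


def detect_push_fatigue(log_text, window=timedelta(minutes=10), min_unapproved=3):
    """Return one alert per approved push that was preceded, within `window`,
    by at least `min_unapproved` denied or timed-out pushes for the same user.

    An approval after a run of refusals is the pattern to review: a legitimate
    user normally approves the first prompt they themselves initiated.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, user, result = parse_line(line)
            events[user].append((ts, result))

    alerts = []
    for user, evs in events.items():
        evs.sort()  # chronological order per user
        for i, (ts, result) in enumerate(evs):
            if result != "approved":
                continue
            # Unapproved pushes for this user inside the look-back window
            prior = [r for (t, r) in evs[:i] if ts - t <= window and r != "approved"]
            if len(prior) >= min_unapproved:
                alerts.append({
                    "user": user,
                    "approved_at": ts.isoformat(),
                    "unapproved_pushes_in_window": len(prior),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOG):
        print(alert)
```

Run against the constructed log, only `jdoe` is flagged (four unapproved pushes in the five minutes before the approval); `asmith`'s single denial an hour before the next approval stays under both the window and the threshold. In practice the window and threshold should be tuned to the identity provider's own push-timeout behaviour so that ordinary retries after a missed prompt do not page the on-call team.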
As detailed by Cisco in its Talos Blog, follow-up lateral movement was facilitated by tactics and techniques typically used in Microsoft Active Directory networks, which underscores the inherent risks of Active Directory once the attacker gains an initial foothold in an organization.
Both attacks illustrate how social engineering is used to penetrate the networks of even tech-savvy organizations, indicating that security awareness initiatives need to be increasingly combined with technical measures to protect the organization's IT assets.