Cyber News Rundown: Cloud communications tool Twilio suffers data breach
A successful SMS-phishing campaign targeting current and former employees at Twilio led to a data breach. The campaign centered on hackers impersonating internal IT personnel. In other cybersecurity news, marketing firm Klaviyo suffers a data breach compromising both customer and employee data.
Following a phishing attack at the email marketing firm Klaviyo, officials have confirmed that employee credentials were compromised and used to exfiltrate a significant amount of employee and client data. Alongside the data, the hackers were also able to access several internal support tools that are used to search for crypto-related accounts and view their marketing and product updates. Klaviyo is working with law enforcement to investigate the extent of the system intrusions and has already identified multiple fake Klaviyo websites that are attempting to capture login credentials.
Nearly 4 months after spotting some suspicious activity on their systems, one unsuspecting company was hit with its first ransomware attack, by LockBit, through a malicious RDP (Remote Desktop Protocol) session. Just a week later, the Hive ransomware group entered the system, re-encrypted all the files and left its own ransom note. Less than 2 weeks later, the company was encrypted a third time, now by the BlackCat ransomware group. This series of attacks has left researchers puzzled as to why the company did not notice the first attack or do anything to prevent the later attacks from happening.
Researchers have been tracking a new ransomware variant, dubbed GwisinLocker, that has been targeting industrial Linux systems across South Korea. These attacks often occur during non-business hours, when a security response would not be as quick, and require the victim to log in to a private portal to negotiate the ransom demands of the Gwisin group. While much is still unknown about the group and its procedures, it is believed that it may be a North Korean APT (advanced persistent threat) organization.
Officials for Twilio confirmed that the company has fallen victim to a data breach resulting from an SMS-phishing campaign against current and former employees, in which the attackers impersonated an internal IT department. Even with cooperation from the mobile carrier networks, the attackers have been exceptionally difficult to track, as they can switch between carriers and hosting providers with ease. In response to the attack, Twilio has begun providing additional security training to all employees and contacting customers whose data was affected.
A new iteration of Classicscam has been making the rounds in Singapore recently, impersonating several financial and other service websites to steal payment card credentials. Operating as a service, attackers simply pick a target and create fake versions of classifieds websites to begin stealing payment details from buyers and sellers. Classicscam spreads through a series of Telegram bot channels and starts by offering to purchase an item, but requires the seller to enter a significant amount of sensitive detail into a malicious form before they can receive the payment funds.