2FAR Gone: The Twilio Breach and the Targeting of Two Factor Authentication
Mirai published an article last week arguing the importance of Multi-Factor Authentication (MFA), we did make sure to mention that these methods are not infallible. While MFA (and Two-factor authentication, a form of MFA that requires only two forms of authentication) is the best course of action for ensuring the security of your accounts, the recent attack on Cloud communications giant Twilio (and its 2FA service Authy) shows that no method of authentication is perfect, and relying on third parties services can sometimes be a risky proposition.
What is Twilio?
Twilio is a communications platform that fosters the use of voice calls, messages, video, and more through its application programming interfaces (APIs). Its communication infrastructure is hosted by Amazon Web Services and it provides services to companies such as Twitter, Facebook, and Spotify.
What Happened to Authy:
Authy is a 2FA service developed by Twilio. Typically, it lets users authenticate their logins via the Authy app after inputting their login information on their primary device. On the app, Authy provides one-time passcodes for logins, strengthening the authentication process. In this month's hack of Twilio, 93 Authy accounts were compromised after an infrastructure attack by the hacking group 0ktapus, as these actors stole cryptographic data to generate unique one-time passcodes. This has allowed 0ktapus to bypass needing a second factor for them to access Twilio user accounts. Since Twilio partners with many prominent companies (and has over 75 million users), the fact that this breach only affected 93 isolated users should still be a cause for alarm. While Twilio has said it has halted unauthorized access from compromised accounts - and instructed the owners of these accounts to review their devices and disable the "Allow Multi-device" function for authentication if they are only using a single device -, this attack highlights the risk to companies using third-party cloud services to foster communication capabilities while also relying on their authentication methods. This attack may have been relatively minor, but it shows that MFA and its different forms are not a failsafe against unauthorized logins, and your organization is only as secure as the entities it partners with.
Sprawl-in-All: The Widespread Issue of Identity Sprawl
In the cybersecurity landscape, keeping track of every threat and term can sometimes feel overwhelming (luckily, we have started a blog series to help with that), but the issue of identity sprawl - currently in the news this week following the publishing of Radiant Logic's Identity Data Management report - should be well-known for people and organizations alike, particularly those who work in tech.
Identity Sprawl: A Common but Worrisome Problem
Identity sprawl refers to the growing multitude of separate, unlinked accounts users have created for their online activities. Because these accounts are not connected by a single identity provider (i.e. Google Authenticator), each requires different login and authentication methods, causing a person's online identity to "sprawl." Not only is identity sprawl an annoyance for users attempting to remember all their login credentials, but it is also a grave threat to a person's (and, by proxy, an organization's) online security. As a person's login credentials are spread amongst many unlike accounts, a door is opened for identity-driven, potentially far-reaching attacks. A person’s sheer number of accounts may result in them using similar login credentials many times over, mainly if they do not use Single Sign-On (SSO) to link any of these separate accounts. If a breach to just one of these accounts occurs, a threat actor can use these credentials to access a person’s other accounts across multiple platforms and organizations, an attack known as ‘credential stuffing.’
Findings from the Radiant Logic Report
Detailed in Cyber Magazine, the identity provider Radiant Logic’s report stated that 67% of global IT and InfoSec leaders surveyed reported having over 21 disparate online identities per user at their organizations. While Radiant Logic sells solutions for identity integration and may be coming from a place of bias, this is still a deeply troubling trend for those at the forefront of cybersecurity excellence. The survey also found that the biggest roadblock to consolidating these identities is the cost associated with implementing an organization-wide identity system. This prioritization of short-term budgets over the long-term costs of breaches is sad but widely seen pattern across many organizations, but it is distressing to see this logic in the tech sphere. As Radiant Logic's report shows, identity sprawl is a serious issue, and the organizations most aware of this fact have a responsibility to deal with it.
Disinformation Nations: Cybersecurity Threats to Organizations and Governments Around the World
As much as our biases may drive us, the reality of cybersecurity is that threats are not isolated to hackers with a specific set of values and goals. This week saw the reporting of international hacking and disinformation campaigns across Asia, with these malicious activities being conducted by actors on both ends of the ideological spectrum.
North Korea and Kimusky:
Backed by the North Korean government, the hacker group Kimusky has launched coordinated attacks against South Korean political and infrastructural bodies, including the Ministry of Unification and nuclear power facilities. Actively engaging in social engineering and phishing attacks for the past decade, Kimusky was recently spotlighted for a campaign in which they utilized spear-fishing to send their targets embedded Word documents that contained geopolitical content about the Korean conflict, along with malware that infects the recipient's device and pilfers their information. The 70-plus years of bad blood between South Korea and its communist counterpart has seen many skirmishes along the way, and advancements in technology and hacking have caused this conflict to inhabit the digital arena, resulting in a silent war where no shots are fired, but massive repercussions occur.
West is Best?: Influence Campaigns in Asia
A pro-Western campaign consisting of hundreds of Facebook, Twitter, Instagram, and other social media accounts has been found by the Stanford Internet Observatory Cyber Policy Center to have been in operation for more than a decade. These accounts have been pushing pro-American narratives and attacking US geopolitical rivals since March of 2012, but only recently (after Facebook and Twitter provided data on accounts they suspended over the summer for inauthentic behaviour) did a pattern emerge that these were being run by the same entities. Most active in Central Asia and the Middle East (though with account locations traced back to the US and Great Britain), this campaign was especially critical of China, Iran, and Russia, and has been connected to the Trans-Regional Web Initiative, a public, US-military run online influence campaign that oversees websites promoting pro-American propaganda. Whether these accounts were part of a state-sponsored initiative to turn the online tide for America and against its enemies, these and the Kimusky stories show that cyber manipulation knows no ideology.