Page 42 - Cyber Defense eMagazine April 2023
What changes, however, is the approach and the modus operandi for carrying out such attacks.
In 2022, Threat Actors (TAs) were observed targeting security technology vendors and service providers
that enjoyed a certain degree of trust and confidence in the industry.
In January 2022, Okta, a leading cloud-based identity management provider, was targeted in a well-planned attack in which TAs compromised the computer of a customer support engineer employed by Okta's third-party IT services vendor. Using this foothold as a pivot, the TA then swept Okta's internal network to access confidential information. Although the attacker had access to internal communication and ticketing tools only for a limited period and could not reach any significant critical information, the incident demonstrated the relative ease with which an attacker can get past security defenses by abusing the inherent trust that an organization typically places in its third parties.
In June and July 2022, TAs targeted employees of Twilio, a leading customer engagement platform provider, with a well-orchestrated SMS phishing and vishing campaign to steal their user accounts, passwords, and OTPs (one-time passwords used as a second authentication factor) in order to access the sensitive contact information of Twilio's customers. The TAs also managed to register and link their own devices to a few customer accounts.
In August and December 2022, LastPass, the leading provider of password management software, reported a breach in which the attackers were able to access and copy sensitive customer information. This included not only end-user names, billing and email addresses, telephone numbers, and IP addresses, but also sensitive vault data such as usernames, passwords, and secure notes.
NortonLifeLock, another password management software vendor, reported that nearly 6000 customer accounts had been compromised via a credential stuffing attack, forcing the company to enforce a password reset and advise users to enable two-factor authentication.
Cyble's Darkweb Intelligence teams noticed several posts on cybercrime forums and darkweb sites in which TAs solicited access to cyber threat intelligence platform providers as a route to those providers' customers. Hackers also claimed to have successfully breached cybersecurity service providers offering security monitoring, security assessment and penetration testing, and data backup and recovery services. In addition, hackers were seen advertising the sensitive information of the victim companies' clients on various cybercrime marketplaces and forums.
Recently, leading cloud infrastructure and SaaS application providers such as Microsoft Azure and Atlassian have published detailed incident investigations in which TAs were seen bypassing trusted SMS OTP-based multi-factor authentication by using stolen authentication cookies to log in to user accounts. The users' systems had been compromised beforehand with information-stealing malware.
Cyble's Threat Research team also discovered TA communication on the darkweb associated with malware and phishing services offered for sale and claimed to be designed to bypass OTP-based two-factor authentication mechanisms in order to compromise a target. OTP-based two-factor authentication is thus now being actively targeted and bypassed in advanced attack campaigns by skilled attackers.
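The cookie-replay pattern described above is visible to defenders only if the session is bound to the context in which the OTP was passed. The following is an added example, not code from the article or from Cyble: the event format, field names and sample events are constructed, and it flags later uses of an authentication cookie from a different IP or browser than the one that completed MFA, as well as cookies for which no MFA was ever recorded.

```python
# Added example (not from the article or from Cyble): bind an authenticated session to
# the client context in which the OTP was passed, then flag later uses of the same
# cookie from a different IP or browser. Event fields and sample events are constructed.
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class Event:
    ts: int           # seconds since epoch
    kind: str         # "mfa_ok": OTP challenge passed; "request": later use of the cookie
    session_id: str   # value of the authentication cookie
    user: str
    ip: str
    user_agent: str

# Constructed sample: alice passes SMS OTP from her laptop; 35 minutes later the same
# cookie is presented from another IP and browser, the shape a replayed stolen cookie has.
SAMPLE_EVENTS: List[Event] = [
    Event(1000, "mfa_ok", "sid-A1", "alice", "203.0.113.10", "Firefox/111 (Windows)"),
    Event(1300, "request", "sid-A1", "alice", "203.0.113.10", "Firefox/111 (Windows)"),
    Event(3100, "request", "sid-A1", "alice", "198.51.100.77", "Chrome/110 (Linux)"),
    Event(2000, "mfa_ok", "sid-B7", "bob", "192.0.2.5", "Safari/16 (macOS)"),
    Event(2600, "request", "sid-B7", "bob", "192.0.2.5", "Safari/16 (macOS)"),
    Event(2700, "request", "sid-Z9", "carol", "192.0.2.9", "Chrome/110 (Windows)"),
]

def find_replayed_sessions(events: List[Event]) -> List[dict]:
    """One finding per request whose context differs from the MFA context bound to its
    session, or whose session never passed MFA. The OTP is not re-checked on later
    requests, so this binding is what makes a stolen cookie visible."""
    bound: Dict[str, Event] = {}
    findings: List[dict] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "mfa_ok":
            bound[ev.session_id] = ev        # remember where and how the OTP was passed
            continue
        origin = bound.get(ev.session_id)
        reasons: List[str] = []
        if origin is None:
            reasons.append("no MFA recorded for this session")
        else:
            if ev.ip != origin.ip:
                reasons.append(f"ip {origin.ip}->{ev.ip}")
            if ev.user_agent != origin.user_agent:
                reasons.append(f"ua {origin.user_agent!r}->{ev.user_agent!r}")
        if reasons:
            findings.append({"session_id": ev.session_id, "user": ev.user,
                             "reason": "; ".join(reasons)})
    return findings
```

On the sample data, `find_replayed_sessions(SAMPLE_EVENTS)` returns two findings (carol's cookie with no MFA record, alice's cookie reused from a new IP and browser) and nothing for bob. Legitimate IP changes on mobile networks make the IP mismatch a signal to correlate rather than a reason to block on its own.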