A large-scale phishing campaign, dubbed 0ktapus, that reeled in unsuspecting users at Cloudflare and Twilio, among others, and led to a small downstream attack against secure messaging service Signal, has been revealed to have compromised almost 10,000 user accounts at more than 130 organisations worldwide by exploiting the brand of identity and access management (IAM) specialist Okta.
This is according to researchers at Group-IB, who have today published an analysis of the attackers’ phishing infrastructure, phishing domains, phishing kits and the Telegram comms channels they used to drop compromised data.
Singapore-based, Russia-founded Group-IB said it opened an investigation at the end of July when one of its threat intelligence customers asked it for more information on a phishing attempt targeting its employees.
The subsequent probe led its investigators to conclude that the attack, as well as those on Cloudflare and Twilio, were the result of a “simple yet very effective” phishing campaign that was “unprecedented in scale and reach” and had been ongoing since March 2022.
“While the threat actor may have been lucky in their attacks, it’s far more likely that they carefully planned their phishing campaign to launch sophisticated supply chain attacks,” said Roberto Martinez, senior threat intelligence analyst at Group-IB Europe.
“It’s not yet clear if the attacks were planned end-to-end in advance or whether opportunistic actions were taken at each stage. Regardless, the 0ktapus campaign has been incredibly successful, and the full scale of it may not be known for some time.”
Group-IB revealed the primary goal of the threat actors was to obtain Okta identity credentials and multifactor authentication (MFA) codes from users at the targeted organisations. These users received SMS messages containing links to phishing sites that mimicked their organisation’s Okta authentication page.
The investigators were not able to determine how the threat actors prepared their list of targets, nor how they got hold of the needed phone numbers; however, according to the compromised data that Group-IB was able to analyse, it appears there may have been earlier attacks on mobile operators and telecoms companies to harvest data before this campaign even got underway.
Group-IB said 0ktapus used 169 unique phishing domains, incorporating keywords including “SSO”, “VPN”, “Okta”, “MFA” and “help”. These sites would have appeared almost identical to the legitimate Okta verification pages. They were all created using a novel phishing kit, which contained code that enabled the attackers to configure a Telegram bot and a channel into which they dropped their stolen data.
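The domain naming pattern reported above (vendor and campaign keywords such as “SSO”, “VPN”, “Okta”, “MFA” and “help” combined with a target organisation’s name) lends itself to simple log triage. The following is an added example, not code from Group-IB or from the article; the log lines, the organisation name `example` and the allowlist of legitimate hosts are constructed.

```python
"""Triage DNS/proxy log lines for 0ktapus-style Okta lookalike domains.

Added example; not from the Group-IB report. The sample log, the
organisation token "example" and LEGIT_HOSTS are constructed.
"""
from typing import Iterable

# Keywords the campaign embedded in its phishing domains, per the report.
KEYWORDS = ("sso", "vpn", "okta", "mfa", "help")

# Hypothetical allowlist: the organisation's real Okta tenant and Okta's own
# domains. Any other host that looks like an Okta login page is suspect.
LEGIT_HOSTS = {"example.okta.com", "okta.com", "login.okta.com"}


def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels); enough for lookalike triage, so that
    an internal host such as vpn.example.com is judged by example.com."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def suspicious(host: str, org: str = "example") -> bool:
    """Flag hosts whose registrable domain pairs the org or vendor name with
    a campaign keyword, e.g. example-sso.com or okta-example-help.net."""
    host = host.lower()
    if host in LEGIT_HOSTS or host.endswith(".okta.com"):
        return False
    domain = registrable(host)
    has_keyword = any(k in domain for k in KEYWORDS)
    return has_keyword and (org in domain or "okta" in domain)


def triage(lines: Iterable[str]) -> list:
    """Return flagged hostnames from constructed 'timestamp client host' lines."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line; skip rather than crash
        if suspicious(parts[2]):
            hits.append(parts[2])
    return hits


# Constructed sample log: two benign internal hosts, the real tenant, two lookalikes.
SAMPLE_LOG = """2022-07-26T14:02:11Z 10.0.0.5 vpn.example.com
2022-07-26T14:03:40Z 10.0.0.5 example-sso.com
2022-07-26T14:05:02Z 10.0.0.7 example.okta.com
2022-07-26T14:06:19Z 10.0.0.9 okta-example-help.net
2022-07-26T14:07:55Z 10.0.0.9 www.example.com"""
```

`triage(SAMPLE_LOG.splitlines())` returns only the two lookalike domains; the organisation’s own `vpn.example.com` and its real Okta tenant are not flagged.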
All told, 0ktapus stole a total of 9,931 unique user credentials, including 3,129 records with valid email addresses and 5,441 records with MFA codes. Since two-thirds of the records did not contain a valid corporate email, merely a username and an MFA code, the research team were only able to determine the region where the users were located, meaning not all targeted organisations could be identified.
What can be said with confidence is that 114 out of 136 identified victim organisations were US-headquartered companies. None were based in the UK; however, roughly 97 UK-based users had their credentials compromised by 0ktapus, compared with more than 5,500 in the US. Other compromised users were spread around the world, with over 40 apiece found in Canada, Germany, India and Nigeria.
Most of the victim organisations were, like Cloudflare and Twilio, IT suppliers, software companies or cloud services firms. Smaller numbers of victims were also found in the telco sector, general business services and financial services, and smaller numbers still in education, retail and logistics, legal services and utilities. Group-IB said it had notified all victims it could identify.
In terms of identifying the threat actors behind 0ktapus, Group-IB was also able to retrieve some of the details of one of the administrators of its Telegram channels, and from there identified their GitHub and Twitter accounts. This individual goes by the handle X and is thought to live in North Carolina in the US, although this may not be their true location.
Rustam Mirkasymov, head of cyber threat research at Group-IB Europe, said 0ktapus’s methods were nothing special, but the effort it put into planning, and pivoting across multiple victims, made the campaign a noteworthy one.
“0ktapus shows how vulnerable modern organisations are to some basic social engineering attacks and how far-reaching the effects of such incidents can be for their partners and customers. By making our findings public we hope that more companies will be able to take preventive steps to protect their digital assets,” he said.
More information on Group-IB’s findings, including a breakdown of indicators of compromise (IoCs), is available to read here.
This is the second major incident to have involved Okta indirectly in recent months, coming after the firm was caught up in a supply chain attack when the Lapsus$ cyber extortion gang compromised a third party, Sitel, in January 2022. There is no indication that the two incidents are connected in any way.
Okta had not responded to a request for comment at the time of publishing.