Criminal 0ktapus spoofed IAM firm in massive phishing attack

Researchers at Group-IB have published research on a significant phishing campaign that ensnared victims at well-known brands including Cloudflare and Twilio

Alex Scroxton


Published: 25 Aug 2022 14:11

A large-scale phishing campaign, dubbed 0ktapus, that reeled in unsuspecting users at Cloudflare and Twilio, among others, and resulted in a smaller downstream attack against secure messaging service Signal, has been revealed to have compromised nearly 10,000 user accounts at more than 130 organisations worldwide by exploiting the brand of identity and access management (IAM) specialist Okta.

That is according to researchers at Group-IB, who have today published an analysis of the attackers' phishing infrastructure, phishing domains, phishing kits and the Telegram comms channels they used to drop compromised information.

Singapore-based, Russia-founded Group-IB said it opened an investigation at the end of July when one of its threat intelligence customers asked it to find out more about a phishing attempt targeting its employees.

The subsequent probe led its investigators to conclude that the attack, as well as those on Cloudflare and Twilio, was the result of a simple yet highly effective phishing campaign that was unprecedented in scale and reach and had been ongoing since March 2022.

"While the threat actor may have been lucky in their attacks, it is much more likely that they carefully planned their phishing campaign to launch sophisticated supply chain attacks," said Roberto Martinez, senior threat intelligence analyst at Group-IB Europe.

"It is not yet clear if the attacks were planned end-to-end in advance or whether opportunistic actions were taken at each stage. Regardless, the 0ktapus campaign has been incredibly successful, and the full scale of it may not be known for some time."

Group-IB found that the primary goal of the threat actors was to obtain Okta identity credentials and multifactor authentication (MFA) codes from users at the targeted organisations. Those users received SMS messages containing links to phishing sites that mimicked their organisation's Okta authentication page.

The investigators were not able to determine how the threat actors prepared their target list, nor how they got hold of the phone numbers they needed. However, based on the compromised data Group-IB was able to analyse, it appears there may have been earlier attacks on mobile operators and telecoms companies to harvest data before this campaign got underway.

Group-IB said 0ktapus used 169 unique phishing domains, incorporating keywords including SSO, VPN, Okta, MFA and help. These sites would have appeared almost identical to the legitimate Okta verification pages. They were all built with a novel phishing kit, which contained code that let the attackers configure a Telegram bot and a channel to which the stolen data was dropped.
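The domain pattern described above (an org name combined with SSO, VPN, Okta, MFA or help keywords) is something a defender can hunt for in a newly-registered-domain or passive DNS feed. The script below is an added example, not Group-IB's tooling and not a list of real 0ktapus domains: the scoring weights, the org names "examplecorp" and "acme", the allowlist and every candidate domain are constructed assumptions for illustration.

```python
"""Hunt for 0ktapus-style lookalike domains in a list of candidate hostnames.

Added example, not Group-IB's code. Heuristic (an assumption): a domain that
combines one of the organisations we defend with a lure keyword reported in
the 0ktapus campaign (SSO, VPN, Okta, MFA, help) is a strong phishing signal;
a lure keyword on its own is a weak signal.
"""
from dataclasses import dataclass, field

# Lure keywords Group-IB reported seeing in the 0ktapus phishing domains.
LURE_TOKENS = ("sso", "vpn", "okta", "mfa", "help")

# Constructed sample input: the org names we defend and their legitimate
# hostnames (an Okta tenant lives under <org>.okta.com and must not be flagged).
ORG_TOKENS = ("examplecorp", "acme")
ALLOWLIST = {"examplecorp.com", "acme.example", "examplecorp.okta.com"}

# Constructed candidate domains, as they might arrive from a new-domain feed.
SAMPLE_DOMAINS = [
    "examplecorp-sso.com",
    "acme-okta.net",
    "help-examplecorp.info",
    "examplecorpvpn.com",
    "examplecorp.com",        # legitimate, allowlisted
    "examplecorp.okta.com",   # legitimate Okta tenant, allowlisted
    "sso-login.com",          # lure keyword but no org name: weak signal
    "weather-today.org",      # benign
]


@dataclass
class Finding:
    domain: str
    score: int
    reasons: list = field(default_factory=list)


def registrable_labels(domain: str) -> str:
    """Drop the TLD so keyword matching ignores it, e.g. 'acme-okta' for acme-okta.net.
    Naive (drops only the last label), which is enough for this heuristic."""
    parts = domain.lower().rstrip(".").split(".")
    return ".".join(parts[:-1]) if len(parts) > 1 else parts[0]


def score_domain(domain, org_tokens=ORG_TOKENS, allowlist=ALLOWLIST) -> Finding:
    """Score one hostname; higher means more 0ktapus-like."""
    d = domain.lower().rstrip(".")
    finding = Finding(domain=d, score=0)
    if d in allowlist:
        finding.reasons.append("allowlisted")
        return finding
    body = registrable_labels(d)
    orgs = [t for t in org_tokens if t in body]
    lures = [t for t in LURE_TOKENS if t in body]
    if orgs:
        finding.score += 3
        finding.reasons.append("org token: " + ",".join(orgs))
    if lures:
        finding.score += 2
        finding.reasons.append("lure token: " + ",".join(lures))
    if orgs and lures:
        finding.score += 3
        finding.reasons.append("org+lure combination (0ktapus pattern)")
    if "okta" in body and not d.endswith(".okta.com"):
        finding.score += 1
        finding.reasons.append("brand 'okta' outside okta.com")
    return finding


def hunt(domains, org_tokens=ORG_TOKENS, allowlist=ALLOWLIST, threshold=5):
    """Return findings at or above the threshold, highest score first."""
    findings = [score_domain(d, org_tokens, allowlist) for d in domains]
    hits = [f for f in findings if f.score >= threshold]
    return sorted(hits, key=lambda f: (-f.score, f.domain))


if __name__ == "__main__":
    for hit in hunt(SAMPLE_DOMAINS):
        print(f"{hit.score:2d}  {hit.domain:28s} {'; '.join(hit.reasons)}")
```

Run against a real feed, the threshold of 5 flags only domains that pair an org name with a lure keyword; a bare "sso-login.com" scores 2 and is left for manual triage rather than an alert. The allowlist matters: the organisation's own Okta tenant contains both the org name and "okta" and would otherwise score as a hit.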

All told, 0ktapus stole a total of 9,931 unique user credentials, including 3,129 records with valid email addresses and 5,441 records with MFA codes. Since two-thirds of the records did not include a valid corporate email, only a username and an MFA code, the research team was only able to determine where the users were located, meaning not all targeted organisations could be identified.

What can be stated with confidence is that 114 of the 136 known victim organisations were US-headquartered companies. None were based in the UK; however, approximately 97 UK-based users had their credentials compromised by 0ktapus, compared with more than 5,500 in the US. Other compromised users were spread around the world, with over 40 apiece in Canada, Germany, India and Nigeria.

Most of the victim organisations were, like Cloudflare and Twilio, IT providers, software companies or cloud services firms. Smaller numbers of victims were in the telco sector, general business services and financial services, and smaller numbers still in education, retail and logistics, legal services and utilities. Group-IB said it had notified all the victims it could identify.

In terms of identifying the threat actors behind 0ktapus, Group-IB was also able to retrieve some of the details of one of the administrators of its Telegram channels, and from there identified their GitHub and Twitter accounts. They go by the handle X and are thought to live in New York in the US, although this may not be their true location.

Rustam Mirkasymov, head of cyber threat research at Group-IB Europe, said 0ktapus's methods were nothing special, but the effort it put into planning, and pivoting across multiple victims, made the campaign a noteworthy one.

"0ktapus shows how vulnerable modern organisations are to some basic social engineering attacks and how far-reaching the consequences of such incidents can be for their partners and customers. By making our findings public we hope that more companies can take preventive steps to protect their digital assets," he said.

More information on Group-IB's findings, including a breakdown of indicators of compromise (IoCs), is available to read here.

This is the second major incident to have involved Okta in some way recently, coming after the firm was caught up in a supply chain attack when the Lapsus$ cyber extortion gang compromised a third party, Sitel, in January 2022. There is no indication that the two incidents are connected in any way.

Okta had not responded to a request for comment at the time of publication.
