Following last week's disclosure by Group-IB researchers of a significant phishing campaign, Okta has warned its customers to be on their guard.
- Alex Scroxton, Security Editor
Published: 30 Aug 2022 15:43
Identity and access management specialist Okta has warned customers to be on guard against a widespread and impactful phishing campaign which has already affected a very small number of its customers.
This follows researchers at Group-IB gathering evidence that tied together multiple recent incidents, including an attack on Twilio, in a criminal campaign that appears to have heavily exploited the Okta brand, and the trust its customers place in it, to compromise its targets.
In its investigation of the campaign, which Okta has dubbed Scatter Swine (Group-IB coined another name, 0ktapus), Okta discovered that the data of some of its customers was accessible to the threat actor through Twilio's systems.
Okta's defensive cyber operations team determined that a small number of mobile phone numbers and associated SMS messages containing one-time passcodes were accessible to the threat actor via the Twilio console.
"Okta has notified any customers for whom a contact number was visible in the console at the time the console was accessed," said a company spokesperson. "There are no actions necessary for customers at this time."
Okta's own investigation found that the incident unfolded as follows. On 7 August 2022, Twilio disclosed that customer accounts and internal applications had been accessed in attacks stemming from a successful phish. On 8 August, it notified Okta that unspecified data relevant to Okta's customers had been accessed in the incident.
At that point, Okta rerouted SMS-based communications to an alternative provider so that it had a clear space in which to investigate alongside Twilio, which provided data, such as internal system logs, that could be used to correlate and identify the extent of the activity associated with Okta's users.
This activity affected 38 unique phone numbers, almost all of which can be associated with a single unnamed organisation. Okta said it appeared that the threat actor was seeking to expand its access to that organisation. It had used usernames and passwords stolen in phishing campaigns to trigger SMS-based multifactor authentication challenges at its target, and used its access to Twilio's systems to search for the one-time passcodes sent in those challenges.
Okta has since been threat hunting across its platform logs and has found evidence that the threat actor also tested this technique against a single account unrelated to its primary target, but performed no other actions. There is no evidence that it successfully used the technique to expand the scope of its access beyond the primary target.
Okta said 0ktapus/Scatter Swine has directly targeted Okta in the past, but has been unable to access accounts thanks to its in-house security controls.
The group uses infrastructure supplied by the crypto-friendly provider Bitlaunch, which provides servers from DigitalOcean, Vultr and Linode. Its preferred domain name registrars are Namecheap and Porkbun, both of which accept bitcoin payments.
It first harvests phone numbers from data aggregation services that link phone numbers to employees (Group-IB presented evidence that it may have hacked into some communications providers to obtain this data), then sends bulk phishing lures to multiple employees at its targets and, in some instances, their family members. It has been known to follow up with calls in which its operators pose as technical support agents, and in these calls they apparently speak fluent English with a North American accent.
If it successfully obtains user credentials through its phishing campaign, it then attempts to authenticate using an anonymising proxy. In this campaign, it favoured the Mullvad (Mole) VPN service, an open source, commercial service based in Sweden.
Its phishing kit is designed to capture usernames, passwords and one-time passcode factors, and has been known to trigger multiple push notifications in a further attempt to trick targets into approving access to their accounts.
It has registered multiple domain names in common formats to further trick targets into entering their credentials on its phishing sites. In the case of Okta customers, these have generally taken the form of [target company]-okta.com, .net, .org or .us, although other domains have also been used.
More information on 0ktapus/Scatter Swine's tactics, techniques and procedures is available from Okta, which is also advising its customers to adopt a defence-in-depth strategy to best protect themselves from this or similar attacks.
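Two of the behaviours described above lend themselves to simple detections: the [target company]-okta.com/.net/.org/.us domain format, which can be matched against hostnames seen in DNS or proxy logs, and the phishing kit's repeated push notifications, which show up as a burst of MFA push challenges for one user in a short window. The Python below is an added example written for this article, not code from Okta or Group-IB. It assumes that legitimate Okta tenant hostnames are subdomains of okta.com (not stated in the article), and the log format, the `mfa.push.challenge` event name, the hostnames and the timestamps are all constructed for the example.

```python
"""Added example: detections for two 0ktapus/Scatter Swine techniques.

1. Lookalike domains of the form [target company]-okta.com/.net/.org/.us.
2. MFA push "storms": repeated push challenges for one user in a short window.

The log format and event name below are constructed for this example; they
are not Okta System Log event types.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Format from the article: [target company]-okta.<tld>. Legitimate tenants
# are assumed to be subdomains of okta.com, so "acme.okta.com" reduces to the
# registrable domain "okta.com" and does not match this pattern.
LOOKALIKE_RE = re.compile(r"^(?P<org>[a-z0-9-]+)-okta\.(com|net|org|us)$")


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname (login.acme-okta.us -> acme-okta.us).
    A two-label approximation is enough for the TLDs the article lists."""
    labels = host.strip().lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_host(host: str, org_names: set[str]) -> str | None:
    """'lookalike' if the registrable domain is <org>-okta.<tld> for one of our
    own org names, 'suspicious-okta-pattern' if it matches the format for some
    other org, None if it does not match the format at all."""
    m = LOOKALIKE_RE.match(registrable_domain(host))
    if not m:
        return None
    return "lookalike" if m.group("org") in org_names else "suspicious-okta-pattern"


def scan_hosts(hosts, org_names: set[str]) -> dict[str, str]:
    """Classify every host (e.g. from DNS or proxy logs) and keep only the hits."""
    return {h: v for h in hosts if (v := classify_host(h, org_names))}


def parse_auth_log(text: str) -> list[tuple[datetime, str, str]]:
    """Parse constructed '<ISO timestamp> <user> <event>' lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event))
    return events


def push_storms(events, threshold: int = 3,
                window: timedelta = timedelta(minutes=5)) -> dict[str, int]:
    """Return {user: most pushes seen in any `window`} for users reaching `threshold`.
    Uses a sliding window over each user's sorted push timestamps."""
    by_user: dict[str, list[datetime]] = defaultdict(list)
    for ts, user, event in events:
        if event == "mfa.push.challenge":  # constructed event name
            by_user[user].append(ts)
    flagged: dict[str, int] = {}
    for user, times in by_user.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[user] = peak
    return flagged


# Constructed sample data.
SAMPLE_HOSTS = ["acme.okta.com", "acme-okta.com", "login.acme-okta.us",
                "contoso-okta.org", "example.org"]
SAMPLE_AUTH_LOG = """\
2022-08-04T10:00:01Z alice mfa.push.challenge
2022-08-04T10:00:40Z alice mfa.push.challenge
2022-08-04T10:01:15Z alice mfa.push.challenge
2022-08-04T10:01:50Z alice mfa.push.challenge
2022-08-04T10:00:05Z bob mfa.push.challenge
2022-08-04T11:30:00Z bob mfa.push.challenge
"""

if __name__ == "__main__":
    print(scan_hosts(SAMPLE_HOSTS, {"acme"}))
    print(push_storms(parse_auth_log(SAMPLE_AUTH_LOG)))
```

On the sample data, `scan_hosts` flags both `acme-okta.com` and `login.acme-okta.us` as lookalikes of the defender's own org and `contoso-okta.org` as matching the campaign's format for another org, while the legitimate tenant format `acme.okta.com` passes; `push_storms` flags `alice` (four pushes in under two minutes) and ignores `bob` (two pushes ninety minutes apart). The threshold and window are starting points to tune against a tenant's normal push volume.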