The criminals behind the attempted cyberattacks on Twilio and Cloudflare earlier this month cast a much wider net in their phishing expedition, targeting up to 135 organizations – mostly IT service providers, software development firms and US-based cloud services.
The gang went after employees of Okta customers, sending them text messages containing links to sites spoofing their company's Okta login page, in order to harvest work login credentials and multi-factor authentication codes. For this reason, Group-IB analysts named the campaign Oktapus.
In a report released on Thursday, Group-IB's Threat Intelligence team found that the Oktapus phishing campaign, which began in March, stole 9,931 user credentials and 5,441 multi-factor authentication codes.
"The attackers' initial goal was clear: to obtain Okta credentials and two-factor authentication (2FA) codes from users of the targeted organizations," wrote Group-IB researchers Roberto Martinez and Rustam Mirkasymov.
“With this information in hand, attackers could gain unauthorized access to any company resources that victims have access to.”
The crooks then used the stolen credentials and 2FA codes to carry out several supply chain attacks. They broke into the marketing platform Klaviyo and the email service Mailchimp, which in turn allowed them to harvest the email addresses of DigitalOcean customers and phish those people.
And, of course, the attackers tried and failed to hit Cloudflare, and did manage to break into Twilio, which in turn allowed them to target users of Signal, a Twilio customer, and obtain the phone numbers and SMS registration codes of 1,900 users of the encrypted messaging service.
Group-IB’s research includes a screenshot of some of the phishing sites that mimicked Okta’s authentication pages, and based on that, companies targeted include AT&T, Verizon, T-Mobile and the messaging service Mailgun.
In total, the researchers found 169 unique domains involved with Oktapus, and they noted that the phishing kit used by the attackers included a legitimate image used by sites requiring Okta authentication.
The phishing sites, which closely resembled the organizations' real authentication pages, asked employees to enter their username and password, then asked them for a 2FA code. The stolen credentials and codes were forwarded to a Telegram channel controlled by the attackers, who used them to access company data, emails and internal documents, we are told.
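Group-IB notes that the kit hot-linked a legitimate image used by sites requiring Okta authentication. That gives defenders a cheap hunting signal: a cloned login page that embeds assets from your real SSO page shows up in your own access logs as requests for those assets with a Referer you do not recognise. The script below is an added example, not code from the Group-IB report or from The Register; it parses constructed Combined Log Format lines for a hypothetical organisation (`example`), flags referers outside an assumed allow-list that fetched watched login-page assets, and scores each flagged host by the brand and Oktapus-style tokens (okta, sso, help, vpn and so on) it contains.

```python
"""Hunt for phishing-kit clones by watching who hot-links your login-page assets.

Added example (not from the Group-IB report). Assumes a Combined Log Format
access log for the organisation's own SSO login page; all hosts, paths and log
lines below are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Combined Log Format: host ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assets the real login page serves that a cloned page is likely to hot-link (hypothetical).
WATCHED_ASSETS = {"/assets/logo.png", "/assets/okta-sign-in.css"}

# Origins allowed to embed those assets (hypothetical).
ALLOWED_HOSTS = {"sso.example.com", "example.okta.com", "intranet.example.com"}

# Tokens that Oktapus-style lookalike domains combined with the victim's brand name.
SUSPICIOUS_TOKENS = ("okta", "sso", "vpn", "help", "login", "auth", "mfa")
BRAND = "example"  # the organisation's own brand string (hypothetical)

# Constructed sample log: one legitimate embed, two lookalike clones, one direct
# fetch with no Referer, and one unrelated page hit.
SAMPLE_LOG = """\
203.0.113.9 - - [20/Aug/2022:09:14:02 +0000] "GET /assets/logo.png HTTP/1.1" 200 5123 "https://sso.example.com/login" "Mozilla/5.0"
198.51.100.4 - - [20/Aug/2022:09:15:11 +0000] "GET /assets/logo.png HTTP/1.1" 200 5123 "https://example-sso.com/" "Mozilla/5.0"
198.51.100.7 - - [20/Aug/2022:09:15:40 +0000] "GET /assets/okta-sign-in.css HTTP/1.1" 200 8810 "http://example-okta-help.net/verify" "Mozilla/5.0"
192.0.2.33 - - [20/Aug/2022:09:16:03 +0000] "GET /assets/logo.png HTTP/1.1" 200 5123 "-" "curl/7.85"
192.0.2.50 - - [20/Aug/2022:09:17:27 +0000] "GET /index.html HTTP/1.1" 200 1200 "https://evil.example.net/" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one Combined Log Format line; return a dict of fields, or None if malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def referer_host(referer):
    """Return the lower-cased host from a Referer value, or None when it is absent ("-")."""
    if not referer or referer == "-":
        return None
    host = urlsplit(referer).hostname
    return host.lower() if host else None


def score_domain(host):
    """Count the brand string and suspicious tokens present in a host name.

    A clone such as example-okta-help.net scores 3 (brand + okta + help);
    a host with none of them scores 0. Higher means more worth a look."""
    h = host.lower()
    score = 1 if BRAND in h else 0
    score += sum(1 for tok in SUSPICIOUS_TOKENS if tok in h)
    return score


def find_hotlinking_hosts(log_text):
    """Return {host: {"hits": n, "assets": set, "score": s}} for every Referer host
    that is not on the allow-list and fetched one of the watched assets.

    Requests with no Referer are skipped: they may be direct fetches or clients
    that strip the header, so they are not evidence of a clone on their own."""
    findings = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] not in WATCHED_ASSETS:
            continue
        host = referer_host(rec["referer"])
        if host is None or host in ALLOWED_HOSTS:
            continue  # direct fetch or legitimate embed
        entry = findings.setdefault(
            host, {"hits": 0, "assets": set(), "score": score_domain(host)}
        )
        entry["hits"] += 1
        entry["assets"].add(rec["path"])
    return findings


if __name__ == "__main__":
    ranked = sorted(find_hotlinking_hosts(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["score"])
    for host, info in ranked:
        print(f"{host}: score={info['score']} hits={info['hits']} assets={sorted(info['assets'])}")
```

Two caveats a practitioner should keep in mind. First, this is a hunting signal, not a control: a kit that copies the image locally, or a browser that sends no Referer, leaves no trace here, and an allow-list miss produces noise, so treat a hit as a lead to verify (WHOIS, screenshot, takedown) rather than an alert on its own. Second, nothing in this detection changes the underlying weakness the campaign exploited: a one-time code that the victim types into a lookalike page is accepted by the real Okta tenant as long as the attacker relays it within its validity window, which is why stolen 2FA codes were as useful to the gang as stolen passwords.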
While most of the companies targeted can be categorized as tech companies – this includes 53 software companies, 22 telecommunications companies and 21 enterprise service providers – the attackers also hit organizations in finance (13), education (9), retail (7), logistics (4), video games (2), legal services (2) and power supply (2).
“Seeing financial companies in the compromised list gives us the idea that the attackers were also trying to steal money,” the researchers noted. “In addition, some of the targeted companies provide access to crypto assets and markets, while others develop investment tools.”
The bulk of the targeted organizations are headquartered in the United States (114), and those in other countries have US-based employees who were targeted, according to Group-IB.
However, they warned, we are unlikely to know the scale of the attack for some time. ®