Criminals behind the cyberattack attempts on Twilio and Cloudflare earlier this month had cast a much wider net in their phishing expedition, targeting as many as 135 organizations — primarily IT, software development and cloud services providers based in the US.
The gang went after the employees of Okta customers, sending victims text messages with malicious links to sites spoofing their company’s authentication page to harvest their work login credentials and multi-factor authentication codes. Because of this, Group-IB analysts named the campaign Oktapus.
In research published Thursday, the threat intel team revealed the Oktapus phishing trip, which began in March, snaffled 9,931 user credentials and 5,441 multi-factor authentication codes.
“The initial objective of the attackers was clear: obtain Okta identity credentials and two-factor authentication (2FA) codes from users of the targeted organizations,” Group-IB researchers Roberto Martinez and Rustam Mirkasymov wrote.
“With this information in hand, the attackers could gain unauthorized access to any enterprise resources the victims have access to.”
The crooks then used the stolen credentials and 2FA codes to carry out several supply-chain attacks. They broke into marketing firm Klaviyo and email service Mailchimp, which then allowed the miscreants to harvest the email addresses of DigitalOcean customers to phish those folks.
And, of course, the attackers tried and failed to hit Cloudflare, and successfully got into Twilio, which then allowed them to target the users of Twilio customer Signal and gain the phone numbers and registration codes for 1,900 users of the encrypted messaging service.
Group-IB’s research includes a screenshot of some of the phishing sites that mimicked Okta authentication pages; judging from the domains shown there, the targeted companies include AT&T, Verizon, T-Mobile and email service Mailgun.
In total, the researchers found 169 unique domains involved in Oktapus, and they noted that the phishing kit used by the attackers included a legitimate image used by sites that require Okta authentication.
The phishing sites, which looked very similar to the organizations’ real authentication pages, asked employees to enter their username and password, and then asked them for a 2FA code. These stolen credentials were then sent to an attacker-controlled Telegram channel, and miscreants used them to access corporate data, emails and internal documents, we’re told.
While most of the companies targeted can be broadly categorized as technology firms — this includes 53 software vendors, 22 telecom companies and 21 business services providers — attackers also hit organizations in finance (13), education (9), retail (7), logistics (4), video games (2), legal services (2), and power supply (2).
“Seeing financial companies in the compromised list gives us the idea that the attackers were also trying to steal money,” the researchers noted. “Furthermore, some of the targeted companies provide access to crypto assets and markets, whereas others develop investment tools.”
The bulk of the targeted organizations are headquartered in the US (114), and those headquartered elsewhere have US-based employees who were targeted, according to Group-IB.
However, they warned, we probably won’t know the full scope of the attack for some time. ®