The threat actors behind several recent cyberattacks, including those on Twilio, MailChimp and Klaviyo, compromised more than 130 companies with the same phishing campaign.
The primary goal of the threat actors was to obtain Okta identity credentials and two-factor authentication (2FA) codes from users of the targeted organizations. These users received text messages containing links to phishing sites that mimicked the Okta authentication page of their organization.
The campaign relied on a phishing kit that the Group-IB Threat Intelligence team codenamed '0ktapus', after the popular Identity and Access Management service it impersonated, to steal approximately 10,000 credentials. The attackers then used those credentials to access corporate networks and systems through VPNs and other remote access devices.
According to Group-IB, once the attackers compromised a single organization, they were quickly able to pivot and launch subsequent supply chain attacks.
The Group-IB team found that the threat actor stole 9,931 user credentials, including 3,129 records with emails and 5,441 records with MFA codes. Because two-thirds of the data didn’t contain a corporate email but only usernames and 2FA codes, Group-IB researchers could only identify the region of residence of the victims.
It is still unknown how the threat actors prepared their target list and how they obtained the phone numbers.
However, the compromised data analyzed by Group-IB shows that the threat actors began by targeting mobile operators and telecommunications companies, and they could have collected the numbers from those initial attacks.
Group-IB also uncovered and analyzed the attackers' phishing infrastructure, including the phishing domains, the phishing kit itself, and the Telegram channel the threat actors controlled and used as a drop point for the stolen data.
Group-IB researchers discovered 169 unique phishing domains involved in the 0ktapus campaign. The domains used keywords like SSO, VPN, OKTA, MFA, and HELP.
From the victim's point of view the phishing sites look convincing, because they closely resemble the legitimate authentication page users are accustomed to seeing.
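The domain pattern described above (an organization's name combined with keywords such as SSO, VPN, OKTA, MFA and HELP) is something a defender can hunt for in newly registered domain feeds or certificate transparency logs. The following is an added illustration, not Group-IB's tooling or anything from the 0ktapus kit; the domain list is constructed for the example and the scoring thresholds are an assumption, not a value from the report.

```python
"""Flag lookalike domains that pair an organization's name with the keywords
Group-IB observed in the 0ktapus phishing domains.

Added example, not Group-IB's tooling. SAMPLE_DOMAINS is constructed for
illustration and does not reproduce any real attacker infrastructure.
"""
import re

# Keywords reported in the campaign's phishing domains.
KEYWORDS = ("sso", "vpn", "okta", "mfa", "help")

# Constructed candidate list, e.g. from a new-domain feed or CT log scrape.
SAMPLE_DOMAINS = [
    "example-sso.com",
    "example-okta-help.net",
    "vpn-example.org",
    "news.example.com",        # legitimate subdomain, must not be flagged
    "weather-report.info",     # unrelated noise
    "mfa-examplecorp.com",
]


def score_domain(domain, org_tokens):
    """Return (score, keyword_hits, org_hit) for a single domain.

    The TLD is dropped before tokenizing so that a TLD such as ".org" cannot
    match an organization token. Each campaign keyword found in a label
    counts 1; the presence of an organization token counts 2 (assumed
    weights, chosen so that "org name + one keyword" reaches the threshold).
    """
    labels = domain.lower().split(".")
    name = ".".join(labels[:-1])            # strip the TLD
    tokens = re.split(r"[.-]", name)        # split on dots and hyphens
    hits = [k for k in KEYWORDS if any(k in t for t in tokens)]
    org_hit = any(o in t for o in org_tokens for t in tokens)
    return len(hits) + (2 if org_hit else 0), hits, org_hit


def flag_lookalikes(domains, org_tokens, legit_suffixes, min_score=3):
    """Return [(domain, score, keyword_hits)] for domains at or above min_score.

    Domains that are the organization's own (exact match or subdomain of a
    suffix in legit_suffixes) are skipped so the org's real SSO hosts do not
    show up as findings.
    """
    flagged = []
    for d in domains:
        dl = d.lower()
        if any(dl == s or dl.endswith("." + s) for s in legit_suffixes):
            continue
        score, hits, _ = score_domain(d, org_tokens)
        if score >= min_score:
            flagged.append((d, score, hits))
    return flagged


if __name__ == "__main__":
    for d, score, hits in flag_lookalikes(SAMPLE_DOMAINS, ("example",), ("example.com",)):
        print(f"{d:28} score={score} keywords={hits}")
```

The threshold of 3 means a domain is flagged when it combines the organization token with at least one campaign keyword, or carries three keywords on its own; tune `org_tokens` to the brand names and abbreviations employees actually see on the real login page, and feed the flagged list into a takedown or blocklist workflow rather than treating it as proof of phishing by itself.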
According to Patrick Harr, CEO at SlashNext, the Twilio and Cloudflare breaches demonstrate the rise in SMS phishing attacks to successfully harvest credentials at the start of the attack chain to perpetrate a breach. “These attacks were well planned and executed. They are hard to identify, and organizations cannot rely on employee training to stop SMS and other communication channel attacks,” says Harr.
Harr notes that security professionals are more concerned about smishing and mobile attacks. "Now with these attacks, it should be a wake-up call to all organizations to put proactive AI and behavioral learning security controls in place to stop these types of attacks before employees are compromised," Harr adds.
All victim organizations identified by Group-IB researchers have been notified and provided with the list of compromised accounts.
The findings about the alleged identity of the threat actor have been shared with international law enforcement agencies.