0ktapus phishing campaign: Twilio hackers targeted other 136 organizations

The threat actors behind Twilio and Cloudflare attacks have been linked to a phishing campaign that targeted other 136 organizations.

The threat actors behind the attacks on Twilio and Cloudflare have been linked to a large-scale phishing campaign that targeted 136 organizations, security firm Group-IB reported. Most of the victims are organizations providing IT, software development, and cloud services.

The campaign, codenamed 0ktapus, resulted in the compromise of 9,931 accounts, 3120 compromised user credentials with email.

Threat actors behind the 0ktapus campaign aimed at obtaining Okta identity credentials and two-factor authentication (2FA) codes from users of the targeted organizations. Then the attackers could gain unauthorized access to any enterprise resources by using this information.

Experts pointed out that despite using low-skill methods, threat actors were able to compromise a large number of well-known organizations. Group-IB speculates that the attack was planned carefully in advance because once the attackers compromised an organization they were quickly able to pivot and launch subsequent supply chain attacks.

The threat actors targeted employees of companies that are customers of IAM leader Okta, the attack chain started with text messages sent to the victims containing links to phishing sites that mimicked the Okta authentication page of the respective targeted entities.

“In total, the Group-IB Threat Intelligence team detected 169 unique domains involved in the 0ktapus campaign.” reads the analysis published by Group-IB. “These domains were all used by the attackers to target organizations in multiple industries, located mostly in the United States and Canada. Based on the fact that all of these organizations use Okta’s Identity and Access Management services to secure access to enterprise resources, we named this campaign 0ktapus.”

The phishing site used in this campaign is static, this means that threat attackers cannot interact with victims in real-time. To avoid the expiration of 2FA codes, the attackers need to use the compromised data as soon as they get it, for this reason they need monitoring their tools continuously and using the credentials as soon as they received them.

The phishing kit used in this campaign used Telegram channel to drop the compromised information.

The experts linked one of the channel administrators, who used the moniker “X”, to a Twitter and a GitHub account that suggests the individual may be located in the North Carolina, US.

Below is the list of recommendations provided by Group-IB to mitigate similar attacks:

1. End users should always check, carefully, the URL of the site where you are entering your credentials. This is especially important for users with privileged accounts.
2. Treat all URLs that were received from unknown sources as suspicious. If in doubt, forward them to your security team for analysis.
3. Implement a FIDO2-compliant security key from a vendor like YubiKey for multi-factor authentication, like Cloudflare suggests
4. If you think your credentials might have been compromised, immediately change your password, sign off from all active sessions, and report the incident to your manager and security team.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, 0ktapus)

[adrotate banner=”5″]

[adrotate banner=”13″]