In an extensive phishing operation, more than 130 businesses got entangled that mimicked a multi-factor authentication system.
A large-scale phishing effort compromising 9,931 accounts across more than 130 institutions has been linked to specific assaults on Twilio and Cloudflare employees. These campaigns are connected to specific misuses of Okta, a company specializing in identity and access management. This activity led researchers to label the threat culprits as ‘0ktapus’.
The main objective of the malicious entities was to procure Okta identity details and multi-factor authentication (MFA) codes from individuals within the organizations they aimed at,” stated Group-IB researchers in a newly published report. These individuals were sent messages with links leading to deceptive websites that resembled the Okta verification page of their respective organizations.
A total of 114 US firms were affected, along with numerous others dispersed throughout 68 different countries.
Group-IB’s senior threat intelligence analyst, Roberto Martinez, expressed that the extent of the attacks remains a mystery. He commented that the 0ktapus campaign has achieved remarkable success, and we might not grasp its full magnitude for a while.
The Motive Behind the 0ktapus Hackers
It is speculated that the 0ktapus cybercriminals initiated their attack strategy by focusing on telecommunication firms, with the aim of gaining control over the phone numbers of their prospective targets.
Though it’s unclear precisely how cybercriminals acquired a list of phone numbers used in multi-factor authentication (MFA) related attacks, one hypothesis suggested by researchers is that the 0ktapus attackers initiated their campaign by focusing on telecommunication firms.
Based on the breached information studied by Group-IB, it seems the cybercriminals initiated their assaults by focusing on mobile carriers and telecom firms. It’s possible they gathered the numbers from these initial strikes, according to the researchers.
Following this, the cyber criminals dispatched deceptive links to their victims through SMS. These links directed the recipients to fake websites that were an exact replica of the Okta verification page their employer typically uses. The unsuspecting victims were then tricked into providing their Okta login details along with the multi-factor authentication (MFA) codes they usually utilize to safeguard their login process.
In a related technical article, experts from Group-IB elaborate that the preliminary breaches, primarily targeting software-as-a-service companies, represented the first stage in a multi-faceted assault. 0ktapus’ endgame was to infiltrate corporate mailing lists or customer-oriented systems with the intention of enabling supply-chain attacks.
In what could potentially be a linked event, DoorDash disclosed that it had been hit by a cyber-attack, bearing striking resemblances to a typical 0ktapus strike, just a few hours after Group-IB released their report late last week.
Explosion Scope: Assaults on Multi-factor Authentication
In a recent online journal entry, DoorDash disclosed that an “illicit entity exploited purloined login details of vendor staff to infiltrate some of our in-house utilities.” As per the entry, the cybercriminals proceeded to pilfer personal data – encompassing names, contact numbers, email IDs, and delivery locations – from clients and delivery personnel.
Throughout its operation, the perpetrator successfully breached 5,441 MFA codes, as reported by Group-IB.
“Protocols like Multi-Factor Authentication might seem impenetrable, but it’s evident that hackers can breach them using fairly basic instruments,” stated the experts.
“Once again, we’re seeing a phishing assault that demonstrates the ease with which opponents can circumvent ostensible secure multifactor authentication,” says Roger Grimes, a data-driven defense advocate at KnowBe4, in an email statement. “Shifting users from passwords that are simple to phish to MFA that is also susceptible to phishing is essentially pointless. It involves a great deal of effort, assets, time, and cash, all for no tangible gain.”
To combat campaigns similar to 0ktapus, experts suggest maintaining caution with URLs and passwords, along with the adoption of security keys that comply with FIDO2 standards for Multi-Factor Authentication (MFA).
“No matter the type of MFA an individual opts for,” Grimes suggested, “it’s crucial to educate them about the prevalent attack strategies targeted at their chosen MFA, how to identify these attacks, and the appropriate reaction. Similar to how we advise users on selecting passwords, we should also be advising them on the use of supposedly safer MFA.”
