In the same phishing attempt, hackers responsible for a number of recent hacks, including those on Twilio, MailChimp, Cloudflare, and Klaviyo, compromised over 130 firms.
The hackers used a phishing kit nicknamed ‘0ktapus’ to capture 9,931 login credentials, which they then exploited to gain access to business networks and systems using VPNs and other remote access devices.
The 0ktapus campaign, according to a Group-IB assessment, has been active since at least March 2022, with the goal of stealing Okta identity credentials and 2FA codes and using them to carry out further supply chain assaults.
These attacks were extremely successful, resulting in a slew of data breaches at Twilio, MailChimp, Cloudflare, and Klaviyo. Furthermore, these vulnerabilities resulted in supply-chain assaults on clients who used these services, including Signal and DigitalOcean.
The threat actors targeted firms in a variety of areas, including bitcoin, technology, banking, and recruiting, using the phishing domains generated in this campaign.
T-Mobile, MetroPCS, Verizon Wireless, AT&T, Slack, Twitter, Binance, KuCoin, CoinBase, Microsoft, Epic Games, Riot Games, Evernote, AT&T, HubSpot, TTEC, and Best Buy are among the organizations targeted.
The 0ktapus’ many arms
The assault starts with an SMS message and a link to a phishing page that looks like an Okta login page, prompting victims to enter their account credentials and 2FA tokens.
Okta is an identity-as-a-service (IDaaS) platform that allows employees to access all software assets in their firm with a single login.
Using the keywords “OKTA,” “HELP,” “VPN,” and “SSO,” researchers uncovered 169 unique phishing domains supporting the 0ktapus campaign, as seen in the instances below.
t-mobile-okta[.]org
att-citrix[.]com
vzwcorp[.]co
mailchimp-help[.]com
slack-mailchimp[.]com
kucoin-sso[.]comThese sites incorporate the target companies’ distinctive theming, so they appear exactly like the genuine portals that employees are used to seeing throughout their everyday login procedure.
When victims enter their credentials and two-factor authentication codes, the sites send them to a private Telegram channel where threat actors can collect them. These login credentials were then utilized by the hackers to obtain access to company VPNs, networks, and internal customer support systems in order to steal client data. As we witnessed with DigitalOcean and Signal, this customer data was subsequently utilized to launch additional supply-chain assaults.
According to the admissions of previous victims, threat actors frequently targeted data belonging to bitcoin companies. According to Group-IB, the threat actors stole 9,931 user credentials from 136 enterprises, 3,129 records with emails, and 5,441 records with MFA codes, with the majority of the affected organizations based in the United States.
