Okta Hackers Behind Twilio and Cloudflare Breach Hit Over 130 Organizations
The threat actor behind the attacks on Twilio and Cloudflare earlier this month has been linked to a broader phishing campaign targeting 136 organizations that resulted in a cumulative compromise of 9,931 accounts.
The activity has been dubbed 0ktapus by Group-IB because the initial goal of the attacks was “to obtain the Okta identity credentials and two-factor authentication (2FA) codes of users from the target organizations.”
Calling the attacks well-designed and well-executed, the Singapore-based firm said the adversary targeted employees of companies that are customers of identity service provider Okta.
The modus operandi was to send targets text messages containing links to phishing sites that masqueraded as the Okta authentication page of the respective target entities.
“This case is of interest because, despite using low-skill methods, it was able to compromise a large number of well-known organizations,” Group-IB said. “Furthermore, once the attackers compromised an organization, they were quickly able to pivot and launch subsequent supply chain attacks, indicating that the attack was carefully planned in advance.”
At least 169 unique phishing domains are said to have been created for this purpose, with victim organizations located primarily in the US (114), India (4), Canada (3), France (2), Sweden (2) and Australia (1), among others. These websites were linked by the fact that they made use of a previously undocumented phishing kit.
Most of the affected organizations are software companies, followed by those in the telecommunications, business services, finance, education, retail and logistics sectors.
What’s notable about the attacks is the use of an actor-controlled Telegram channel to exfiltrate compromised information, which included user credentials, email addresses, and multi-factor authentication (MFA) codes.
Group-IB said it was able to link one of the channel’s administrators, who goes by the alias X, to a Twitter and GitHub account that suggests the individual may be based in the US state of North Carolina.
The ultimate goals of the campaign are still unclear, but it is suspected to be espionage and financially motivated, allowing the threat actor to access sensitive data, intellectual property, and corporate inboxes, as well as divert funds.
On top of that, the attempts to hack Signal accounts imply that the attackers are also trying to obtain private conversations and other sensitive data. It is not yet known how the hackers obtained the phone numbers and names of the employees.
“While the threat actor may have been lucky in their attacks, it is far more likely that they carefully planned their phishing campaign to launch sophisticated supply chain attacks,” said Roberto Martinez, an analyst at Group-IB.
“It remains unclear whether the attacks were planned from start to finish or if opportunistic steps were taken at each stage. Regardless, the 0ktapus campaign has been incredibly successful, and its full scale will not be known for some time.”