Organizations implement Multi-factor authentication (MFA) as an enterprise identity security tool to protect them against credential theft, brute force techniques, and dictionary attacks. But what if a cybercriminal intercepts MFA? Read on to know how attackers planned the sophisticated attack on Okta customers.
Cybercriminals who attempted the cyberattacks on Twilio and Cloudflare earlier this year cast a wider net in their malicious expedition and targeted over 135 organizations – primarily cloud services providers, software development, and IT industries based in the US.
Attackers went after employees and customers of Okta, a customizable and secure solution to add authorization and authentication services to applications. Cybercriminals sent text messages containing malicious links to websites spoofing Okta’s authentication page. They launched a sophisticated campaign to harvest their multi-factor authentication codes and work login credentials.
How Group-IB Intelligence Analysts Uncovered The Attack
Group-IB intelligence analysts received a request from their client on July 26, 2022, asking them for additional information on a recent credential phishing attack they had experienced. Group-IB started the investigation after the client provided IP addresses and domain names used in the attack.
Group-IB analysts used Threat Intelligence, in-house, and public tools to gather the list of attacked domains. They discovered that the client was among several reputed organizations targeted in a widespread phishing campaign that Group-IB researchers codenamed 0ktapus.
The attackers started with a clear goal to obtain two-factor authentication (2FA) codes and Okta identity credentials from customers/employees of the targeted organizations. Using this information, the attackers might have gained unauthorized access to confidential enterprise resources that victims can access.
Extent of Damage
The Group-IB team discovered that the cybercriminals stole 9,931 user credentials, including 5,441 records with MFA codes and 3,129 records with emails. Since two-thirds of the data did not include a corporate email but only 2FA codes and usernames, researchers could only identify the victims’ region of residence.
The Group-IB team identified 136 victim organizations, of which 114 companies are based in the USA. The list also includes enterprises headquartered in other countries but having US-based employees who got targeted. Most victim organizations offer software development, cloud, and IT services.
As mentioned in Twilio’s blog, cybercriminals tried to obtain credentials to access corporate emails, private data, and internal documents. Since evidence suggests that financial companies were on the compromised list, it gives us the idea that malicious actors were also trying to steal money. Furthermore, some targeted companies develop investment tools, while others provide access to crypto assets and markets.
Several Supply Chain Attacks
According to Roberto Martinez, Senior Threat Intelligence analyst with Group-IB, Europe, “The threat actors were lucky in their attacks. However, they likely carefully planned their sophisticated phishing campaign to launch several supply chain attacks.”
- There was a breach at marketing firm Klaviyo and personal information connected to crypto-related accounts, including names, phone numbers, addresses, and emails, got stolen. The attackers can use this information to steal cryptocurrency.
- Email platform Mailchimp got breached, and hackers gained access to data from crypto-related organizations and disrupted operations. Technology firm DigitalOcean used Mailchimp to send email-based alerts like confirmation emails, password resets, etc. By initiating and redirecting password resets, attackers might have compromised the customers of DigitalOcean.
- Twilio, the phone number verification provider, got breached, allowing the attacker to attempt and re-register Signal accounts to different mobile devices.
- Cloudflare said attackers attempted a similar attack to the one made on the communications platform Twilio last week. But the Cloudflare team thwarted the attack using hardware security keys required to access services and applications.
How Threat Actors Target Victims
Attackers planned the attack to obtain Okta MFA codes and identity credentials from users of the targeted enterprises.
- The users received text messages with links to malicious websites that mimicked their organization’s Okta authentication page.
- From the victim’s viewpoint, the phishing site looked quite convincing because it resembled the authentication page they use daily.
- They got prompted for their username and password.
- After entering the details, they got redirected to a second page asking for their 2FA code.
- After handing the code to the phishers, the browser downloaded a legitimate copy of AnyDesk, the remote administration tool. It is unclear why attackers pushed AnyDesk.exe to the victim’s system, especially if they sent the phishing link via SMS to a mobile phone.
- The Group-IB team concluded that the attacker didn’t appropriately configure the phishing kit to target mobile devices, indicating the attacker is inexperienced.
(Source: Group-IB)
The malicious website is static, meaning cybercriminals cannot interact with the victims in real time like other sophisticated phishing kits. However, the attackers must use the compromised data quickly to gain access before the 2FA codes expire. Thus, malicious actors continuously monitored their tools and used the credentials soon after receiving them.
How to Protect Against Such Attacks?
Maintaining a secure organizational environment requires ongoing vigilance. Security measures like MFA can appear safe and secure, but as evident from the 0ktapus campaign, attackers can overcome them using sophisticated tools. According to Group-IB, organizations can take the following measures to mitigate similar attacks:
- End-users must always check the website URL where they are entering their credentials. It becomes especially crucial for users with privileged accounts.
- Users must treat all URLs they receive from unknown resources as suspicious. They should forward them to their security teams for analysis when in doubt.
- As the attack on Cloudflare suggests, organizations must implement a FIDO2-compliant security key from vendors like YubiKey for MFA.
- If users think their credentials got compromised, they must change their password immediately, sign off from active sessions, and report the incident to their manager and security team.
What Experts Have to Say About Such Attacks
- Rustam Mirkasymov, Head of Cyber Threat Research, Group-IB Europe
The attackers’ methods to execute 0ktapus were not special, but the planning and the way it pivoted from one organization to another make it worth noticing. It shows how vulnerable modern enterprises are to basic social engineering attacks and the far-reaching effects of such incidents on their partners and customers.
- Patrick Harr, CEO, SlashNext
The Cloudflare and Twilio breaches demonstrated the rise in smishing (SMS phishing) attacks to successfully harvest user credentials at the attack chain’s start and perpetrate a breach. The attackers are hard to identify, so organizations cannot solely rely on employee training to stop such attacks. The organization must implement proactive AI (artificial intelligence) and behavioral learning security safeguards to prevent such attacks before employee details get compromised.
- Monnia Deng, Director of product marketing, Bolster
Phishing websites saw an unexpected surge in 2022, and Twilio is one of the major breaches that stemmed from look-alike domains this year. Research shows that the problem will increase tenfold in 2022 because such campaigns are easy to deploy and effective in a post-pandemic digital work era. The only way to respond to such attacks is to deploy a preconfigured takedown automation of malicious websites offered by a real-time digital risk vendor specializing in the detection and takedown of phishing websites.
Final Words
Attacks like 0ktapus bring organizations closer to the truth of how vulnerable they are to such social engineering attacks. Even if they deploy robust security standards like MFA, they cannot rest assured that they are fully protected against such sophisticated attack vectors.
Thus, organizations must analyze which employees are most at risk and find ways to train them best. Furthermore, applying adaptive security controls is a prudent way to implement a successful phishing protection strategy against such attacks.