An ongoing phishing campaign has spoofed multi-factor authentication systems at over 130 companies.
The phishing campaign compromised 9,931 accounts at over 130 organisations, including Twilio and Cloudflare. Its targeted abuse of Okta has earned the campaign the name 0ktapus.
“The primary goal of the threat actors was to obtain Okta identity credentials and multi-factor authentication (MFA) codes from users of the targeted organisations,” according to a Group-IB report. “These users received text messages containing links to phishing sites that mimicked the Okta authentication page of their organisation.”
There were 114 US-based firms affected, with additional victims scattered across 68 countries, including Australia and New Zealand.
According to a senior threat intelligence analyst at Group-IB, it is unknown what the scope of the attacks is. “The 0ktapus campaign has been incredibly successful, and the full scale of it may not be known for some time,” he said.
Goal of the 0ktapus hacking campaign
0ktapus attackers began their campaign by targeting telecommunications companies to gain access to phone numbers.
Researchers theorise that the 0ktapus attackers started their campaign by targeting telecommunications companies to obtain the phone numbers they then used in their MFA-related attacks.
Next, attackers sent phishing links via text message to targets. The links led to websites mimicking the Okta authentication page used by the target’s employer. In addition to Okta credentials, victims had to supply multi-factor authentication (MFA) codes used by employers to secure their logins.
An accompanying technical blog explains that the initial compromises of software-as-a-service firms were merely the first phase of a multifaceted attack. The goal of 0ktapus was to gain access to company mailing lists or customer-facing systems to facilitate supply-chain attacks.
In a possibly related incident, DoorDash revealed, within hours of Group-IB publishing its report late last week, that it had been the victim of an attack bearing all the hallmarks of 0ktapus.
More MFA attacks to come
Group-IB reported that the attackers compromised 5,441 MFA codes during their campaign.
It has become easier for threat actors to bypass supposedly secure multi-factor authentication through attacks on MFA itself, and these threats won’t subside anytime soon. Globally, phishing attacks rose by 29 per cent in 2021, according to Zscaler, which notes that SMS phishing is growing faster than other kinds of scams because people have become better at identifying fraudulent emails.
The more you know about the types of attacks committed against the MFA you use, the better prepared you will be to detect and respond to them safely.
To mitigate 0ktapus-style campaigns, researchers recommend using FIDO2-compliant security keys for MFA and good URL and password hygiene.
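To show why the FIDO2 recommendation above defeats the SMS-to-lookalike-page flow described earlier, here is an added Go example (not code from Group-IB, Okta or any vendor) that models WebAuthn's origin binding in miniature: the browser, not the page, records the origin; the security key answers only for the relying-party ID it was registered to; and the signature covers both, so a credential phished on a lookalike domain cannot be replayed against the real login service. The tenant hostname, the lookalike domain and the challenge string are constructed placeholders, and Ed25519 stands in for the real attestation and assertion formats, which also carry counters, flags and user-presence bits omitted here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// clientData mirrors WebAuthn clientDataJSON: the browser (not the page) records the origin.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

type assertion struct {
	RPIDHash   [32]byte
	ClientData []byte
	Signature  []byte
}

// authenticator is a simplified FIDO2 security key: one key pair per relying-party ID.
type authenticator map[string]ed25519.PrivateKey

// sign models browser plus key: the browser derives rpID from the page origin and writes that
// origin into clientData; the key answers only for an rpID it holds a credential for and signs
// sha256(rpID) || sha256(clientDataJSON), so the origin is covered by the signature.
func (a authenticator) sign(pageOrigin, rpID, challenge string) (*assertion, error) {
	priv, ok := a[rpID]
	if !ok {
		return nil, fmt.Errorf("no credential registered for %q", rpID)
	}
	cd, err := json.Marshal(clientData{Challenge: challenge, Origin: pageOrigin})
	if err != nil {
		return nil, err
	}
	rpHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(cd)
	sig := ed25519.Sign(priv, append(rpHash[:], cdHash[:]...))
	return &assertion{RPIDHash: rpHash, ClientData: cd, Signature: sig}, nil
}

// relyingParty is the legitimate identity-provider login service.
type relyingParty struct {
	rpID, origin string
	pub          ed25519.PublicKey
}

// verify accepts an assertion only if origin, challenge, rpID and signature all match.
func (rp *relyingParty) verify(challenge string, as *assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientData, &cd); err != nil {
		return err
	}
	cdHash := sha256.Sum256(as.ClientData)
	switch {
	case cd.Origin != rp.origin:
		return fmt.Errorf("origin mismatch: %s", cd.Origin)
	case cd.Challenge != challenge:
		return fmt.Errorf("challenge mismatch")
	case as.RPIDHash != sha256.Sum256([]byte(rp.rpID)):
		return fmt.Errorf("rpID mismatch")
	case !ed25519.Verify(rp.pub, append(as.RPIDHash[:], cdHash[:]...), as.Signature):
		return fmt.Errorf("bad signature")
	}
	return nil
}

// runScenarios registers one key with the real tenant, then plays a genuine login and two
// phishing attempts; a nil result means the relying party accepted the login.
func runScenarios() (legit, noCredential, originMismatch error) {
	const realOrigin, realRPID = "https://example.okta.com", "example.okta.com"          // hypothetical tenant
	const phishOrigin, phishRPID = "https://example-okta-sso.com", "example-okta-sso.com" // constructed lookalike
	pub, priv, err := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
	if err != nil {
		return err, err, err
	}
	auth := authenticator{realRPID: priv}
	rp := &relyingParty{rpID: realRPID, origin: realOrigin, pub: pub}
	challenge := "server-random-challenge" // a real server issues fresh random bytes per login
	attempt := func(pageOrigin, rpID string) error {
		as, err := auth.sign(pageOrigin, rpID, challenge)
		if err != nil {
			return err
		}
		return rp.verify(challenge, as)
	}
	legit = attempt(realOrigin, realRPID) // genuine login from the real page
	// Lookalike page: the browser scopes the request to the lookalike's rpID, for which
	// the key holds no credential, so no assertion (and nothing reusable) is produced.
	noCredential = attempt(phishOrigin, phishRPID)
	// Even if a tampered client forced the real rpID, the signed origin still names the
	// lookalike and the real service rejects it server-side.
	originMismatch = attempt(phishOrigin, realRPID)
	return legit, noCredential, originMismatch
}

func main() { fmt.Println(runScenarios()) }
```

Contrast this with the SMS flow in the article: an Okta password and a six-digit code are bearer secrets that work from any page that collects them, whereas the FIDO2 assertion is bound to the origin the browser saw, which is why the lookalike page in scenario two gets nothing at all and the forged attempt in scenario three is rejected by the origin check before the signature is even examined.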