The threat actor behind the phishing attacks that targeted employees of Twilio and Cloudflare earlier this month has now been linked to a much broader phishing campaign, according to a new report from Group-IB.
Researchers say that the large-scale phishing campaign compromised 9,931 accounts at more than 130 organizations. Group-IB has nicknamed the campaign 0ktapus because it impersonates Okta, a widely used Identity and Access Management (IAM) service.
Group-IB's Threat Intelligence Team says it has uncovered and analyzed the threat actor's phishing infrastructure, including the phishing domains, the phishing kit, and a Telegram channel controlled by the threat actors that received the stolen data.
The campaign has been active since at least March 2022, and is described as "a simple yet very effective single phishing campaign unprecedented in scale and reach." Robert Martinez, Senior Threat Intelligence Analyst at Group-IB, Europe, comments:
"While the threat actor may have been lucky in their attacks, it is far more likely that they carefully planned their phishing campaign to launch sophisticated supply chain attacks. It is not yet clear if the attacks were planned end-to-end in advance or whether opportunistic actions were taken at each stage. Regardless, the 0ktapus campaign has been incredibly successful, and the full scale of it may not be known for some time."
The goal of this phishing campaign was to obtain Okta credentials and two-factor authentication (2FA) codes from end-users in the targeted organizations. The end-users received text messages (SMS) with links to fraudulent pages mimicking their organization's Okta login page; anything typed into those pages, including the one-time 2FA code, went to the attackers.
Group-IB's report also includes a flow chart of the attack, a breakdown of where the targeted organizations are located, and a breakdown of the industries targeted most.
How can you reduce the chance that your organization falls victim to this phishing campaign? Group-IB provides four recommendations to mitigate this and similar phishing attacks:
- End-users should always check the URL of the site where they are entering their credentials, carefully and in full: the lookalike domains used in this campaign differ from the real Okta login page only slightly. This is especially important for users with privileged accounts.
- Treat all URLs received from unknown sources as suspicious. If in doubt, forward them to your security team for analysis.
- Implement FIDO2-compliant security keys (such as a YubiKey) for multi-factor authentication, as Cloudflare suggests. Unlike a 2FA code, a FIDO2 credential is bound to the origin it was registered on, so a lookalike page cannot obtain a response the real Okta tenant would accept, and there is no code for the user to type into a phishing page.
- If you think your credentials might have been compromised, immediately change your password, sign out of all active sessions, and report the incident to your manager and security team.
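The first and third recommendations are the same control applied in two places: a human (or a triage script) checking whether a hostname really belongs to the organization's Okta tenant, and a WebAuthn relying party checking the origin recorded in a FIDO2 assertion. The following is an added example written for this page, not code from Group-IB's report, Okta or Cloudflare. The tenant hostnames (`acme.okta.com`, `sso.acme.example`), the sample SMS URLs and the constructed clientDataJSON blobs are all assumptions made up for the illustration.

```python
"""Added example: the origin check behind recommendations 1 and 3 above.
One allow-list decides whether a URL from an SMS points at the organisation's
real Okta tenant, and whether a FIDO2/WebAuthn assertion was produced on that
tenant's origin. Tenant names, domains and sample inputs are constructed."""
import base64
import binascii
import json
from urllib.parse import urlsplit

# Constructed allow-list: the org's Okta tenant and its custom-domain SSO host.
LEGIT_HOSTS = {"acme.okta.com", "sso.acme.example"}


def to_ascii_host(host: str) -> str:
    """Canonical lower-case ASCII (IDNA) form, so a look-alike Unicode label and a
    pre-encoded xn-- label compare the same way. Raises UnicodeError on bad labels."""
    return host.rstrip(".").encode("idna").decode("ascii").lower()


def host_is_legit(host: str) -> bool:
    """Exact match only: no substring or suffix logic, so acme.okta.com.evil.example
    and the one-character variant acme-okta.com both fail."""
    try:
        return to_ascii_host(host) in LEGIT_HOSTS
    except UnicodeError:
        return False


def triage_sms_url(url: str) -> dict:
    """Recommendation 1/2 as code: a verdict and reason for a URL received by SMS."""
    parts = urlsplit(url.strip())
    host = parts.hostname or ""
    if parts.scheme not in ("http", "https") or not host:
        return {"verdict": "suspicious", "reason": "not an http(s) URL"}
    if host_is_legit(host):
        if parts.scheme != "https":
            return {"verdict": "suspicious", "reason": "legit host over plain http"}
        return {"verdict": "legit", "reason": "host on allow-list"}
    try:
        ascii_host = to_ascii_host(host)
    except UnicodeError:
        return {"verdict": "suspicious", "reason": "invalid hostname"}
    reasons = []
    if "xn--" in ascii_host:
        reasons.append("IDN/punycode label")
    if "okta" in ascii_host:
        reasons.append("'okta' in a host that is not ours")
    if any(h.split(".")[0] in ascii_host for h in LEGIT_HOSTS):
        reasons.append("our tenant name in a host that is not ours")
    return {"verdict": "suspicious", "reason": "; ".join(reasons) or "unknown host"}


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def rp_accepts_client_data(client_data_json: bytes, expected_challenge: bytes) -> bool:
    """Recommendation 3 as code: the relying party's checks on WebAuthn clientDataJSON
    (type, challenge, origin). The browser fills in `origin` from the page that called
    navigator.credentials.get(), and the authenticator's signature covers
    SHA-256(clientDataJSON), so a phishing page cannot present a different origin
    without invalidating the assertion. Signature verification is outside this example."""
    try:
        data = json.loads(client_data_json)
        if data.get("type") != "webauthn.get":
            return False
        if _b64url_decode(data.get("challenge", "")) != expected_challenge:
            return False
        origin = urlsplit(data.get("origin", ""))
        return (origin.scheme == "https" and origin.port is None
                and host_is_legit(origin.hostname or ""))
    except (ValueError, binascii.Error):
        return False


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """Constructed stand-in for the clientDataJSON a browser would build at `origin`."""
    return json.dumps({
        "type": "webauthn.get",
        "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode(),
        "origin": origin,
    }).encode()


if __name__ == "__main__":
    for u in ("https://acme.okta.com/login/login.htm",
              "https://acme.okta.com.verify-sso.example/",
              "https://acme-okta.com/",
              "http://sso.acme.example/"):
        print(u, triage_sms_url(u))
    chal = b"\x01" * 32
    print(rp_accepts_client_data(make_client_data("https://acme.okta.com", chal), chal))
    print(rp_accepts_client_data(make_client_data("https://acme-okta.com", chal), chal))
```

In a real deployment the server-side origin check is defence in depth: the browser already refuses to use a credential registered for rpId `acme.okta.com` from a page on `acme-okta.com`, because the rpId must be the page's effective domain or a registrable suffix of it. That browser-enforced binding is what a phished 2FA code lacks, and why the third recommendation closes the hole the first two ask users to avoid by eye.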
For more information on the phishing campaign, see the report from Group-IB.