- The threat actors behind the Twilio and Cloudflare breaches launched phishing attacks targeting 169 unique domains in a campaign researchers dubbed Oktapus, Singapore-based cybersecurity provider Group-IB said Thursday.
- Attackers used text message phishing to steal Okta identity credentials and two-factor authentication codes, the researchers said. If successful, attackers could leverage the credential data to access the target's enterprise environment. Okta did not respond to requests for comment.
- Since the Oktapus attacks began in March, threat actors have compromised more than almost 10,000 user credentials across 136 organizations, Group-IB said. The vast majority of the victims were U.S.-based and provided IT, software development or cloud services.
Once the threat actors gained access, they quickly launched additional supply chain attacks, a case seen when secure messaging platform Signal was caught in Twilio's compromise. Signal was one of Twilio's 125 breached customers and the fallout spread to 1,900 Signal users.
In many cases, the attackers used users' customer-facing systems or mailing lists to launch supply chain attacks, Group-IB said.
Mailchimp was also ensnared in the phishing scheme, causing a breach at DigitalOcean.
The phishing site spoofed a standard authentication page, prompting a target to enter their username and password. A subsequent page depicted a request for the 2FA code and once it was in hand, a copy of the remote administration tool AnyDesk was downloaded, Group-IB said.
For a successful attack, the threat actors had to constantly monitor their tools and move quickly to exploit, researchers said. A static page, threat actors could not interact with the victims in real time and had to move to gain access before 2FA codes expired.
While damaging, the phishing attack could have been worse, according to researchers. While researchers do not know the motivations of the attack, or why threat actors pushed AnyDesk.exe to the victim's assets, they said the "attacker didn’t configure the phishing kit properly in order to target mobile devices. That may indicate that the attacker is inexperienced."
If, in theory, attacks had sent phishing emails instead, victims would have downloaded the remote administration tools to their computers, Roberto Martinez, Sr. threat intelligence analyst, Group-IB, Europe, said via email. Through social engineering, attacks could have tricked victims to run the tool and gain control of their computer.
But after gaining enough media attention, the campaign stopped, Martinez said. "We don’t know the real extent of the attacks and how many organizations actually got compromised. We only know of those that publicly reported it," he said. "Maybe if companies that may have got breached earlier in the campaign disclosed it, the campaign could have been shorter than it was.”