The information was discovered through research done by cybersecurity company Group-IB, which started looking into the hacking effort after one of its clients fell victim to phishing and requested assistance. The study demonstrates that the threat actor, known as “0ktapus,” employed straightforward strategies to target employees of numerous well-known firms. The hacker(s) would enter corporate networks using stolen login credentials, steal data, and then enter the network of another company.
In what researchers describe as the most extensive supply chain attack on corporate America to date, a mysterious “threat actor”—a fancy word for a hacker or hacker group—has stolen close to 10,000 login credentials from the staff of 130 firms. Prominent software companies, including Twilio, MailChimp, and Cloudflare, are among the many victims.
“This case is of interest because despite using low-skill methods it was able to compromise a large number of well-known organizations,” researchers wrote in their blog Thursday. “Furthermore, once the attackers compromised an organization they were quickly able to pivot and launch subsequent supply chain attacks, indicating that the attack was planned carefully in advance.”
According to researchers, the hackers chose to target employees of the firms they wished to compromise using a very common technique: a phishing toolkit. These preconfigured hacking tool packages are available on the dark web, usually at very low cost. In this instance, the hackers started by targeting businesses that used Okta, an identity and access management company that offers single sign-on services to platforms all across the internet. The threat actor used the tools to send victims SMS phishing messages linking to pages that closely resembled the authentication pages offered by Okta. The victims would enter their information, including login, password, and multi-factor authentication code, believing that they were carrying out a routine security procedure.
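The lure described above relies on a link to a page that imitates an Okta sign-in screen. One defensive check a security team can run over inbound SMS or mail bodies is to flag URLs whose hostname carries the Okta brand without actually belonging to Okta. The following Python example is added here for illustration and is not code from the article or from Group-IB; the trusted-suffix list, the digit-for-letter substitution table, and the sample messages (which use reserved `.example` domains) are constructed assumptions, and a real deployment would also list the organisation's own Okta tenant hostname.

```python
import re
from urllib.parse import urlparse

# Hostnames under which Okta itself serves sign-in pages. Assumption for this
# example: a real deployment would also add the organisation's own tenant.
TRUSTED_SUFFIXES = ("okta.com", "oktapreview.com", "okta-emea.com")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Digits commonly substituted for letters in a brand name (e.g. "0kta").
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "7": "t"})


def host_of(url: str) -> str:
    """Return the lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower().rstrip(".")


def is_trusted_host(host: str) -> bool:
    """True when the host is one of Okta's own domains or a subdomain of one.

    The suffix check requires a leading dot, so 'okta.com.evil.example'
    is NOT trusted even though the string starts with 'okta.com'.
    """
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def impersonates_okta(host: str) -> bool:
    """True when an untrusted host carries the Okta brand once common
    digit-for-letter substitutions are undone and separators removed."""
    if is_trusted_host(host):
        return False
    folded = host.translate(LOOKALIKES).replace("-", "").replace("_", "")
    return "okta" in folded


def scan_messages(messages):
    """Return (message_index, url, host) for every URL that impersonates Okta."""
    findings = []
    for i, text in enumerate(messages):
        for url in URL_RE.findall(text):
            host = host_of(url)
            if impersonates_okta(host):
                findings.append((i, url, host))
    return findings


# Constructed sample SMS bodies (not real messages); .example domains are
# reserved and never resolve.
SAMPLE_SMS = [
    "Your Okta session has expired. Re-verify at https://acme-okta.example/verify",
    "Team sync moved to 3pm: https://calendar.example/meet/42",
    "Sign in to https://acme.okta.com/login to review your benefits",
    "Security alert: confirm your identity https://0kta-sso.example/mfa?u=1",
]

if __name__ == "__main__":
    for idx, url, host in scan_messages(SAMPLE_SMS):
        print(f"message {idx}: suspicious Okta lookalike host {host} ({url})")
```

Run against the constructed samples, messages 0 and 3 are flagged (the second only after `0kta` is folded to `okta`), while the genuine `acme.okta.com` link and the unrelated calendar link pass. The suffix test deliberately requires a leading dot so that a brand-prefixed hostname under an attacker-controlled domain is not mistaken for a trusted one.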
Unfortunately, this is not a completely original tale. Corporate cybersecurity has had a difficult couple of years, making it reasonable to wonder whether blue-chip IT businesses simply aren’t very good at self-protection, hackers simply keep getting lucky, or both. Despite the fact that we cannot be confident in either direction, it is evident that the “0ktapus” campaign, like many other recent hacking incidents, was astonishingly successful in breaching a variety of business networks utilising simple intrusion tactics.
Once the victims entered this information, it was covertly sent to a Telegram account that the cybercriminals controlled. The threat actor could then use the victims’ Okta credentials to log into the companies where they worked. With that network access, the attackers went on to steal company data and launch more sophisticated supply chain attacks against the wider corporate ecosystems those enterprises were part of.
It is unclear how the hacker or hackers initially obtained the phone numbers of the staff they targeted, though such information can occasionally be gleaned from earlier data breaches or purchased on the dark web.
Researchers from Group-IB think they have identified a person who may be associated with the phishing campaign. Using Group-IB’s own proprietary techniques, researchers were able to locate Twitter and GitHub accounts that might be connected to a hacker involved in the campaign. They go by the moniker “X,” and it is known that they participate in Telegram channels that are frequently utilised by online criminals. According to researchers, both accounts have the same username, profile photo, and user identity as a 22-year-old software developer. According to analysts, the GitHub account indicates that the person is based in North Carolina.
Though they have offered further analysis of the hacking campaign’s strategies and tactics, Group-IB has not revealed Subject X’s identity. However, they also highlight that whoever was in charge of the campaign did a pretty excellent job at pwning their targets. Researchers write that context cues discovered during the inquiry “may indicate that the attacker is unskilled.” The study claims: “While it is possible that the threat actor may have been lucky in their attacks it is far more likely that they carefully crafted their attacks in order to launch the sophisticated supply chain attacks outlined above. It is not yet clear if the attacks were planned end-to-end in advance or whether opportunistic actions were taken at each stage. Regardless, it is clear that the attack has been incredibly successful and the full scale of the attack may not be known for some time.”
But even if everything went according to plan, using a phishing toolkit doesn’t require you to be a seasoned cybercriminal. In fact, the way the cybercrime market is set up today makes it possible for even the least technically savvy online user to acquire potent hacking tools that can do a lot of harm. Unfortunately, all you usually need is a VPN, some cryptocurrency, and a lack of morals if you want to buy a cyberweapon that can shut down a website or steal someone’s MFA credentials. Even though we don’t know who is behind this phishing attempt, it is obvious that a mess has been made. Attacks on supply chains are terrible because they frequently have a cascade effect. An intrusion into one business can occasionally cause problems for dozens (or hundreds) of others due to the way the software industry is currently organised (imagine an interconnected ecosystem of enterprise systems, where each tech company outsources some or most IT processes to some other company). As an example, we are currently hearing from a small number of companies about data breaches related to this hacking incident, and it’s unlikely that it will end soon.
Most recently, on Thursday, the food delivery platform DoorDash disclosed a data breach. The business reported in a blog post that hackers had successfully phished one of its third-party providers, possibly exposing both customer and corporate information, including names, email addresses, delivery addresses, and phone numbers of an unspecified number of app users. A number of businesses that use Twilio’s services have experienced security difficulties as a result of the breach of this popular communications provider. Twilio has acknowledged that the breach may have exposed the data of as many as 125 clients. Most significantly, the attack resulted in a security flaw for the encrypted communication application Signal. 1,900 user accounts at Signal, which relies on Twilio for phone number verification services, were partially impacted, which is a rather sad development for a business that prides itself on protecting user data. Signal has emphasised that message history and other sensitive information for users was not affected by the incident, despite it appearing that the threat actor was trying to access Signal conversations and user data.
At the same time, it appears that data on consumers connected to bitcoin companies was harvested from other businesses, including mailing provider MailChimp, which was breached back in April. Theoretically, this information might be used to direct further phishing attacks at cryptocurrency users.