Over 130 organizations have been impacted by the Twilio and Cloudflare breach by Okta hackers

News Summary:

  • The activity has been codenamed 0ktapus by Group-IB because the initial goal of the attacks was to “obtain Okta identity credentials and two-factor authentication (2FA) codes from users of the targeted organizations.”

  • The threat actor behind the attacks on Twilio and Cloudflare earlier this month has been linked to a broader phishing campaign aimed at 136 organizations that resulted in a cumulative compromise of 9,931 accounts.

Calling the attacks well designed and executed, the Singapore-headquartered company said the adversary singled out employees of companies that are customers of identity services provider Okta.

“This case is of interest because despite using low-skill methods it was able to compromise a large number of well-known organizations,” Group-IB said. “Furthermore, once the attackers compromised an organization they were quickly able to pivot and launch subsequent supply chain attacks, indicating that the attack was planned carefully in advance.”

According to reports, at least 169 distinct phishing domains were created for this purpose. Most of the victim organisations are based in the United States (114), with others in India (4), Canada (3), France (2), Sweden (2), and Australia (1), among other countries. Each of these sites made use of a previously undocumented phishing kit. Software companies make up the majority of the affected businesses, followed by those in the telecom, business services, banking, education, retail, and logistics industries. Along with Twilio and Cloudflare, other confirmed victims include MailChimp and Klaviyo.

An examination of the 0ktapus phishing websites shows that AT&T, KuCoin, Mailgun, Metro PCS, Slack, T-Mobile, and Verizon were also targeted. These breaches then served as a launching point for supply chain attacks against Signal (through Twilio) and DigitalOcean (via MailChimp). The attacks are also noteworthy because the compromised data, which included user credentials, email addresses, and multi-factor authentication (MFA) codes, was exfiltrated to a Telegram channel under the actor’s control.
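The campaign above relied on lookalike domains (its very name swaps a 0 for the o in Okta) to harvest identity credentials and MFA codes. The following is an added defensive example, not code from the article or from Group-IB: it scans constructed web-proxy log lines for destination hosts that carry a brand keyword but are not one of that brand’s legitimate registrable domains. The brand allowlist, the digit-substitution table, the log format and the log lines are all assumptions made for the illustration.

```python
"""Flag brand-impersonation (lookalike) domains in web-proxy logs.

Added example, not part of the original article. The log lines are
constructed; the brand allowlist and substitution table are assumptions.
"""
import re
from typing import Optional

# Brand keywords and the registrable domains that may legitimately carry them.
# Assumption: okta.com only; an organisation would extend this with its own
# tenant and vanity login hosts.
BRAND_ALLOWLIST = {
    "okta": {"okta.com"},
}

# Digit-for-letter substitutions seen in lookalike names (0 for o, as in
# "0ktapus"). Assumption: this table is illustrative, not exhaustive.
_SUBSTITUTIONS = str.maketrans(
    {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"}
)


def registrable_domain(host: str) -> str:
    """Naive registrable domain: the last two labels of the host name.

    Limitation: multi-label public suffixes such as co.uk are not handled;
    a production version would consult a public-suffix list.
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def normalize(host: str) -> str:
    """Lower-case, undo digit substitutions and drop separators, so that
    '0kta-sso.net' reduces to a string containing 'okta'."""
    return host.lower().translate(_SUBSTITUTIONS).replace("-", "").replace(".", "")


def is_lookalike(host: str) -> Optional[str]:
    """Return the impersonated brand if the host carries a brand keyword but
    its registrable domain is not on that brand's allowlist; else None."""
    reg = registrable_domain(host)
    squashed = normalize(host)
    for brand, allowed in BRAND_ALLOWLIST.items():
        if brand in squashed and reg not in allowed:
            return brand
    return None


# Constructed proxy log lines: "<timestamp> <user> <destination host>".
SAMPLE_LOG = """\
2022-08-04T10:12:03Z alice okta.com
2022-08-04T10:12:07Z alice example-okta.com
2022-08-04T10:13:41Z bob 0kta-sso.net
2022-08-04T10:14:02Z carol login.okta.com
2022-08-04T10:15:10Z dave oktalogin-helpdesk.org
2022-08-04T10:16:00Z erin news.example.com
"""

_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def scan_log(text: str) -> list[tuple[str, str, str]]:
    """Return (user, host, brand) for every log line whose destination looks
    like a brand-impersonation domain; malformed lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        _ts, user, host = m.groups()
        brand = is_lookalike(host)
        if brand:
            hits.append((user, host, brand))
    return hits


if __name__ == "__main__":
    for user, host, brand in scan_log(SAMPLE_LOG):
        print(f"{user} visited {host}: possible {brand} lookalike")
```

Run on the constructed log, the scan flags example-okta.com, 0kta-sso.net and oktalogin-helpdesk.org while leaving okta.com and login.okta.com alone. Matching on the squashed string rather than on whole labels is a deliberate trade-off: it catches hyphenated and digit-substituted variants at the cost of some false positives, which an allowlist of known-good registrable domains keeps manageable.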

One of the channel administrators, who goes by the alias X, was connected by Group-IB to a Twitter account and a GitHub account suggesting the person may be based in the American state of North Carolina. Although the campaign’s ultimate goals are still unknown, it is believed to be both espionage- and financially motivated, giving the threat actor access to private data, proprietary information, and corporate inboxes as well as the ability to steal money.

Additionally, the attempts to get into Signal accounts suggest that the attackers were also trying to obtain sensitive information such as private conversations. It is not yet known how the hackers obtained employee names and phone numbers. “While the threat actor may have been lucky in their attacks it is far more likely that they carefully planned their phishing campaign to launch sophisticated supply chain attacks,” Group-IB analyst Roberto Martinez said.