Oktapus attacks

Twilio and Cloudflare employees were targeted in what turned out to be a much larger phishing campaign. That campaign has successfully compromised 9,931 accounts across 130 different organizations.

The campaign centred on abusing Okta, the identity and access management (IAM) provider. According to Group-IB researchers, the threat actors' main goal was to obtain Okta identity credentials and multifactor authentication (MFA) codes from targeted users. Those users received text messages containing links to phishing sites that mimicked the Okta authentication page of their respective organizations.

Of the organizations hit, 114 were US-based; the rest were spread across 68 other countries. According to Roberto Martinez, a senior threat analyst with Group-IB, the full extent of the attacks is yet to be determined.

The Agenda of The 0ktapus Hackers

It is widely believed that the 0ktapus hackers started their campaign by going after telecommunications companies, hoping to obtain the phone numbers of potential targets. Exactly how 0ktapus got hold of the phone numbers used in the MFA-related attacks has still not been established.

Researchers concluded that the threat actors began by targeting mobile operators, which is the most likely source of the numbers. Once they had the numbers, the attackers sent phishing links to their targets by text message. Each link led to a web page that mimicked the Okta authentication page.

This landing page was tailor-made to resemble the Okta authentication page of the target's employer. Victims were then asked to submit their Okta credentials together with the multifactor authentication (MFA) codes the employees used to protect their logins.

Researchers at Group-IB elaborate that the first phase of the attack focused on software-as-a-service (SaaS) firms. 0ktapus's main objective was to gain access to these companies' mailing lists or customer-facing systems, which would in turn allow the group to mount supply-chain attacks.
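The flow described above (SMS lure, lookalike Okta login page, credential and MFA-code capture) leaves one artefact a defender can hunt for before a user ever types anything: the lookalike host itself. The script below is an added example, not code from the article or from Group-IB; it triages URLs pulled from SMS-gateway or web-proxy logs for hosts that imitate an organization's Okta tenant. The tenant name examplecorp.okta.com, the allowlisted corporate domain, the lure keywords and the sample URLs are all constructed for the example, and the assumption that a lure embeds the organization's name next to an SSO-themed word is mine; the article does not name the phishing domains it saw.

```python
import re
from urllib.parse import urlparse

# All of these values are constructed for the example (hypothetical organisation).
LEGIT_OKTA_HOST = "examplecorp.okta.com"      # the organisation's real Okta tenant
ORG_TOKEN = "examplecorp"                     # the org name a lure is likely to embed
ORG_DOMAINS = {"examplecorp.com"}             # the org's own registrable domains (allowlist)
# Words an SSO-themed lure tends to pair with the org name (assumption, not from the article).
LURE_WORDS = ("okta", "sso", "mfa", "vpn", "login", "help")

# Constructed sample: URLs extracted from SMS-gateway and proxy logs.
SAMPLE_URLS = [
    "https://examplecorp.okta.com/login/login.htm",
    "https://examplecorp-sso.com/",
    "https://okta-examplecorp.net/verify",
    "https://examplecorp.okta.com.evil-host.xyz/",
    "https://news.example.org/article/123",
    "https://examplecorp.com/careers",
]


def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels). Enough for the sample; use a public-suffix list in production."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def classify_url(url: str) -> str:
    """Return 'legit', 'lookalike' or 'benign' for one URL."""
    host = (urlparse(url).hostname or "").lower()
    reg = registrable_domain(host)

    # Exact tenant, any host under the IdP's registrable domain, or the org's own domains.
    if host == LEGIT_OKTA_HOST or reg == registrable_domain(LEGIT_OKTA_HOST) or reg in ORG_DOMAINS:
        return "legit"

    # Collapse separators so "okta-examplecorp" and "examplecorp.okta" compare the same way.
    flat = re.sub(r"[^a-z0-9]", "", host)

    # The real tenant name embedded as a subdomain of some other registrable domain.
    if LEGIT_OKTA_HOST.replace(".", "") in flat:
        return "lookalike"

    # Org name combined with an SSO/MFA lure word on a foreign registrable domain.
    if ORG_TOKEN in flat and any(word in flat for word in LURE_WORDS):
        return "lookalike"

    return "benign"


def triage(urls):
    """Map each URL to its classification; callers typically alert on the 'lookalike' bucket."""
    return {url: classify_url(url) for url in urls}


if __name__ == "__main__":
    for url, verdict in triage(SAMPLE_URLS).items():
        print(f"{verdict:9s} {url}")
```

The heuristic is deliberately loose: it will flag a legitimate third party such as a help-desk vendor that puts the organization's name in its hostname, so the "lookalike" bucket is a hunting queue for an analyst, not an automatic block list. Feeding it from the SMS gateway is the useful part, since the article's victims were reached by text rather than by e-mail, where most URL inspection already lives.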

Speed, not stealth, was key to 0ktapus: rather than relying on sophisticated evasion techniques, the group compromised victims faster than defenders could react. The phishing sites reused the same fonts, images, and scripts, so security tools could quickly detect the fraudulent domains, but that did not matter. 0ktapus extracted data in real time and delivered its payload; by the time the tools flagged the threat, the damage was already done.

The Widespread Impact of The MFA Attacks

In a recent blog post, DoorDash revealed that an unauthorized party gained access to some of its internal tools using the stolen credentials of vendor employees, and went on to steal information such as names, phone numbers, email addresses, and delivery addresses belonging to the company's delivery workers and customers.

Group-IB was able to confirm that the attacker compromised 5,441 MFA codes over the course of the campaign. Roger Grimes, a data-driven defense evangelist, stated, “This is yet another phishing attack showing how easy it is for adversaries to bypass supposedly secure multifactor authentications.” That raises the question: how can such campaigns be prevented?
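The reason a one-time code can be "bypassed" the way Grimes describes is not a flaw in the code itself but in what it is bound to: a TOTP or SMS code proves possession of a shared secret within a time window, and the verifier cannot tell whether the digits were typed on the real login page or relayed from a lure seconds earlier. An origin-bound authenticator (WebAuthn/FIDO2 style) signs the challenge together with the origin the browser actually showed the user, so the same relay fails. The script below is an added example, not code from the article, Group-IB or Okta; it models both factor types side by side. The secret, device key, challenge and origins are constructed, and an HMAC stands in for the authenticator's asymmetric signature so the example runs offline.

```python
import hashlib
import hmac
import struct

# Constructed values for the example (hypothetical organisation).
RP_ORIGIN = "https://examplecorp.okta.com"    # where the real identity provider lives
PHISH_ORIGIN = "https://examplecorp-sso.com"  # the lure page the victim is actually on
TOTP_STEP = 30                                # seconds per TOTP window (RFC 6238 default)


def totp_code(secret: bytes, t: int, step: int = TOTP_STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the code depends only on the shared secret and the time window."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % (10 ** digits):0{digits}d}"


def totp_verify(secret: bytes, code: str, t: int) -> bool:
    """The verifier has no idea who typed the code or on which site; it only checks secret and window."""
    return hmac.compare_digest(totp_code(secret, t), code)


def origin_bound_sign(device_key: bytes, challenge: bytes, origin_seen: str) -> bytes:
    """Simplified WebAuthn-style assertion: the authenticator signs the challenge together with the
    origin the browser reports. HMAC stands in for the device's asymmetric signature (simplification)."""
    return hmac.new(device_key, challenge + b"|" + origin_seen.encode(), hashlib.sha256).digest()


def origin_bound_verify(device_key: bytes, challenge: bytes, assertion: bytes, rp_origin: str) -> bool:
    """The relying party recomputes over its own origin, so an assertion made for another origin never matches."""
    expected = hmac.new(device_key, challenge + b"|" + rp_origin.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion)


def relay_outcome(secret: bytes, device_key: bytes, t: int, challenge: bytes, delay: int = 5):
    """Model the article's real-time flow: a factor captured on the lure page is forwarded to the real
    IdP `delay` seconds later. Returns (otp_accepted, assertion_accepted)."""
    captured_code = totp_code(secret, t)                      # victim types the 6 digits into the lure
    otp_accepted = totp_verify(secret, captured_code, t + delay)
    # The browser hands the authenticator the origin the user is really on, so the assertion is bound
    # to PHISH_ORIGIN; forwarding it to RP_ORIGIN cannot make it verify there.
    captured_assertion = origin_bound_sign(device_key, challenge, PHISH_ORIGIN)
    assertion_accepted = origin_bound_verify(device_key, challenge, captured_assertion, RP_ORIGIN)
    return otp_accepted, assertion_accepted


if __name__ == "__main__":
    otp_ok, assertion_ok = relay_outcome(b"constructed-shared-secret", b"constructed-device-key",
                                         1_000_020, bytes(range(32)))
    print(f"relayed TOTP code accepted:        {otp_ok}")
    print(f"relayed origin-bound assertion ok: {assertion_ok}")
```

The practical takeaway for an Okta tenant is to prefer phishing-resistant factors (FIDO2/WebAuthn security keys or platform authenticators) for workforce logins and to treat SMS and app-generated codes as the weaker tier; the 5,441 codes Group-IB counted were all of the relayable kind.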

Blocking Initial Access

Only enterprises that could block the initial access avoided being caught in the tentacles of 0ktapus. Rather than waiting to detect and then blocklist domains that appear fraudulent, isolation technology creates a virtual air gap between users and the rest of the internet.

Users are thereby prevented from entering their credentials into the lure page. Isolation treats all content, known and unknown, as malicious, which removes the need for an allow-or-block decision at the moment the link is clicked. Preventing this initial access reduces the attacker's ability to reach your data and so protects your enterprise.

As attacks like this continue to unfold in real time, it is becoming clear that a detect-and-respond approach alone is not enough to secure an enterprise: today's threat actors are more inventive than ever, and they have repeatedly shown that they stay a step ahead of even the most intelligent tools. Blocking initial access through isolation technology remains the most effective way to stop ransomware and other malware attacks. For more information, contact us today.