Findings on a massive phishing campaign were just published by Group-IB researchers in a recent report. According to the research team, the campaign resulted in 9,931 accounts at over 130 organizations being compromised. The campaign is focused on the abuse of the Okta identity and access management firm, hence the moniker “0ktapus” that was assigned by the Group-IB for the threat actor group.
Group-IB explained, “The primary goal of the threat actors was to obtain Okta identity credentials and multi-factor authentication (MFA) codes from users of the targeted organizations. These users received text messages containing links to phishing sites that mimicked the Okta authentication page of their organization.”
114 US-based firms were affected by this campaign. Senior threat intelligence analyst Roberto Martinez said the full scope of the attacks is still not known, stating, “The 0ktapus campaign has been incredibly successful, and the full scale of it may not be known for some time.”
It is believed that the 0ktapus attackers started their campaign by targeting telecommunications companies to obtain potential targets’ phone numbers. The team has not determined how the group obtained the numbers used in MFA-related attacks.
“[A]ccording to the compromised data analyzed by Group-IB, the threat actors started their attacks by targeting mobile operators and telecommunications companies and could have collected the numbers from those initial attacks,” researchers wrote.
Once they had targets’ phone numbers, attackers sent text message-based phishing links to targets, with the links taking victims to webpages mimicking the Okta authentication page used by the target victims’ employers. When victims submitted their Okta identity credentials and MFA codes those were delivered straight to the threat actors.
Group-IB explain that they believe that 0ktapus’ final objective was to access company mailing lists and/or customer-facing systems in hopes of facilitating supply-chain attacks.
This the campaign the attackers compromised 5,441 MFA codes, as reported by Group-IB.
“Security measures such as MFA can appear secure… but it is clear that attackers can overcome them with relatively simple tools. This is yet another phishing attack showing how easy it is for adversaries to bypass supposedly secure multifactor authentication,” said Roger Grimes, data-driven defense evangelist at KnowBe4. It simply does no good to move users from easily phish-able passwords to easily phish-able MFA. It’s a lot of hard work, resources, time, and money, not to get any benefit.”
The mitigations recommended for 0ktapus-style campaigns are to educate personnel well about phishing attacks and use FIDO2-compliant security keys for MFA.
Grimes advised, “Whatever MFA someone uses, the user should be taught about the common types of attacks that are committed against their form of MFA, how to recognize those attacks, and how to respond. We do the same when we tell users to pick passwords but don’t when we tell them to use supposedly more secure MFA.”
Phishing education is an offering from Webcheck Security, as well as access control design consultations from our virtual Chief Information Security Officers (vCISOs). Contact Webcheck now to receive more information.