A highly successful phishing campaign has been identified that targets Okta credentials. Okta is an American identity and access management company that provides cloud-based software solutions to help companies manage and secure user authentication.
Researchers at Group-IB analyzed the campaign and reported that 136 companies are known to have been attacked, although only about two-thirds of the attacked companies could be identified. Some of the victims were large, well-known U.S. firms. The researchers report that more than 9,900 login credentials have been stolen by the threat actors.
The campaign itself is rather low-tech and involves a phishing kit dubbed 0ktapus which is loaded onto malicious websites that spoof the Okta authentication page. The researchers have so far identified 169 domains that were being used by the attackers, based on the unique images, fonts, and scripts used by the threat actors and the presence of certain keywords. Many of the websites used had been registered to target employees of companies in the technology, finance, recruiting, and cryptocurrency industries, with the highest concentration in the software and telecom industries. The threat actors have conducted attacks on companies in multiple countries, but the highest concentration of attacks has been on U.S. firms, where 114 out of 136 breached companies are located.
The campaign is being conducted using SMS messages rather than email. Employees of the targeted companies are sent SMS messages with a link to the malicious website hosting the 0ktapus phishing kit. If the link is clicked and the user discloses their credentials, the phishing kit sends those credentials via Telegram to the attacker. The kit also captures the victim's 2FA codes, which allows the threat actor to remotely access accounts. After access is gained, attempts are made to escalate access, and sensitive data is exfiltrated. While the phishing campaign does not use sophisticated techniques, it has proven to be effective because it steals MFA codes in addition to login credentials.
The login credentials have been used to access VPN accounts, corporate networks, and customer support systems. Group-IB said in some cases, the access has led to supply chain attacks. In some cases, those attacks occurred very quickly, which suggests that the attacks were planned in advance. The threat actor has targeted mailing lists and customer-facing systems to allow the supply chain attacks to be conducted, including attacks on customers of Twilio, Mailchimp, and Klaviyo. The attack on Twilio, a phone number verification provider, allowed the attacker to attempt to re-register Signal accounts to new mobile devices. Mailchimp was breached to access data from crypto-related companies and disrupt operations.
Group-IB said the Telegram channel of one of the threat actors involved in the campaign was identified, with subsequent investigations revealing the individual’s name. That person claims to be a 22-year-old software developer based in North Carolina. The details have been passed to law enforcement.
Group-IB has made several recommendations to avoid falling victim to these attacks. These include carefully checking the URL of websites before entering credentials, treating all URLs sent from unknown sources as suspicious, and implementing a FIDO2-compliant security key from a vendor for multi-factor authentication.
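As an added illustration (not from the Group-IB report) of why the FIDO2 recommendation closes the gap the 0ktapus kit exploits: a relayed one-time code carries no information about where it was typed, whereas a WebAuthn assertion is bound by the browser to the origin and RP ID of the page the user is actually on. The relying-party checks below are a simplified Python sketch; `login.example.com` and the lookalike domain are constructed values, and the signature check over the assertion is omitted.

```python
import base64
import hashlib
import json
import os
from urllib.parse import urlparse

# Relying-party configuration (constructed values, not from the report).
RP_ORIGIN = "https://login.example.com"
RP_ID = "login.example.com"

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def otp_check(submitted: str, current_code: str) -> bool:
    """A TOTP/SMS code has no origin: the server cannot tell whether the user
    typed it on the real page or on a spoofed page that relayed it."""
    return submitted == current_code

def make_client_data(origin: str, challenge: bytes) -> str:
    """Simulates the browser-built clientDataJSON. The origin field is filled
    in by the browser from the page the user is on; page script cannot set it."""
    return b64url_encode(json.dumps({
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": origin,
    }).encode())

def verify_assertion(client_data_b64: str, auth_data: bytes, issued_challenge: bytes) -> bool:
    """Relying-party checks from WebAuthn assertion verification that defeat a
    credential relay: challenge, origin and rpIdHash binding. (The signature
    over authData || SHA-256(clientDataJSON) would be verified after these.)"""
    cd = json.loads(b64url_decode(client_data_b64))
    if cd.get("type") != "webauthn.get":
        return False
    if b64url_decode(cd.get("challenge", "")) != issued_challenge:
        return False  # replayed or unsolicited assertion
    if cd.get("origin") != RP_ORIGIN:
        return False  # assertion was produced on a different site
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False  # credential is scoped to a different RP ID
    return True

def simulate_login(page_origin: str) -> bool:
    """End-to-end: the user completes a security-key login on page_origin.
    The browser only lets a page request an RP ID matching its own host, so
    a lookalike domain yields a different rpIdHash and a different origin."""
    challenge = os.urandom(32)
    host = urlparse(page_origin).hostname or ""
    auth_data = hashlib.sha256(host.encode()).digest() + b"\x01\x00\x00\x00\x00"
    return verify_assertion(make_client_data(page_origin, challenge), auth_data, challenge)
```

A code relayed through the phishing kit passes `otp_check`, but an assertion produced on a lookalike domain fails `verify_assertion` even though the user pressed the key.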