Monday, October 3, 2022

Criminal 0ktapus spoofed IAM signature in massive phishing attack

A large-scale identity fraud campaign, dubbed 0ktapus, which ensnared unsuspecting users at Cloudflare and Twilio, among others, and led to a limited downstream attack against the secure messaging service Signal, has been revealed to have compromised almost 10,000 user accounts in more than 130 organizations worldwide by exploiting the brand of the identity and access management (IAM) specialist Okta.

This is according to researchers at Group-IB, which today published an analysis of the attackers’ phishing infrastructure, phishing domains, phishing kits, and the Telegram channels they used to drop the compromised information.

Group-IB, which is based in Singapore and was founded in Russia, said it opened an investigation in late July when one of its threat intelligence clients asked for more information about a phishing attempt targeting its employees.

The subsequent investigation led its investigators to conclude that the attack, as well as those on Cloudflare and Twilio, were the result of a “simple but highly effective” phishing campaign that was “unprecedented in scale and scope” and had been under way since March 2022.

“While the threat actor may have been lucky in their attacks, it is much more likely that they carefully planned their phishing campaign to launch sophisticated supply chain attacks,” said Roberto Martinez, senior threat intelligence analyst at Group-IB Europe.

“It is not yet clear if the attacks were planned from start to finish or if opportunistic actions were taken at each stage. Regardless, the 0ktapus campaign has been incredibly successful, and its full scale may not be known for some time.”

Group-IB revealed that the threat actors’ primary goal had been to obtain Okta identity credentials and multi-factor authentication (MFA) codes from users of targeted organizations. Those users received SMS messages containing links to phishing sites that mimicked their organization’s Okta authentication page.

Investigators were unable to determine how the attackers built their target list, or how they obtained the necessary phone numbers. However, based on the compromised data that Group-IB was able to analyze, it appears that there may have been earlier attacks on mobile carriers and telecommunications companies to collect data before this campaign began.

Group-IB said that 0ktapus used 169 unique phishing domains, incorporating keywords such as “SSO”, “VPN”, “Okta”, “MFA” and “help”. These sites would have appeared almost identical to legitimate Okta verification pages. All of these sites were created using a novel phishing kit, which contained code that allowed them to set up a Telegram bot and channel that the attackers used to drop their stolen data.
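As an added example, not part of the original report or of Group-IB’s own tooling, the following Python scores hostnames seen in web-proxy logs against the keyword pattern described above (an authentication keyword folded together with a company name). The organization name, the allow-listed login hosts and the log lines are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Keywords Group-IB reported seeing in the 0ktapus phishing domains.
SUSPECT_KEYWORDS = ("sso", "vpn", "okta", "mfa", "help")
# Assumption: the organization's legitimate login hosts (placeholders).
KNOWN_GOOD_HOSTS = {"example-corp.okta.com", "sso.example-corp.com"}
# Assumption: brand spellings an attacker would fold into a lookalike.
BRAND_TOKENS = ("example-corp", "examplecorp")

def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); enough for the constructed sample."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def score_host(host: str) -> tuple[int, list[str]]:
    """Return (score, reasons); higher means more 0ktapus-like."""
    host = host.lower()
    if host in KNOWN_GOOD_HOSTS or registrable_domain(host) == "okta.com":
        return 0, []
    reasons = [f"keyword:{kw}" for kw in SUSPECT_KEYWORDS if kw in host]
    if any(token in host for token in BRAND_TOKENS):
        reasons.append("brand-token")
    score = len(reasons)
    # Brand name combined with an auth keyword is the pattern in the report.
    if "brand-token" in reasons and len(reasons) >= 2:
        score += 2
    return score, reasons

# Constructed web-proxy log lines: timestamp, client IP, method, URL.
PROXY_LOG = """\
2022-07-29T10:01:12Z 10.0.4.21 GET https://example-corp.okta.com/app/UserHome
2022-07-29T10:03:40Z 10.0.4.21 GET https://example-corp-sso.com/
2022-07-29T10:03:55Z 10.0.4.21 POST https://example-corp-sso.com/mfa/verify
2022-07-29T10:05:02Z 10.0.7.3 GET https://docs.python.org/3/
2022-07-29T10:06:17Z 10.0.9.8 GET https://okta-help.example.net/login
"""

def flag_hosts(log_text: str, threshold: int = 2) -> dict[str, int]:
    """Map each host scoring at or above the threshold to its highest score."""
    flagged = {}
    for line in log_text.splitlines():
        match = re.match(r"\S+ \S+ \S+ (https?://\S+)", line)
        if not match:
            continue
        host = urlsplit(match.group(1)).hostname or ""
        score, _ = score_host(host)
        if score >= threshold:
            flagged[host] = max(score, flagged.get(host, 0))
    return flagged
```

Hosts that the legitimate Okta tenant owns are never flagged, so the scorer only surfaces domains outside the organization’s real login surface.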

In total, 0ktapus stole 9,931 unique user credentials, including 3,129 records with valid email addresses and 5,441 records with MFA codes. Since two-thirds of the records did not contain a valid corporate email, only a username and MFA code, the research team was only able to determine the region where the users were located, meaning that not all of the target organizations could be identified.

“0ktapus shows how vulnerable modern organizations are to some basic social engineering attacks and how profound the effects of such incidents can be for their partners and customers”

Rustam Mirkasymov, Group-IB Europe

What can be said with confidence is that 114 of the 136 known victim organizations were US-based companies. None were based in the UK; however, approximately 97 UK users had their credentials compromised by 0ktapus, compared to more than 5,500 in the US. Other compromised users were spread across the globe, with more than 40 each in Canada, Germany, India, and Nigeria.

Most of the victimized organizations were, like Cloudflare and Twilio, IT vendors, software companies, or cloud service companies. Smaller numbers of victims were also found in the telecommunications, general business services, and financial services sectors, and even smaller numbers in education, retail and logistics, legal services, and public services. Group-IB said it had notified all the victims it could identify.

In terms of identifying the threat actors behind 0ktapus, Group-IB was also able to retrieve some of the details of one of their Telegram channel administrators, and from there identified their GitHub and Twitter accounts. This individual goes by the identifier X and is believed to be living in North Carolina in the US, although this may not be his true location.

Rustam Mirkasymov, head of cyber threat research at Group-IB Europe, said there was nothing special about 0ktapus’s methods, but the effort the threat actors put into planning and pivoting between multiple victims made the campaign remarkable.

“0ktapus shows how vulnerable modern organizations are to some basic social engineering attacks and how far-reaching the effects of such incidents can be for their partners and customers. By making our findings public, we hope more businesses can take preventative steps to protect their digital assets,” he said.

More on Group-IB’s findings, including a breakdown of indicators of compromise (IoCs), is available to read here.

This is the second major incident involving Okta in some way in recent months, after the company was embroiled in a supply chain attack when the Lapsus$ cyber extortion gang compromised a third party, Sitel, in January 2022. There is no indication that the two incidents have any connection.

Okta had not responded to a request for comment at the time of publication.
