Two weeks ago, Twilio and Cloudflare detailed a phishing attack so methodical and well-orchestrated that it tricked employees at both companies into revealing their account credentials. In Twilio’s case, the attack bypassed its 2FA protection and gave threat actors access to its internal systems. Now, researchers have uncovered evidence that the attacks were part of a massive phishing campaign that obtained nearly 10,000 account credentials belonging to 130 organizations.
Based on disclosures provided by Twilio and Cloudflare, it was already clear that the phishing attacks were executed with almost surgical precision and planning. Somehow, the threat actor had obtained private phone numbers of employees and, in some cases, their family members. The attackers then sent text messages urging employees to log in to what appeared to be their employers’ legitimate authentication page.
Within 40 minutes, 76 Cloudflare employees received the text message, which included a domain name registered only 40 minutes earlier, thwarting the measures the company has in place to detect sites that spoof its name. The phishers also used a proxy site for real-time hijacking, a method that allowed them to capture the one-time codes Twilio used in its 2FA verifications and enter them on the real site. Almost immediately, the threat actor used their access to the Twilio network to obtain phone numbers belonging to 1,900 Signal Messenger users.
Unprecedented scale and scope
Security firm Group-IB published a report Thursday stating that an investigation it conducted on behalf of a client revealed a much larger campaign. Dubbed “0ktapus,” it has used the same techniques over the past six months to target 130 organizations and successfully phish 9,931 credentials. The threat actor behind the attacks amassed no fewer than 169 unique internet domains to ensnare their targets. The sites, whose domain names included keywords such as “SSO,” “VPN,” “MFA” and “HELP,” were built with the same previously unknown phishing kit.
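The two observable traits the report gives for the lure domains, a lure keyword combined with the target's brand and a registration minutes before use, are enough for a first-pass triage rule. The Python below is an added example written for this article (it is not Group-IB's, Twilio's or Cloudflare's code); the brand "exampleco", the domains and their creation times are constructed. The scoring deliberately does not depend on domain age: a domain registered 40 minutes before the texts went out beats any rule that only fires on "registered in the last 24 hours" unless that check runs at message time, so the brand-plus-keyword combination alone is enough to cross the threshold.

```python
import re
from datetime import datetime, timedelta, timezone

# Lure keywords Group-IB reported in the 0ktapus domain names.
LURE_KEYWORDS = frozenset({"sso", "vpn", "mfa", "help"})

# Constructed sample input: domains seen in (hypothetical) SMS or proxy logs,
# paired with their WHOIS creation time. None of these are real 0ktapus domains.
NOW = datetime(2022, 7, 20, 12, 0, tzinfo=timezone.utc)
OBSERVED = [
    ("exampleco-sso.com", NOW - timedelta(minutes=40)),   # fresh, brand + keyword
    ("exampleco.com", NOW - timedelta(days=4000)),        # the real company site
    ("help-exampleco-mfa.net", NOW - timedelta(hours=3)),
    ("news.example.org", NOW - timedelta(days=900)),      # unrelated, benign
    ("vpn-exampleco.co", NOW - timedelta(days=45)),
]


def domain_tokens(domain: str) -> list:
    """Lowercase alphanumeric tokens of the host part (TLD stripped)."""
    host = domain.lower().rsplit(".", 1)[0]
    return [t for t in re.split(r"[^a-z0-9]+", host) if t]


def score_domain(domain: str, created: datetime, brand: str,
                 now: datetime = NOW, legit=frozenset()) -> tuple:
    """Return (score, reasons). Brand plus a lure keyword scores highest; a very
    recent registration adds weight but is never required, because a domain
    registered minutes before use defeats any age-only rule."""
    if domain.lower() in legit:
        return 0, []
    tokens = domain_tokens(domain)
    brand_hit = any(brand in t for t in tokens)   # plain substring; no homoglyph handling
    keywords = sorted(LURE_KEYWORDS & set(tokens))
    score, reasons = 0, []
    if brand_hit:
        score += 1
        reasons.append("brand")
    if keywords:
        score += 1
        reasons.append("keyword:" + "/".join(keywords))
    if brand_hit and keywords:
        score += 1
        reasons.append("brand+keyword")
    age = now - created
    if age < timedelta(days=1):
        score += 2
        reasons.append("registered<24h")
    elif age < timedelta(days=90):
        score += 1
        reasons.append("registered<90d")
    return score, reasons


def triage(observed, brand: str, legit=frozenset(), threshold: int = 3,
           now: datetime = NOW) -> list:
    """Score every (domain, created) pair and return those at or above the
    threshold as (domain, score, reasons), highest score first."""
    rows = []
    for domain, created in observed:
        score, reasons = score_domain(domain, created, brand, now, frozenset(legit))
        if score >= threshold:
            rows.append((domain, score, reasons))
    return sorted(rows, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    for domain, score, reasons in triage(OBSERVED, "exampleco", legit={"exampleco.com"}):
        print(f"{score}  {domain:26} {', '.join(reasons)}")
```

Run against the constructed sample, the three brand-plus-keyword domains are flagged (scores 5, 5 and 4) and the real site and the unrelated domain are not. In practice the feed would be the SMS gateway or outbound-proxy log evaluated as messages arrive, with the company's registered domains in `legit`.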
“The investigation revealed that these phishing attacks, as well as the incidents at Twilio and Cloudflare, were links in a chain: a simple yet highly effective single phishing campaign of unprecedented scale and scope that has been active since at least March 2022,” Group-IB researchers wrote. “As the Signal revelations showed, once attackers compromised an organization, they could quickly pivot and launch subsequent supply chain attacks.”
While the threat actor may have been lucky in their attacks, it is much more likely that they carefully planned their phishing campaign to launch sophisticated supply chain attacks. It is not yet clear if the attacks were planned from start to finish or if opportunistic actions were taken at each stage. Regardless, the 0ktapus campaign has been incredibly successful, and its full scale may not be known for some time.
Group-IB did not identify any of the targeted companies, except to say that at least 114 of them are located in or have a presence in the US. Most of the targets provide IT, software development and cloud services. Okta on Thursday revealed in a post that it was among the victims.
The phishing kit led researchers to a Telegram channel that the threat actors used to bypass 2FA protections that rely on one-time passwords. When a target entered a username and password on the fake site, that information was immediately relayed through the channel to the threat actor, who then entered it on the real site. The fake site would then prompt the target to enter the one-time authentication code. When the target complied, the code was sent to the attacker, allowing them to enter it on the real site before the code expired.
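The relay works because a one-time code is valid for anyone who presents it to the real site within its time window; nothing about the code ties it to the page the victim typed it into. The toy model below is an added example written for this article, not the kit's or Group-IB's code: it implements RFC 6238 TOTP, shows that a code re-entered 20 seconds later passes the relying party's usual one-step drift allowance, and contrasts it with a challenge/response whose signed answer covers the origin the client actually talked to (the property a FIDO2 authenticator gives via `clientDataJSON`), so the same relay fails. The secret, origins and timestamp are constructed; the HMAC "authenticator" stands in for a real signing device.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed toy model for this article (not Group-IB's or the kit's code):
# a relying party (RP) that checks 6-digit TOTP codes, the real-time relay the
# article describes, and an origin-bound challenge/response for contrast.

SECRET = b"constructed-demo-seed-not-a-real-secret"
REAL_ORIGIN = "https://sso.exampleco.test"
LOOKALIKE_ORIGIN = "https://exampleco-sso.test"   # constructed lookalike origin
NOW = 1_660_000_000                                 # fixed epoch seconds


def totp(secret: bytes, t: int, step: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 6 digits) for epoch second t."""
    counter = struct.pack(">Q", t // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


class RelyingParty:
    def __init__(self, origin: str, secret: bytes):
        self.origin = origin
        self.secret = secret

    def verify_totp(self, code: str, now: int) -> bool:
        # Accept the current and the previous 30 s step: the usual clock-drift
        # allowance, and exactly the window a relay has to re-enter the code.
        return any(totp(self.secret, now - d) == code for d in (0, 30))

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(32)

    def verify_bound(self, challenge: bytes, response: tuple) -> bool:
        # The response covers the origin the client's authenticator saw, so a
        # response produced on a lookalike page cannot validate for the real RP.
        origin, mac = response
        expected = hmac.new(self.secret, challenge + origin.encode(),
                            hashlib.sha256).digest()
        return origin == self.origin and hmac.compare_digest(mac, expected)


def bound_response(secret: bytes, challenge: bytes, page_origin: str) -> tuple:
    """Client side of the bound scheme: the authenticator signs challenge||origin
    using the origin of the page it is actually on, not whatever the page claims."""
    mac = hmac.new(secret, challenge + page_origin.encode(), hashlib.sha256).digest()
    return page_origin, mac


def relay_totp(rp: RelyingParty, secret: bytes, now: int, relay_delay: int = 20) -> bool:
    """Victim types the code into the lookalike page at `now`; the attacker
    enters it on the real site `relay_delay` seconds later."""
    code_typed_by_victim = totp(secret, now)          # read from the user's app
    return rp.verify_totp(code_typed_by_victim, now + relay_delay)


def relay_bound(rp: RelyingParty, secret: bytes, page_origin: str) -> bool:
    """Same relay against the origin-bound scheme: the RP's challenge is
    forwarded to the victim, whose authenticator signs it for `page_origin`."""
    challenge = rp.new_challenge()
    return rp.verify_bound(challenge, bound_response(secret, challenge, page_origin))


if __name__ == "__main__":
    rp = RelyingParty(REAL_ORIGIN, SECRET)
    print("TOTP relayed within 20 s accepted:", relay_totp(rp, SECRET, NOW))        # True
    print("TOTP relayed after 90 s accepted: ", relay_totp(rp, SECRET, NOW, 90))    # False
    print("Bound response from real origin:  ", relay_bound(rp, SECRET, REAL_ORIGIN))      # True
    print("Bound response via lookalike:     ", relay_bound(rp, SECRET, LOOKALIKE_ORIGIN)) # False
```

The point for defenders is in the last two lines: the bound scheme rejects the relayed answer not because the attacker was slow but because the victim's authenticator committed to the lookalike origin, and the relying party checks that commitment. Shortening the TOTP window only narrows the relay's timing margin; it does not remove it.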
Group-IB’s investigation uncovered details about one of the channel’s administrators, who used the identifier X. Following that trail led to a Twitter account and a GitHub account that investigators believe belong to the same person. One of the profiles appears to show that the person resides in North Carolina.
Despite this possible error, the campaign was already one of the best executed in history. The fact that it was done at scale for six months, Group-IB said, makes it all the more formidable.
“The methods used by this threat actor are not special, but the planning and how it pivoted from company to company make the campaign worth investigating,” Thursday’s report concluded. “0ktapus shows how vulnerable modern organizations are to some basic social engineering attacks and how far-reaching the effects of such incidents can be for their partners and customers.”