The same hacking group that successfully breached Twilio Inc. and Cloudflare Inc. earlier this month is now believed to have breached over 130 organizations in the same phishing campaign.

As detailed by researchers at Group-IB Global Pvt. Ltd., the phishing campaign, codenamed “0ktapus” due to its impersonation of a popular identity and access management service, has resulted in an estimated 9,931 breached accounts in organizations primarily in the U.S. that use Okta Inc.’s IAM services. Okta had been previously targeted by the Lapsus$ hacking group in March.

Those behind 0ktapus then used the data stolen from Okta in March to carry out subsequent supply chain attacks. Along with Twilio and Cloudflare, other companies believed to be victims of the 0ktapus campaign include Mailchimp and DigitalOcean Holdings Inc. The hack of Twilio also exposed data from the encrypted messaging app Signal.

Bleeping Computer reports that other victims may include T-Mobile US Inc., MetroPCS, Verizon Wireless Inc., AT&T Inc., Slack Inc., Twitter Inc., Binance Holdings Ltd., KuCoin, Coinbase Inc., Microsoft Corp., Epic Games Inc., Riot Games Inc., Evernote Corp., HubSpot Inc., TTEC Holding Inc. and Best Buy Co. Inc.

According to Group-IB, the attacker’s initial objective was to obtain Okta identity credentials and two-factor authentication codes from users of the targeted organizations. With this information, the attackers could gain unauthorized access to any enterprise resources the victims had access to.

“This case is of interest because despite using low-skill methods it was able to compromise a large number of well-known organizations,” Rustam Mirkasymov, head of cyber threat research at Group-IB (Europe), wrote. “Furthermore, once the attackers compromised an organization they were quickly able to pivot and launch subsequent supply chain attacks, indicating that the attack was planned carefully in advance.”

In an interesting twist, the Group-IB researchers were able to link at least one member of the group behind 0ktapus to a Twitter and GitHub account that suggests the individual may be based in North Carolina.

The motivation behind the attacks remains unclear, with the researchers saying that espionage or financial gain are the two main possibilities.

“The Twilio and Cloudflare breaches demonstrate the rise in phishing attacks to successfully harvest credentials at the start of the attack chain to perpetrate a breach,” Patrick Harr, chief executive officer of anti-phishing company SlashNext Inc., told SiliconANGLE. “These attacks were well planned and executed.”

Roger Grimes, data-driven defense evangelist at security awareness training company KnowBe4 Inc., commented that this is yet another phishing attack showing how easy it is for adversaries to bypass supposedly secure multifactor authentication.

“Many cybersecurity leaders and organizations are touting the fake fact that MFA stops 99% of all hacking attacks. It doesn’t. It never will,” Grimes added.

Lior Yaari, CEO and co-founder of cybersecurity startup Grip Security Ltd., also noted that the attack demonstrates how fragile identity and access management is. “The industry should think about removing the burden of logins and passwords from employees who are susceptible to social engineering and sophisticated phishing attacks,” Yaari explained. “The best proactive remediation effort companies can make is to have users reset all their passwords, especially Okta, because the extent and cause of the breach are still unknown.”

Photo: Morten Brekkevold/Flickr
