“mimicked the Okta authentication page of their organization.”
The campaign targeted 114 US-based firms, with additional victims in 68 other countries. Group-IB researchers have revealed that the campaign was “incredibly successful,” and the full scale of the compromise remains unknown.
The 0ktapus hackers are believed to have begun their campaign by targeting telecommunications companies, in hopes of winning access to potential targets’ phone numbers. How the 0ktapus attackers obtained the list of phone numbers used in the MFA-related attacks is not known; one theory is that they collected the numbers from their initial attacks on mobile operators and telecommunications firms.
The compromise began with the phishing links sent to targets via text messages that led them to webpages mimicking the Okta authentication page used by their employer. This targeted compromise of mostly software-as-a-service (SaaS) firms was phase-one in a multi-pronged attack. 0ktapus’ ultimate goal was to access company mailing lists or customer-facing systems to facilitate supply-chain attacks.
In a related incident in which DoorDash was the victim, Group-IB identified the hallmark signs of an 0ktapus-style attack. DoorDash revealed that the attackers used stolen credentials belonging to a vendor’s employees to gain unauthorized access to the company’s internal tools. They then stole personal information, including names, phone numbers, email and delivery addresses, from customers and delivery people. Group-IB reported that a total of 5,441 MFA codes had been compromised by the attackers.
The compromise of MFA codes highlights how attackers can overcome even the most secure barriers. This is another phishing attack demonstrating how easy it is for adversaries to bypass supposedly secure multifactor authentication, warns Roger Grimes, data-driven defense evangelist at KnowBe4. He emphasizes that much needs to be done to move users from easily phish-able passwords to more secure multifactor authentication. Getting those benefits means investing resources, time, and money in implementing an MFA system properly. To reduce the risks of 0ktapus-type attacks, researchers recommend good hygiene around URLs and passwords and using FIDO2-compliant security keys for MFA.
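The reason FIDO2 keys are recommended here is that a WebAuthn assertion is bound to the page origin and the relying party ID, so a one-time code phished through a lookalike Okta page has no equivalent. The following is an added example, not code from the article or from Group-IB, showing the relying-party-side checks that enforce that binding. It assumes a constructed relying party ID `example.com`, a legitimate origin `https://login.example.com` and a lookalike `https://login-example.com`; the signature check over `authenticatorData || SHA-256(clientDataJSON)` is a separate required step and is not shown.

```python
"""
Added example (not from the original article): minimal relying-party checks of
the origin binding that makes FIDO2/WebAuthn MFA resistant to lookalike-domain
phishing. In WebAuthn the browser, not the web page, writes the page origin into
clientDataJSON, and the authenticator puts SHA-256(rpId) into the first 32 bytes
of authenticatorData. A relying party that verifies both rejects an assertion
produced on a lookalike domain, which one-time codes cannot do.

All names and values below are constructed for this example.
"""
import base64
import hashlib
import hmac
import json
import os

RP_ID = "example.com"                          # assumed relying party ID
EXPECTED_ORIGIN = "https://login.example.com"  # assumed legitimate origin


def b64url_decode(data: str) -> bytes:
    """Decode unpadded base64url as used in clientDataJSON."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def verify_assertion_binding(client_data_json: bytes, authenticator_data: bytes,
                             expected_challenge: bytes,
                             expected_origin: str = EXPECTED_ORIGIN,
                             rp_id: str = RP_ID) -> bool:
    """True only if the assertion is bound to our challenge, origin and RP ID.
    (Part of WebAuthn assertion verification; signature check omitted.)"""
    try:
        client_data = json.loads(client_data_json.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return False
    if client_data.get("type") != "webauthn.get":
        return False
    # The challenge must be the one this server issued for this login attempt,
    # which also defeats replay of a captured assertion.
    try:
        challenge = b64url_decode(client_data.get("challenge", ""))
    except (ValueError, TypeError):
        return False
    if not hmac.compare_digest(challenge, expected_challenge):
        return False
    # The browser wrote this origin; a phishing page cannot choose it.
    if client_data.get("origin") != expected_origin:
        return False
    # authenticatorData = rpIdHash (32) || flags (1) || signCount (4) || ...
    if len(authenticator_data) < 37:
        return False
    expected_hash = hashlib.sha256(rp_id.encode()).digest()
    if not hmac.compare_digest(authenticator_data[:32], expected_hash):
        return False
    user_present = bool(authenticator_data[32] & 0x01)
    return user_present


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """Constructed clientDataJSON as a browser would emit for a given origin."""
    return json.dumps({
        "type": "webauthn.get",
        "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode(),
        "origin": origin,
    }).encode()


def make_authenticator_data(rp_id: str, user_present: bool = True) -> bytes:
    """Constructed authenticatorData: rpIdHash || flags || signCount."""
    flags = 0x01 if user_present else 0x00
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags]) + (0).to_bytes(4, "big"))


def demo() -> dict:
    """Run the check against a genuine login and three phishing-style cases."""
    challenge = os.urandom(32)
    auth_data = make_authenticator_data(RP_ID)
    genuine = make_client_data("https://login.example.com", challenge)
    lookalike = make_client_data("https://login-example.com", challenge)
    replayed = make_client_data("https://login.example.com", os.urandom(32))
    return {
        "genuine": verify_assertion_binding(genuine, auth_data, challenge),
        "lookalike_origin": verify_assertion_binding(lookalike, auth_data, challenge),
        "wrong_challenge": verify_assertion_binding(replayed, auth_data, challenge),
        "wrong_rp_id": verify_assertion_binding(
            genuine, make_authenticator_data("login-example.com"), challenge),
    }


if __name__ == "__main__":
    print(demo())
```

Only the genuine case passes; the lookalike origin, a stale challenge and a credential scoped to a different RP ID are all rejected before any signature is examined. This is the property that a text-message or app-based one-time code lacks: the code carries no information about where it was typed, so a relay page like the ones in this campaign can forward it unchanged.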
In conclusion, this phishing campaign demonstrates the increasing sophistication of hacking groups and their ability to breach almost any security barrier. The compromise of MFA systems is particularly worrisome, given their promotion as an effective cybersecurity measure to protect against unauthorized access. Better cybersecurity education and training for the users of MFA systems may help organizations reduce the risks of these types of threats. However, MFA remains a critical cybersecurity measure, and stricter policies and procedures are needed to enhance its resilience against these sophisticated hacking attempts.