Criminal 0ktapus spoofed IAM firm in massive phishing attack

August 26, 2022

A large-scale phishing campaign dubbed 0ktapus, which reeled in unsuspecting users at Cloudflare and Twilio, among others, and led to a small downstream attack against the secure messaging service Signal, has been revealed to have compromised nearly 10,000 user accounts at more than 130 organisations worldwide by exploiting the brand of identity and access management (IAM) specialist Okta.

This is according to researchers at Group-IB, who have today published an analysis of the attackers’ phishing infrastructure, phishing domains, phishing kits and the Telegram comms channels they used to drop compromised information.

Singapore-based, Russia-founded Group-IB said it opened an investigation at the end of July when one of its threat intelligence customers asked it for more information on a phishing attempt targeting its employees.

The subsequent probe led its investigators to conclude that the attack, as well as those on Cloudflare and Twilio, were the result of a “simple yet very effective” phishing campaign that was “unprecedented in scale and reach” and had been ongoing since March 2022.

“While the threat actor may have been lucky in their attacks, it is far more likely that they carefully planned their phishing campaign to launch sophisticated supply chain attacks,” said Roberto Martinez, senior threat intelligence analyst at Group-IB Europe.

“It is not yet clear if the attacks were planned end-to-end in advance or whether opportunistic actions were taken at each stage. Regardless, the 0ktapus campaign has been incredibly successful, and the full scale of it may not be known for some time.”

Group-IB revealed the primary goal of the threat actors had been to obtain Okta identity credentials and multifactor authentication (MFA) codes from users at the targeted organisations. Those users received SMS messages containing links to phishing sites which mimicked their organisation’s Okta authentication page.

The investigators were not able to determine how the threat actors prepared their list of targets, nor how they obtained the phone numbers they needed. However, according to the compromised data that Group-IB was able to analyse, there may have been earlier attacks on mobile operators and telecoms companies to harvest data before this campaign got underway.

Group-IB said 0ktapus used 169 unique phishing domains incorporating keywords including “SSO”, “VPN”, “Okta”, “MFA” and “help”. These sites would have appeared almost identical to the legitimate Okta verification pages. All of them were created using a novel phishing kit, which contained code that enabled the attackers to configure a Telegram bot and channel into which they dropped their stolen data.
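As an added defensive example (not code from the article or from Group-IB's report), the heuristic below scores hostnames seen in constructed web-proxy log lines by the lure keywords listed above, so a SOC analyst can surface users who browsed to an Okta lookalike. The log format, the list of Okta-owned zones, the organisation name "examplecorp" and the sample hosts are all assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Keywords Group-IB reported seeing in the 0ktapus phishing domains.
LURE_KEYWORDS = ("sso", "vpn", "okta", "mfa", "help")
# Assumed: zones where a tenant's genuine Okta sign-in page is served.
LEGIT_SUFFIXES = (".okta.com", ".oktapreview.com", ".okta-emea.com")
# Assumed: the organisation's own name, which lure domains pair with a keyword.
ORG_TOKENS = ("examplecorp",)
# Assumed log format: "<timestamp> <user> <url>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<url>https?://\S+)$")

def is_legit_okta_host(host: str) -> bool:
    # True only for hosts inside the Okta-owned zones listed above.
    return any(host == s[1:] or host.endswith(s) for s in LEGIT_SUFFIXES)

def lookalike_score(host: str) -> int:
    """Count lure signals in a hostname; 0 means nothing suspicious."""
    subject = host.lower().rstrip(".")
    if is_legit_okta_host(subject):
        return 0
    # One point per lure keyword present anywhere in the hostname.
    score = sum(1 for kw in LURE_KEYWORDS if kw in subject)
    # "okta" or the "0kta" homoglyph outside Okta's own zones is a strong signal.
    if re.search(r"[o0]kta", subject):
        score += 2
    # The organisation's name on a domain it does not own adds weight.
    if any(tok in subject for tok in ORG_TOKENS):
        score += 1
    return score

def flag_lines(lines, threshold: int = 2):
    # Return (user, host, score) for each log line at or above the threshold.
    flagged = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        host = urlsplit(m.group("url")).hostname or ""
        score = lookalike_score(host)
        if score >= threshold:
            flagged.append((m.group("user"), host, score))
    return flagged

# Constructed sample log lines; the hosts are illustrative, not real IoCs.
SAMPLE_LOG = [
    "2022-08-02T10:14:03Z alice https://examplecorp.okta.com/login/login.htm",
    "2022-08-02T10:15:11Z bob https://examplecorp-sso.com/okta/mfa",
    "2022-08-02T10:16:40Z carol https://vpn-help.example-0kta.net/",
    "2022-08-02T10:17:02Z dave https://intranet.examplecorp.internal/help",
]
```

Running `flag_lines(SAMPLE_LOG)` surfaces bob and carol but not dave, whose internal host carries the organisation name without any lure keyword; the keyword list and threshold are starting points to tune against your own traffic.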

All told, 0ktapus stole a total of 9,931 unique user credentials, including 3,129 records with valid email addresses and 5,441 records with MFA codes. Since two-thirds of the records did not contain a valid corporate email, merely a username and an MFA code, the research team were only able to determine the region where the users were located, meaning not all targeted organisations could be identified.

What can be stated with confidence is that 114 of the 136 known victim organisations were US-headquartered companies. None were based in the UK; however, approximately 97 UK-based users had their credentials compromised by 0ktapus, compared with more than 5,500 in the US. Other compromised users were spread around the world, with over 40 apiece found in Canada, Germany, India and Nigeria.

Most of the victim organisations were, like Cloudflare and Twilio, IT providers, software companies or cloud services firms. Smaller numbers of victims were also found in the telco sector, general business services and financial services, and smaller numbers still in education, retail and logistics, legal services and utilities. Group-IB said it had notified all victims it could identify.

In terms of identifying the threat actors behind 0ktapus, Group-IB was also able to retrieve some of the details of one of the administrators of its Telegram channels, and from there identified their GitHub and Twitter accounts. This individual goes by the handle X and is thought to live in North Carolina in the US, although this may not be their true location.

Rustam Mirkasymov, head of cyber threat research at Group-IB Europe, said 0ktapus’s methods were nothing special, but the effort it put into planning, and pivoting across multiple victims, made the campaign a noteworthy one.

“0ktapus shows how vulnerable modern organisations are to some basic social engineering attacks and how far-reaching the effects of such incidents can be for their partners and customers. By making our findings public we hope that more companies will be able to take preventive steps to protect their digital assets,” he said.

More information on Group-IB’s findings, including a breakdown of indicators of compromise (IoCs), is available to read here.

This is the second major incident to have involved Okta in some way in recent months, coming after the firm was caught up in a supply chain attack when the Lapsus$ cyber extortion gang compromised a third party, Sitel, in January 2022. There is no indication that the two incidents have any connection whatsoever.

Okta had not responded to a request for comment at the time of publishing.
