The attackers behind the breaches at Twilio, MailChimp and Klaviyo also compromised more than 130 companies using the same phishing campaign.
The primary goal of the threat actors was to obtain Okta identity credentials and MFA codes from users of the targeted organizations. These users received text messages containing links to phishing sites that mimicked the Okta authentication page of their organization.
The phishing campaign used a phishing kit codenamed ‘0ktapus’, after the popular Identity and Access Management service it impersonated, to steal approximately 10,000 credentials, which the attackers then used to access corporate networks and systems through VPNs and other remote access devices.
Once the attackers compromised a single organization, they were quickly able to pivot and launch subsequent supply chain attacks.
Researchers found that the threat actor stole 9,931 user credentials, including 3,129 records with emails and 5,441 records with MFA codes; roughly two-thirds of the records contained no corporate email, only a username and a 2FA code.
The threat actors started their attacks by targeting mobile operators and telecommunications companies and may have collected the victims’ phone numbers from those initial intrusions, but how the phone numbers were actually obtained is still unknown.
Researchers uncovered and analyzed the attackers’ phishing infrastructure, including the phishing domains, the phishing kit, and the Telegram channel controlled by the threat actors, to which the stolen information was sent.
There are about 169 unique phishing domains involved in the 0ktapus campaign. The domains used keywords like SSO, VPN, OKTA, MFA, and HELP.
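As an added defensive example, not taken from the Group-IB research or this article, the check below flags lookalike hosts that pair an organisation’s name with the keywords listed above while sitting outside the organisation’s legitimate domains; the org name `acme`, the legitimate domains, the digit-for-letter normalisation and the sample URLs are all constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Keywords the article reports in the 0ktapus phishing domains.
CAMPAIGN_KEYWORDS = {"sso", "vpn", "okta", "mfa", "help"}

# Assumption: common digit-for-letter swaps (e.g. "0kta" for "okta") are normalised before matching.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s"})

# Constructed sample: link targets as they might appear in a mobile-device or proxy log.
SAMPLE_URLS = [
    "https://acme.okta.com/login",    # legitimate Okta tenant
    "https://acme-sso.com/okta",      # lookalike: brand + SSO
    "https://sso-acme-help.net/",     # lookalike: brand + SSO + HELP
    "https://acme-0kta.com/signin",   # lookalike with a zero in place of the letter o
    "https://vpn-help.com/",          # keywords but no brand token: not flagged by this check
    "https://mail.acme.com/owa",      # legitimate corporate host
]
LEGIT_DOMAINS = {"acme.com", "okta.com"}  # constructed allow-list (registrable domains)

def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); enough for the sample, not for public-suffix edge cases."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def is_lookalike(host: str, org_token: str, legit_domains: set) -> bool:
    """True when the host is outside the allow-list and a label contains both the org name
    (after homoglyph normalisation) and one of the campaign keywords."""
    host = host.lower().strip(".")
    if registrable_domain(host) in legit_domains:
        return False
    tokens = set(re.split(r"[.\-_]", host.translate(HOMOGLYPHS)))
    has_brand = any(org_token in t for t in tokens)
    has_keyword = any(k in t for t in tokens for k in CAMPAIGN_KEYWORDS)
    return has_brand and has_keyword

def flag_urls(urls, org_token: str, legit_domains: set) -> list:
    """Return the hosts from a list of URLs that look like campaign-style phishing domains."""
    hosts = (urlsplit(u).hostname or "" for u in urls)
    return [h for h in hosts if is_lookalike(h, org_token, legit_domains)]

if __name__ == "__main__":
    for host in flag_urls(SAMPLE_URLS, "acme", LEGIT_DOMAINS):
        print("suspicious host:", host)
```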
All victim organizations identified by researchers have been notified and provided with the list of compromised accounts. The findings about the alleged identity of the threat actor have been shared with international law enforcement agencies.
This research was done and documented by researchers from Group-IB.