Twilio, Cloudflare just two of 135 orgs targeted by Oktapus phishing campaign

Updated Criminals behind the cyberattack attempts on Twilio and Cloudflare earlier this month had cast a much wider net in their phishing expedition, targeting as many as 135 organizations — primarily IT, software development and cloud services providers based in the US.

The gang went after the employees of Okta customers, sending victims text messages with malicious links to sites spoofing their company's authentication page to harvest their work login credentials and multi-factor authentication codes. Because of this, Group-IB analysts named the campaign Oktapus. 

In research published Thursday, the threat intel team revealed the Oktapus phishing trip, which began in March, snaffled 9,931 user credentials and 5,441 multi-factor authentication codes. 

"The initial objective of the attackers was clear: obtain Okta identity credentials and two-factor authentication (2FA) codes from users of the targeted organizations," Group-IB researchers Roberto Martinez and Rustam Mirkasymov wrote.

"With this information in hand, the attackers could gain unauthorized access to any enterprise resources the victims have access to."

The crooks then used the stolen credentials and 2FA codes to carry out several supply-chain attacks. They broke into marketing firm Klaviyo and email service Mailchimp, which then allowed the miscreants to harvest the email addresses of DigitalOcean customers to phish those folks.

And, of course, the attackers tried and failed to hit Cloudflare, and successfully got into Twilio, which then allowed them to target the users of Twilio customer Signal and gain the phone numbers and registration codes for 1,900 users of the encrypted messaging service.

Group-IB's research includes a screenshot of some of the phishing sites that mimicked Okta authentication pages, and based on that, targeted companies include AT&T, Verizon, T-Mobile and email service Mailgun.

In total, the researchers found 169 unique domains involved in Oktapus, and they noted that the phishing kit used by the attackers included a legitimate image used by sites that require Okta authentication.

• Digital Ocean dumps Mailchimp after attack leaked customer email addresses
• 1,900 Signal users exposed: Twilio attacker 'explicitly' looked for certain numbers
• Cloudflare: Someone tried to pull the Twilio phishing tactic on us too
• Twilio customer data exposed after its staffers got phished

The phishing sites, which looked very similar to the organizations' real authentication pages, asked employees to enter their username and password, and then asked them for a 2FA code. These stolen credentials were then sent to an attacker-controlled Telegram channel, and miscreants used them to access corporate data, emails and internal documents, we're told.

While most of the companies targeted can be broadly categorized as technology firms — this includes 53 software vendors, 22 telecom companies and 21 business services providers — attackers also hit organizations in finance (13), education (9), retail (7), logistics (4), video games (2), legal services (2), and power supply (2). 

"Seeing financial companies in the compromised list gives us the idea that the attackers were also trying to steal money," the researchers noted. "Furthermore, some of the targeted companies provide access to crypto assets and markets, whereas others develop investment tools."

The bulk of the targeted organizations are headquartered in the US (114), and those in other countries have US-based employees who were targeted, according to Group-IB.

However, they warned, we probably won't know the full scope of the attack for some time. ®

Updated to add

Twilio has issued an updated advisory saying that a small number of users of Authy – which is Twilio's free two-factor authentication app – were caught up in this wide-reaching campaign, based on further forensic work. Twilio also said it has identified a total of 163 customers whose data was accessed by intruders.

"Our investigation has identified that the malicious actors gained access to the accounts of 93 individual Authy users, out of a total of approximately 75 million users, and registered additional devices to their accounts," it said. "We have since identified and removed unauthorized devices from these Authy accounts."

All 93 users have been contacted, and Twilio has recommended Authy users check to see that everything checks out with their accounts and to keep an eye out for suspicious activity.