In a single phishing attempt, the hackers behind a number of recent attacks, such as those targeting Twilio, Cloudfare, MailChimp, and Klaviyo, infiltrated over 130 firms.
Through this phishing attack, 9,931 login credentials were stolen using a phishing kit with the codename "0ktapus," which the hackers then used to log into business networks and systems using VPNs and other remote access tools.
Because the primary intent of the assaults was to "get Okta identity credentials and two-factor authentication (2FA) codes from users of the targeted organizations," the conduct has been denounced by Group-IB.
The Singapore-based corporation said that the opponent sought out employees of businesses that use Okta, a provider of identity services, and praised the attacks for being well-planned and carried out. With the help of the identity-as-a-service (IDaaS) platform Okta, employees may access all of their company's software with just one login.
The phrases "OKTA," "HELP," "VPN," and "SSO" were used in 169 different phishing domains that supported the 0ktapus campaign.
In addition, customers who used these services, such as Signal, and DigitalOcean, became the target of supply-chain attacks as a result of these breaches.
The threat actors targeted businesses in a variety of areas, including bitcoin, technology, banking, and recruiting, based on the phishing domains built as part of this effort.
These login credentials were then utilized by the hackers to log into internal customer support systems, corporate networks, and VPNs in order to steal consumer data. As earlier witnessed with DigitalOcean and Signal, subsequent supply-chain hacks were carried out using this customer data.
The hacked information was disseminated over a Telegram channel via the phishing kit employed in this effort. One of the channel administrators who went by the handle "X" was connected by the experts to a Twitter and GitHub account, which suggests the person may be based in North Carolina, US.
Threat actors frequently targeted data belonging to organizations in the bitcoin industry, according to revelations from previous victims.
According to Group-IB, the hackers were able to steal 5,441 records with MFA codes, 3,129 data with emails, and 9,931 records with user credentials from 136 businesses, with the mass of the targeted businesses being based in the United States.
