The threat actor behind the attacks on Twilio and Cloudflare earlier this month has been linked to a broader phishing campaign aimed at 136 organizations that resulted in a cumulative compromise of 9,931 accounts.
The activity has been condemned 0ktapus by Group-IB because the initial goal of the attacks was to "obtain Okta identity credentials and two-factor authentication (2FA) codes from users of the targeted organizations."
Calling the attacks well designed and executed, the Singapore-headquartered company said the adversary singled out employees of companies that are customers of identity services provider Okta.
The modus operandi involved sending targets text messages containing links to phishing sites that impersonated the Okta authentication page of the respective targeted entities.
"This case is of interest because despite using low-skill methods it was able to compromise a large number of well-known organizations," Group-IB said. "Furthermore, once the attackers compromised an organization they were quickly able to pivot and launch subsequent supply chain attacks, indicating that the attack was planned carefully in advance."
At least 169 unique phishing domains are said to have been set up for this purpose, with victim organizations primarily located in the U.S. (114), India (4), Canada (3), France (2), Sweden (2), and Australia (1), among others. ..
Support the originator by clicking the read the rest link below.
