Two weeks ago, Twilio and Cloudflare detailed a phishing attack so methodical and well-orchestrated that it tricked employees from both companies into revealing their account credentials. In the case of Twilio, the attack overrode its 2FA protection and gave the threat actors access to its internal systems. Now, researchers have unearthed evidence the attacks were part of a massive phishing campaign that netted almost 10,000 account credentials belonging to 130 organizations.
Based on the revelations provided by Twilio and Cloudflare, it was already clear that the phishing attacks were executed with almost surgical precision and planning. Somehow, the threat actor had obtained private phone numbers of employees and, in some cases, their family members. The attackers then sent text messages that urged the employees to log in to what appeared to be their employers’ legitimate authentication page.
In 40 minutes, 76 Cloudflare employees received the text message, which included a domain name registered only 40 minutes earlier, thwarting safeguards the company has in place to detect sites that spoof its name. The phishers also used a proxy site to perform hijacks in real time, a method that allowed them to capture the one-time passcodes Twilio used in its 2FA verifications and enter them into the real site. Almost immediately, the threat actor used its access to Twilio’s network to obtain phone numbers belonging to 1,900 users of the Signal Messenger.
Unprecedented scale and reach
A report security firm Group-IB published on Thursday said an investigation it performed on behalf of a customer revealed a much larger campaign. Dubbed “0ktapus,” it has used the same techniques over the past six months to target 130 organizations and successfully phish 9,931 credentials. The threat actor behind the attacks amassed no fewer than 169 unique Internet domains to snare its targets. The sites, which included keywords such as “SSO,” “VPN,” “MFA,” and “HELP” in their domain names, were all created using the same previously unknown phishing kit.
“The investigation revealed that these phishing attacks as well as the incidents at Twilio and Cloudflare were links in a chain—a simple yet very effective single phishing campaign unprecedented in scale and reach that has been active since at least March 2022,” Group-IB researchers wrote. “As Signal disclosures showed, once the attackers compromised an organization, they were quickly able to pivot and launch subsequent supply chain attacks.”
While the threat actor may have been lucky in their attacks it is far more likely that they carefully planned their phishing campaign to launch sophisticated supply chain attacks. It is not yet clear if the attacks were planned end-to-end in advance or whether opportunistic actions were taken at each stage. Regardless, the 0ktapus campaign has been incredibly successful, and the full scale of it may not be known for some time.
Group-IB didn’t identify any of the compromised companies except to say that at least 114 of them are located or have a presence in the US. Most of the targets provide IT, software development, and cloud services. Okta on Thursday revealed in a post that it was among the victims.
The phishing kit led investigators to a Telegram channel that the threat actors used to bypass 2FA protections that rely on one-time passwords. When a target entered a username and password into the fake site, that information was immediately relayed over the channel to the threat actor, which would then enter it into the real site. The fake site would then instruct the target to enter the one-time authentication code. When the target complied, the code would be sent to the attacker, allowing the attacker to enter it into the real site before the code expired.
Group-IB’s investigation uncovered details about one of the channel administrators who uses the handle X. Following that trail led to a Twitter and GitHub account the researchers believe is owned by the same person. A user profile appears to show that the person resides in North Carolina.
Despite this potential slip-up, the campaign was already one of the most well-executed ever. The fact that it was performed at scale over six months, Group-IB said, makes it all the more formidable.
“The methods used by this threat actor are not special, but the planning and how it pivoted from one company to another makes the campaign worth looking into,” Thursday’s report concluded. “0ktapus shows how vulnerable modern organizations are to some basic social engineering attacks and how far-reaching the effects of such incidents can be for their partners and customers.”
Author: Dan Goodin