
A few weeks ago, the threat actor who orchestrated the attacks against Twilio and Cloudflare was connected to a broader phishing scheme that targeted 136 organisations. In total, 9,931 accounts were compromised as part of this campaign.

Group-IB has described the hacking campaign as an attempt to obtain Okta identity credentials and two-factor authentication (2FA) codes from the organisations’ users.

The campaigns were dubbed “well-designed and well-executed” by the Singapore-based firm, which claimed that the adversary targeted employees of Okta’s client companies.

“The attackers were very active and tried to get as many victims as possible in a short period,” said Dmitry Galov, head of Group-IB’s threat intelligence team.

“We detected that the adversary was scanning the Internet for Okta subdomains, likely in an attempt to find new victims.”

According to Group-IB, the threat actor used carefully crafted spear-phishing emails that looked like they came from Okta.

The emails claimed that the recipient’s account needed to be updated and directed them to a fake Okta login page. Once the victim entered their credentials, the attacker used an automated bot to check whether the victim had also entered a 2FA code.

If the victims entered the 2FA code, the attacker would then be able to use the victim’s Okta account to gain access to corporate resources.

“In some cases, they were successful in stealing data from the victims’ accounts,” Galov said. “In other cases, they only managed to get 2FA codes but didn’t succeed in bypassing Okta’s security mechanisms.”

Group-IB has not named the organisations that the hackers targeted in this campaign. However, many of them are likely based in the United States, given that authorities traced most of the IP addresses used in the attacks to that country.

This is not the first time that the Okta hackers have struck. In February, they targeted Cloudflare with a similar phishing scheme.

A month later, they successfully breached Twilio’s systems and gained access to customer data.

At least 169 phishing domains were set up for this purpose, primarily targeting organisations in the U.S. (114), India (4), Canada (3), France (2), Sweden (2), and Australia (1). These websites used a previously undocumented phishing kit.
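The campaign relied on Okta-themed lookalike hostnames that paired a target company's name with a login theme, and the report notes the actor scanning for Okta subdomains. The screening function below is an added defender-side example, not code from Group-IB or the article, for triaging newly observed domains against that pattern; the legitimate parent list, the SSO token list and the sample hostnames are all constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Assumption: parent domains that legitimately host Okta tenants. Extend with
# any custom domains your own tenant uses.
LEGIT_OKTA_PARENTS = ("okta.com",)
# Assumption: label tokens the lookalike hostnames combined with a company name.
SSO_TOKENS = ("sso", "login", "signin", "auth", "mfa", "2fa", "verify")


@dataclass
class Verdict:
    domain: str
    suspicious: bool
    reasons: list = field(default_factory=list)


def _is_legit_okta(domain: str) -> bool:
    # A real tenant is always a subdomain of an Okta-operated parent.
    return any(domain == p or domain.endswith("." + p) for p in LEGIT_OKTA_PARENTS)


def assess_domain(domain: str, company_tokens=()) -> Verdict:
    """Flag a hostname that abuses the Okta brand or pairs a monitored
    company name with an SSO-themed label outside a legitimate parent."""
    d = domain.lower().strip(".")
    if _is_legit_okta(d):
        return Verdict(d, False, ["under a legitimate Okta parent domain"])
    labels = re.split(r"[.\-_]", d)          # split on dots, dashes, underscores
    reasons = []
    brand_abuse = "okta" in d
    if brand_abuse:
        reasons.append("uses the Okta brand outside okta.com")
    sso_hits = [t for t in SSO_TOKENS if t in labels]
    company_hits = [c for c in company_tokens if c.lower() in d]
    if company_hits and sso_hits:
        reasons.append("pairs %s with login-themed label(s) %s"
                       % (", ".join(company_hits), ", ".join(sso_hits)))
    return Verdict(d, brand_abuse or bool(company_hits and sso_hits), reasons)


def screen(domains, company_tokens=()):
    """Return only the suspicious verdicts for a batch of observed hostnames."""
    return [v for v in (assess_domain(x, company_tokens) for x in domains) if v.suspicious]


# Constructed sample hostnames (not from the report); "examplecorp" stands in
# for a monitored brand.
SAMPLE = ["examplecorp.okta.com", "examplecorp-okta.com", "sso-examplecorp.net",
          "okta-help.example", "news.example.org"]

if __name__ == "__main__":
    for v in screen(SAMPLE, ("examplecorp",)):
        print(v.domain, "->", "; ".join(v.reasons))
```

Feed it hostnames from whatever new-domain or certificate feed you already collect; a hit is a lead for takedown or blocklisting, not proof of a phishing site.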

It’s still not clear who is behind these attacks. However, Group-IB believes they are likely part of a more comprehensive cyber-espionage campaign that a nation-state actor is carrying out.

These latest attacks show that the Okta hackers are still active and are constantly finding new ways to target their victims. Organisations need to be aware of these threats and take steps to protect themselves.

Organisations should ensure that their employees are trained to spot phishing emails and that they have a robust 2FA solution. They should also consider using a tool like Okta Verify, which makes it more difficult for attackers to bypass 2FA protections.
