Researchers say a mysterious ‘threat actor’ (a fancy term for a hacker or group of hackers) managed to steal nearly 10,000 login credentials from employees of 130 organizations in the latest large-scale supply chain attack against American companies. It started with identity and access management provider Okta, according to the report released Thursday. The hacking campaign could have gone on for months.
The news comes from research by cybersecurity firm Group-IB, which began looking into the hacking campaign after a customer was phished and asked for help. The research shows that the threat actor behind the campaign, which researchers have dubbed “0ktapus”, used low-skill tactics to target personnel from many well-known companies. The hacker(s) would use stolen login credentials to gain access to corporate networks, steal data, and then use what they found to break into another company’s network. Many of the victims are prominent software vendors, including companies like Twilio, MailChimp, Cloudflare, and others. Some 125 companies using Twilio had their data compromised.
“This case is interesting because despite using low-skilled methods, it was able to compromise a large number of well-known organizations,” the researchers wrote on their blog on Thursday. “Furthermore, once attackers compromised an organization, they were able to quickly pivot and launch subsequent supply chain attacks, indicating that the attack had been carefully planned in advance.”
How the hack campaign worked
Unfortunately, this is not a totally unknown story. The past few years have been tough enough for enterprise cybersecurity, tough enough to inspire the question: Are blue-chip tech companies totally clueless at protecting themselves, do hackers keep getting lucky, or is it some of both? This isn’t even the first time Okta has been hacked this year. Although we can’t say for sure either way, what is clear is that the “0ktapus” campaign, like many other recent hacking episodes, was remarkably successful in compromising a wide range of corporate networks using basic intrusion techniques.
The researchers say the hackers used a fairly standard tool, a phishing toolkit, to target employees of companies they wanted to breach. These kits are prepackaged hacking tools that can be purchased – usually at fairly low prices – on the dark web. In this case, hackers first targeted companies that used Okta, the identity and access management company that provides single sign-on services to platforms across the web. Using the toolkit, the threat actor sent phishing text messages that led victims to pages designed to look like the identity authentication pages provided by Okta. Thinking they were going through a normal security procedure, victims would enter their information, including username, password, and multi-factor authentication code.
Once a victim entered this information, the data was secretly routed to a Telegram account controlled by the cybercriminals. From there, the threat actor could use the victims’ Okta credentials to log into the organizations they worked for. Network access was then abused to steal corporate data and engage in more sophisticated supply chain attacks that targeted the larger corporate ecosystems of which the companies were a part.
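The campaign depended on victims following a text-message link to a page whose hostname merely resembled their employer’s real Okta login. The following is an added illustrative example, not code from the article or from Group-IB’s report, of the kind of check a defender can run over inbound SMS reports to flag links to lookalike identity-provider pages. The allowlisted tenant hostnames (`example-corp.okta.com`, `sso.example-corp.com`), the keyword list and the sample messages are all constructed for the example; a real deployment would load the allowlist from configuration and feed it the messages employees report.

```python
"""Flag reported SMS messages that link to lookalike SSO login pages.

Added illustrative example; the hostnames, keywords and messages are
constructed and do not come from the article or Group-IB's report.
"""
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Constructed allowlist: the only hostnames that legitimately serve this
# organisation's single sign-on login page.
LEGIT_LOGIN_HOSTS = {
    "example-corp.okta.com",
    "sso.example-corp.com",
}

# Constructed list of brand/SSO keywords a lookalike hostname tends to borrow.
LURE_KEYWORDS = ("okta", "sso", "example-corp")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(text: str) -> list[str]:
    """Pull URLs out of free text, dropping trailing sentence punctuation."""
    return [u.rstrip(".,;:!?)") for u in URL_RE.findall(text)]


def host_of(url: str) -> str:
    """Normalised hostname of a URL (lower-case, no trailing dot)."""
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def is_legit_host(host: str) -> bool:
    # Exact match only: "example-corp.okta.com.evil.test" must not pass.
    return host in LEGIT_LOGIN_HOSTS


def looks_like_lure(host: str) -> bool:
    """A non-allowlisted hostname that borrows an SSO or brand keyword."""
    return not is_legit_host(host) and any(k in host for k in LURE_KEYWORDS)


def classify_message(text: str) -> dict:
    """Verdict for one SMS: 'lure', 'legit', 'unknown' or 'no-link'."""
    hosts = [host_of(u) for u in extract_urls(text)]
    if not hosts:
        return {"verdict": "no-link", "hosts": hosts}
    if any(looks_like_lure(h) for h in hosts):
        return {"verdict": "lure", "hosts": hosts}
    if all(is_legit_host(h) for h in hosts):
        return {"verdict": "legit", "hosts": hosts}
    return {"verdict": "unknown", "hosts": hosts}


# Constructed sample messages of the kind employees might forward to security.
SAMPLE_MESSAGES = [
    "IT: your Okta session expires today. Re-verify at https://example-corp-okta.com/login.",
    "Reminder: sign in at https://example-corp.okta.com/ before Friday to rotate your password",
    "Your package is out for delivery.",
    "Verify now: https://example-corp.okta.com.sso-verify.test/",
]


def scan_messages(messages: list[str]) -> list[str]:
    """Return one verdict per message, in order."""
    return [classify_message(m)["verdict"] for m in messages]


if __name__ == "__main__":
    for msg, verdict in zip(SAMPLE_MESSAGES, scan_messages(SAMPLE_MESSAGES)):
        print(f"{verdict:8s} {msg}")
```

The exact-match allowlist is deliberate: the fourth sample message places the genuine tenant name in a subdomain of an unrelated registrable domain, which a substring or prefix check would wave through. The keyword heuristic only ranks messages for a human to look at; it is no substitute for phishing-resistant authentication, since a one-time code typed into a convincing page is captured just as easily as a password.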
It’s unclear exactly how the hacker(s) would have initially gained access to the phone numbers of the staff members they targeted, although this information can sometimes be extracted from previous data breaches or purchased on the dark web.
Who is behind the hacking campaign?
Group-IB researchers believe they have in fact discovered the identity of someone potentially linked to the phishing campaign. Using Group-IB’s own proprietary tools, researchers were able to track down Twitter and Github accounts that may be linked to a hacker associated with the campaign. This person goes by the username “X” and is known to be active on Telegram channels commonly used by cybercriminals. Researchers said both accounts share the same username and profile picture, and both also claim the user is a 22-year-old software developer. The Github account suggests the user is based in North Carolina, the researchers write.
Group-IB has not released the identity of Subject X, although it has provided additional analysis of the tactics and techniques used in the hacking campaign. Contextual clues uncovered during the investigation “may indicate that the attacker is inexperienced,” the researchers write, although they also note that whoever ran the campaign did a reasonably good job of choosing targets. The report states:
“While it is possible that the threat actor was lucky in their attacks, it is much more likely that they carefully crafted their attacks in order to launch the sophisticated supply chain attacks described above. It is not yet clear if the attacks were planned from start to finish in advance or if opportunistic actions were taken at every stage. Regardless, it is clear that the attack was incredibly successful and the scale of the attack may not be known for some time.”
You don’t have to be a seasoned cybercriminal to use a phishing toolkit. Indeed, the way the cybercrime economy is structured today allows even the most technically inexperienced Internet user to equip themselves with powerful hacking tools that can cause a lot of damage. It’s unfortunate, but if you want to buy a cyber weapon that can take down a website or steal someone’s MFA codes, all you usually need is a VPN, some crypto, and a lack of scruples.
Signal and other hacks
Although we do not know who is responsible for this phishing campaign, what is clear is that they have created a mess. The terrible thing about supply chain attacks is that they tend to have a cascading effect. Because of the way the software industry is structured today (think: a network of enterprise systems, in which each technology company outsources some or most of its IT processes to another company), an intrusion into one business can sometimes cause problems for dozens (or hundreds) of others. Case in point: we’re now seeing a slow trickle of companies announcing data breaches related to this hacking episode, and it’s unlikely to be over.
More recently, food delivery app DoorDash announced on Thursday that a data breach had occurred. In a blog post, the company noted that cybercriminals managed to phish one of its third-party vendors, potentially exposing certain corporate information as well as customer information – including names, email addresses, shipping addresses and phone numbers – for an undisclosed number of app users.
Meanwhile, the hack of Twilio – a widely used communications provider – has sparked security concerns for a host of companies that use its services. Twilio admitted that the data of as many as 125 customers was potentially exposed by the incident. More importantly, the hack created a security hole in the Signal encrypted chat app. Signal, which uses Twilio for phone number verification services, saw some 1,900 user accounts partially affected — a pretty unfortunate turn of events for a company that prides itself on securing user data. It appears that the threat actor was trying to access Signal conversations and user data, although Signal stressed that message history and other sensitive information were not affected by the incident.
At the same time, other companies such as newsletter provider MailChimp, which was hacked in April, appear to have been exploited for user information associated with cryptocurrency businesses. In theory, this information could be used to target crypto users with additional phishing scams.
Given the number of companies caught up in this debacle, it’s unlikely this will be the last we’ll hear about the hacking campaign, which Group-IB seemed to acknowledge in its article on Thursday. “In line with Group-IB’s mission to fight cybercrime, we will continue to explore the methods, tools and tactics used by these phishing actors,” the researchers wrote. “We will also continue to inform and warn targeted organizations around the world.”