惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

美团技术团队
D
DataBreaches.Net
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
D
Docker
N
Netflix TechBlog - Medium
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
C
Check Point Blog
腾讯CDC
Stack Overflow Blog
Stack Overflow Blog
V
Visual Studio Blog
IT之家
IT之家
月光博客
月光博客
U
Unit 42
K
Kaspersky official blog
T
Threatpost
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
GbyAI
GbyAI
P
Proofpoint News Feed
Last Week in AI
Last Week in AI
云风的 BLOG
云风的 BLOG
酷 壳 – CoolShell
酷 壳 – CoolShell
I
InfoQ
Engineering at Meta
Engineering at Meta
Recorded Future
Recorded Future
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
S
Security @ Cisco Blogs
MyScale Blog
MyScale Blog
大猫的无限游戏
大猫的无限游戏
Security Archives - TechRepublic
Security Archives - TechRepublic
Webroot Blog
Webroot Blog
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
Hacker News - Newest:
Hacker News - Newest: "LLM"
S
Schneier on Security
S
Secure Thoughts
The Register - Security
The Register - Security
B
Blog RSS Feed
The Last Watchdog
The Last Watchdog
P
Palo Alto Networks Blog
爱范儿
爱范儿
B
Blog
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
N
News and Events Feed by Topic
阮一峰的网络日志
阮一峰的网络日志
L
LINUX DO - 热门话题
C
Cisco Blogs
Spread Privacy
Spread Privacy
F
Full Disclosure
博客园 - 聂微东
T
The Blog of Author Tim Ferriss

Threatpost

Student Loan Breach Exposes 2.5M Records Watering Hole Attacks Push ScanBox Keylogger Ransomware Attacks are on the Rise Cybercriminals Are Selling Access to Chinese Surveillance Cameras Twitter Whistleblower Complaint: The TL;DR Version Firewall Bug Under Active Attack Triggers CISA Warning Fake Reservation Links Prey on Weary Travelers iPhone Users Urged to Update to Patch 2 Zero-Days Google Patches Chrome’s Fifth Zero-Day of the Year
Tentacles of ‘0ktapus’ Threat Group Victimize 130 Firms
Nate Nelson · 2022-08-29 · via Threatpost

Over 130 companies tangled in sprawling phishing campaign that spoofed a multi-factor authentication system.

Targeted attacks on Twilio and Cloudflare employees are tied to a massive phishing campaign that resulted in 9,931 accounts at over 130 organizations being compromised. The campaigns are tied to focused abuse of identity and access management firm Okta, which gained the threat actors the 0ktapus moniker, by researchers.

“The primary goal of the threat actors was to obtain Okta identity credentials and multi-factor authentication (MFA) codes from users of the targeted organizations,” wrote Group-IB researchers in a recent report. “These users received text messages containing links to phishing sites that mimicked the Okta authentication page of their organization.”

Impacted were 114 US-based firms, with additional victims of sprinkled across 68 additional countries.

Roberto Martinez, senior threat intelligence analyst at Group-IB, said the scope of the attacks is still an unknown. “The 0ktapus campaign has been incredibly successful, and the full scale of it may not be known for some time,” he said.

What the 0ktapus Hackers Wanted

The 0ktapus attackers are believed to have begun their campaign by targeting telecommunications companies in hopes of winning access to potential targets’ phone numbers.

While unsure exactly how threat actors obtained a list of phone numbers used in MFA-related attacks, one theory researchers posit is that 0ktapus attackers began their campaign targeting telecommunications companies.

“[A]ccording to the compromised data analyzed by Group-IB, the threat actors started their attacks by targeting mobile operators and telecommunications companies and could have collected the numbers from those initial attacks,” researchers wrote.

Next, attackers sent phishing links to targets via text messages. Those links led to webpages mimicking the Okta authentication page used by the target’s employer. Victims were then asked to submit Okta identity credentials in addition to a multi-factor authentication (MFA) codes employees used to secure their logins.

In an accompanying technical blog, researchers at Group-IB explain that the initial compromises of mostly software-as-a-service firms were a phase-one in a multi-pronged attack. 0ktapus’ ultimate goal was to access company mailing lists or customer-facing systems in hopes of facilitating supply-chain attacks.

In a possible related incident, within hours of Group-IB publishing its report late last week, the firm DoorDash revealed it was targeted in an attack with all the hallmarks of an 0ktapus-style attack.

Blast Radius: MFA Attacks

In a blog post DoorDash revealed; “unauthorized party used the stolen credentials of vendor employees to gain access to some of our internal tools.” The attackers, according to the post, went on to steal personal information – including names, phone numbers, email and delivery addresses – from customers and delivery people.

In the course of its campaign, the attacker compromised 5,441 MFA codes, Group-IB reported.

“Security measures such as MFA can appear secure… but it is clear that attackers can overcome them with relatively simple tools,” researchers wrote.

“This is yet another phishing attack showing how easy it is for adversaries to bypass supposedly secure multifactor authentication,” Roger Grimes, data-driven defense evangelist at KnowBe4, wrote in a statement via email. “It simply does no good to move users from easily phish-able passwords to easily phish-able MFA. It’s a lot of hard work, resources, time, and money, not to get any benefit.”

To mitigate 0ktapus-style campaigns, the researchers recommended good hygiene around URLs and passwords, and using FIDO2-compliant security keys for MFA.

“Whatever MFA someone uses,” Grimes advised, “the user should be taught about the common types of attacks that are committed against their form of MFA, how to recognize those attacks, and how to respond. We do the same when we tell users to pick passwords but don’t when we tell them to use supposedly more secure MFA.”