In 2022, a large-scale phishing campaign compromised IT resources at over 130 organizations, many of them high-profile companies. Code-named 0ktapus, the threat group behind the attack relied on relatively primitive techniques combined with careful planning. This article analyzes how the 0ktapus operators worked and reviews some critical lessons about the commonplace security measures that modern businesses deploy to protect their information systems and data.
0ktapus Phishing Campaign Analysis
News of the 0ktapus campaign first emerged in August 2022 when several publications reported on a special investigation conducted by Group-IB into a recent large-scale phishing attack. The attack in question preyed on the widespread use of Okta as an identity and access management solution. Okta is marketed as an enterprise identity management solution that secures logins for both cloud and on-premise applications.
Given this widespread use, a great many employees are accustomed to authenticating through Okta to reach the apps and services they need for their daily work. That familiarity made it relatively trivial for the threat actors to craft convincing phishing pages and URLs that mimicked legitimate Okta sign-in pages.
In finding suitable targets, it’s likely that basic Internet research revealed some high-profile companies using Okta for identity and access management. Okta’s own website namedrops several of their high-profile customers. Having found a suitable range of target companies, deeper research, some of which was probably conducted on LinkedIn, unearthed lists of employees working with these companies and their phone numbers. It remains unclear exactly how the threat actors found legitimate phone numbers belonging to thousands of employees.
Armed with employee names and phone numbers, the next step was a mass phishing campaign that combined text messages (smishing) with phishing websites hosted on domains made to resemble the targets' legitimate login domains. The pretext was that the texts came from the employee's own IT department: the messages claimed that the recipient's password was about to expire or that their work schedule had changed, and that they needed to log in at the URL contained in the message.
Employees who visited the seemingly legitimate URLs first entered their valid usernames and passwords into pages controlled by the threat actors. The threat actors then used those credentials to attempt logins to the relevant app or service. Where a username and password were the only protection on the login, access to the target's account was obtained at this stage.
For many target accounts, the threat actors were instead prompted for a one-time code after entering the correct username and password, since most organizations targeted in this campaign required a code sent to the user's phone to secure access to apps and services. After victims "logged in" with their usual credentials, the phishing sites presented a second page asking for that one-time code, just as the legitimate app would.
Because these one-time codes are valid only for a short window, the threat actors had to watch their phishing sites for captured credentials and use each code promptly to complete the login to the legitimate app or service. Unlike a reused password, a relayed code cannot be saved for later, so the operation had to be built for speed; the coordination required points to a sizable, well-organized group behind the 0ktapus campaign.
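The smishing lure worked because the phishing hostnames resembled the targets' real login hostnames. The following is an added example (not code from this article, from Group-IB or from Okta) of a small classifier that, run over URLs pulled from reported text messages or from proxy and DNS logs, flags hostnames that pair a brand name with a login-pretext keyword, or that typosquat the brand. The allowlist, brand tokens, keyword list and sample URLs are all constructed for illustration.

```python
# Added example; not from the original article, Group-IB or Okta.
# Allowlist, brand tokens, keyword list and sample URLs are constructed for illustration.
import re
from urllib.parse import urlsplit

ALLOWED_LOGIN_HOSTS = {"example.okta.com", "sso.example.com"}   # where a login page is legitimate
TRUSTED_BASE_DOMAINS = {"example.com", "okta.com"}             # anything under these is the org's or Okta's
BRAND_TOKENS = ("example", "okta")                              # names an impersonator wants in the hostname
PRETEXT_TOKENS = ("sso", "okta", "vpn", "mfa", "login", "help", "helpdesk", "it")  # assumed lure keywords


def levenshtein(a, b):
    """Edit distance, used to catch one- or two-character typosquats of a brand token."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def hostname_of(url):
    """Lower-cased host of a URL; bare hostnames (as pasted from a text message) are accepted too."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname
    return host.rstrip(".") if host else None


def classify(url):
    host = hostname_of(url)
    if not host or "." not in host:
        return "invalid"
    if host in ALLOWED_LOGIN_HOSTS:
        return "allowed"
    if any(host == b or host.endswith("." + b) for b in TRUSTED_BASE_DOMAINS):
        return "trusted-domain"
    tokens = [t for t in re.split(r"[-_.]", host) if t]
    has_brand = any(b in host for b in BRAND_TOKENS)
    has_pretext = (any(t in PRETEXT_TOKENS for t in tokens)
                   or any(p in host for p in PRETEXT_TOKENS if len(p) >= 4))
    if has_brand and has_pretext:
        return "lookalike"          # e.g. example-sso.com, okta.example-sso.com
    # Registrable label, naively taken as the label before the TLD (assumes a single-label
    # public suffix such as .com); use the Public Suffix List in production.
    for t in re.split(r"[-_]", host.split(".")[-2]):
        for b in BRAND_TOKENS:
            if t != b and levenshtein(t, b) <= (1 if len(b) <= 5 else 2):
                return "typosquat"  # e.g. examp1e-sso.com
    return "unknown"


# Constructed URLs of the kind that would be extracted from reported smishing texts.
SAMPLE_URLS = [
    "https://example.okta.com/login/login.htm",
    "https://intranet.example.com/schedule",
    "http://example-sso.com/",
    "http://okta.example-sso.com/",
    "http://examp1e-sso.com/",
    "https://news.ycombinator.com/",
]


def scan(urls):
    """Map each URL to its verdict; anything 'lookalike' or 'typosquat' is worth a takedown request."""
    return {u: classify(u) for u in urls}
```

The classifier is deliberately conservative: it never flags a hostname under the organisation's own domain or Okta's, it requires both a brand token and a pretext keyword before calling something a lookalike, and it keeps the edit-distance threshold small so that unrelated short words do not collide with a short brand name.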
0ktapus Victims and Targets
The majority of organizations impacted by 0ktapus were US-based, although there were also multiple victims in Canada, Sweden, and India. Here are some high-profile names targeted.
- Twilio: multiple employees at the cloud communications platform Twilio had their accounts compromised, and the threat actors gained access to customer-facing systems. Around 125 customers had their data accessed through those compromised systems.
- Mailchimp: the 0ktapus campaign hit the email marketing platform Mailchimp when threat actors accessed customer-facing tools by targeting Mailchimp employee accounts. One of those tools was used for customer account administration (e.g., handling password resets). In an example of this campaign turning into a supply chain attack, the Mailchimp account of the US cloud infrastructure company DigitalOcean was breached, and several DigitalOcean customers had their accounts compromised through password reset requests sent via that account. DigitalOcean migrated its email services away from Mailchimp the day after the attack.
- Cloudflare: the content delivery network and DDoS mitigation provider Cloudflare was also targeted by the 0ktapus campaign. Although some employees did enter their credentials into the phishing pages, Cloudflare's controls thwarted the attack. Employees authenticate to internal systems with FIDO2-compliant physical security keys, whose signatures are bound to the legitimate origin and therefore cannot be relayed from a lookalike site, and access is brokered by Cloudflare's own SASE platform, which grants access to resources dynamically on zero trust principles.
Is Multifactor Authentication No Longer Secure?
Many cybersecurity best practice recommendations discuss the importance of multifactor authentication to protect user logins to corporate resources from being hacked and the associated accounts from being compromised. The advice to switch on MFA for logins to business apps and services is prudent for the following three reasons:
- The habitual reuse of weak user passwords across multiple accounts.
- The fact that there are over 24 billion stolen user credentials available on the dark web.
- The hybrid nature of modern workforces with employees, temporary contractors, and business partners connecting to business apps and services remotely and on-premises.
However, since the 0ktapus campaign not only defeated MFA but built the MFA prompt into its own phishing flow, it is natural to question whether MFA remains effective as a security measure. The devil, though, is in the details.
It’s not the case that multifactor authentication is no longer secure. But there are various ways to implement MFA, some of which aren’t adequate for protecting user accounts from compromise.
Several companies hacked during the 0ktapus campaign used two-factor authentication, a type of multifactor authentication that requires users to provide two types of information to verify who they are when logging in to a system. The implementation used by these victims required a username-password pair along with a one-time security code sent to the user's smartphone.
Herein lies the crux of the issue: any code that a user types into a web page can be captured by that page and replayed by whoever controls it, so one-time codes delivered to a smartphone (or generated by an authenticator app) do not resist real-time phishing, and SMS delivery adds SIM-swap and interception risks on top. The size of several companies breached during this campaign suggests they have dedicated IT security departments and a reasonable cybersecurity budget. So, why was this weaker MFA implementation allowed to happen?
The answer probably lies in the delicate balance between user experience and security. Most large businesses are well aware of the need to secure user accounts against compromise with 2FA/MFA, but they also don't want to annoy users and hurt productivity with burdensome login requirements. So they require MFA, but in the form that is easiest and most convenient: typing a code sent to the user's smartphone.
Mitigation Tips for 0ktapus Threats
- Opt for a phishing-resistant implementation of MFA rather than one-time codes. What matters is not which category of factor is used (something you know, have, or are) but whether the authentication is cryptographically bound to the legitimate site, so that a lookalike page cannot relay it. Biometrics such as a fingerprint help in this model as the local user-verification gesture that unlocks a FIDO2 authenticator built into a laptop or phone, not as a secret transmitted to the server; a biometric result sent as data could be relayed just like a code.
- Whether or not biometrics are in use, tie at least one login factor to something in the user's possession that does not depend on the user typing a code. The standard example is a FIDO2 security key: the private key is generated on the device and never leaves it, and each login is a signature over a server challenge together with the origin the browser actually visited, so a signature obtained through a lookalike domain is rejected by the real service.
- Don’t forget about the concept of defense-in-depth. Defensive mechanisms for protecting user accounts and the IT resources they can access should be layered so that the failure of one measure (e.g., MFA) doesn’t automatically result in a breach.
- Deploy security tooling that analyzes email content for malicious attachments and URLs, and browser-based protection that flags suspicious URLs pointing to fake login pages. Note that a smishing text never passes through the mail gateway, so for this campaign URL filtering at the DNS or web proxy layer would have mattered more than email scanning.
- Ensure that any cybersecurity training and awareness programs educate users about social engineering tactics and that this learning is continually reinforced so that users get better at pausing to consider the validity of emails, attachments, and URLs before trusting them.
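To make concrete both the code relay described in the attack walkthrough above and the origin binding behind the FIDO2 recommendation, here is an added example (not the article's code, nor Okta's or any vendor's) that models the two second factors side by side: a TOTP code relayed by the phishing site within its validity window yields a session, while a WebAuthn-style assertion requested from a lookalike origin yields nothing the attacker can replay. It is stdlib-only, so an HMAC keyed with a per-credential secret stands in for the authenticator's ECDSA signature; the hostnames, user, password and secrets are constructed.

```python
# Added example, stdlib only: an HMAC keyed with a per-credential secret stands in for the
# authenticator's ECDSA signature (real FIDO2 hands the service only the public key).
import hashlib, hmac, json, secrets, struct

LEGIT_ORIGIN, LEGIT_RP_ID = "https://sso.example.com", "sso.example.com"   # constructed
PHISH_ORIGIN, PHISH_RP_ID = "https://example-sso.com", "example-sso.com"   # constructed lookalike
TIME_STEP = 30                                                             # TOTP step, seconds

def sha256(b):
    return hashlib.sha256(b).digest()

def hotp(seed, counter, digits=6):
    """RFC 4226 HOTP; TOTP (RFC 6238) feeds it the current 30 s step as the counter."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % 10 ** digits:0{digits}d}"

# ---- the legitimate service (relying party) ----------------------------------------
def new_rp(origin, rp_id):
    return {"origin": origin, "rp_id": rp_id, "users": {}, "challenges": set()}

def rp_login_totp(rp, user, password, code, now):
    """Second factor A: a typed code, accepted for the current step and one either side."""
    pw, seed, _ = rp["users"].get(user, (None, None, None))
    if pw != password:
        return None
    ok = any(hmac.compare_digest(code, hotp(seed, now // TIME_STEP + d)) for d in (-1, 0, 1))
    return secrets.token_hex(16) if ok else None           # session token on success

def rp_begin_webauthn(rp):
    challenge = secrets.token_urlsafe(32)
    rp["challenges"].add(challenge)
    return challenge

def rp_finish_webauthn(rp, user, password, assertion):
    """Second factor B: an assertion whose clientData carries the origin the browser really visited."""
    pw, _, key = rp["users"].get(user, (None, None, None))
    if pw != password or assertion is None:
        return None
    cd = json.loads(assertion["client_data_json"])
    if cd.get("type") != "webauthn.get" or cd.get("origin") != rp["origin"]:
        return None                                         # signed for another origin: reject
    if cd.get("challenge") not in rp["challenges"]:
        return None
    rp["challenges"].discard(cd["challenge"])               # challenges are single use
    if assertion["rp_id_hash"] != sha256(rp["rp_id"].encode()):
        return None
    expected = hmac.new(key, assertion["rp_id_hash"] + sha256(assertion["client_data_json"].encode()),
                        hashlib.sha256).digest()            # stand-in for ECDSA verification
    return secrets.token_hex(16) if hmac.compare_digest(assertion["signature"], expected) else None

# ---- the user's browser and FIDO2 authenticator -------------------------------------
def authenticator_sign(credentials, rp_id, client_data_hash):
    """Credentials are scoped to an rpId; with no matching credential there is nothing to sign."""
    key = credentials.get(rp_id)
    if key is None:
        return None
    rp_id_hash = sha256(rp_id.encode())
    return rp_id_hash, hmac.new(key, rp_id_hash + client_data_hash, hashlib.sha256).digest()

def browser_get_assertion(credentials, page_origin, rp_id, challenge):
    """The WebAuthn client checks rpId against the page origin and writes that origin itself."""
    host = page_origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError("rpId is not a registrable suffix of the page origin")
    cdj = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": page_origin})
    signed = authenticator_sign(credentials, rp_id, sha256(cdj.encode()))
    return None if signed is None else {"client_data_json": cdj, "rp_id_hash": signed[0], "signature": signed[1]}

def setup():
    rp, seed, cred_key = new_rp(LEGIT_ORIGIN, LEGIT_RP_ID), secrets.token_bytes(20), secrets.token_bytes(32)
    rp["users"]["alice"] = ("correct horse", seed, cred_key)   # constructed user
    return rp, seed, {LEGIT_RP_ID: cred_key}                    # the authenticator holds one credential

def relay_totp_phish(now=1_660_000_000, delay=12):
    """Victim types user, password and live code into the kit; attacker replays them `delay` s later."""
    rp, seed, _ = setup()
    code = hotp(seed, now // TIME_STEP)                         # what the victim's phone showed
    return rp_login_totp(rp, "alice", "correct horse", code, now + delay)

def relay_webauthn_phish():
    """Same kit, but the victim's second factor is a FIDO2 credential: nothing usable reaches the attacker."""
    rp, _, creds = setup()
    challenge = rp_begin_webauthn(rp)                            # attacker starts a real login
    try:
        browser_get_assertion(creds, PHISH_ORIGIN, LEGIT_RP_ID, challenge)   # browser refuses foreign rpId
    except PermissionError:
        pass
    assertion = browser_get_assertion(creds, PHISH_ORIGIN, PHISH_RP_ID, challenge)  # no credential -> None
    return rp_finish_webauthn(rp, "alice", "correct horse", assertion)

def legitimate_webauthn_login():
    rp, _, creds = setup()
    assertion = browser_get_assertion(creds, LEGIT_ORIGIN, LEGIT_RP_ID, rp_begin_webauthn(rp))
    return rp_finish_webauthn(rp, "alice", "correct horse", assertion)
```

Running `relay_totp_phish()` returns a session token as long as the replay lands inside the TOTP window, which is exactly the window the 0ktapus operators raced against; `relay_webauthn_phish()` returns None at two separate checkpoints (the browser refuses an rpId that does not match the phishing host, and the authenticator has no credential for the phishing host), while `legitimate_webauthn_login()` succeeds. The `origin` field the service checks is written by the browser, not by the page, which is what a phishing kit cannot forge.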