0ktapus Phishing Kit

Cybercriminals have managed to breach over 130 organizations as part of a string of cyberattacks. The criminal operations begin with a widespread and well-crafted phishing campaign that uses a phishing kit named '0ktapus.' According to a report by security researchers, the threat actors collected nearly 10,000 login credentials in just a couple of months. The operation is believed to have been active since at least March 2022. The goal of the 0ktapus campaign appears to have been the theft of Okta identity credentials and 2FA (two-factor authentication) codes. With the obtained confidential data, the cybercriminals aimed to carry out subsequent operations, such as supply chain attacks.

According to the report, the 0ktapus phishing kit was used against companies from multiple industry sectors, including finance, crypto, technology, recruiting, telecommunications and many more. Some of the targeted companies are AT&T, T-Mobile, Verizon Wireless, Slack, Binance, Coinbase, Twitter, Microsoft, Riot Games, Epic Games, HubSpot, Best Buy and others.

The attacks begin with lure SMS messages containing a link to a phishing page. The website closely resembles the legitimate Okta login page and prompts users to provide their account credentials and 2FA codes. Okta is an IDaaS (Identity-as-a-Service) platform, which essentially means that employees can use a single login account and set of credentials to access all of the software assets they need within their company. The entered credentials and 2FA codes were scraped by the fake site and transmitted to a Telegram account controlled by the hackers.

Naturally, compromising the Okta credentials of the targeted employees would allow the attackers to perform a vast range of nefarious actions within the breached organizations. And they did: the threat actors gained access to corporate VPNs, networks, internal customer support systems and more. The collected customer data was then exploited by the cybercriminals to carry out supply-chain attacks targeting the clients of Signal and DigitalOcean.

The 0ktapus phishing campaign has also led to data breaches at major organizations, such as Twilio, Klaviyo and Mailchimp, and to an attempted attack against Cloudflare. So far, researchers have identified 169 unique phishing domains that the threat actors created as part of the 0ktapus operation. The fabricated pages were designed to match the theming of each targeted company and, at first glance, would appear to be the legitimate portals used by the victims daily. As part of the attack, the threat actors managed to collect 9,931 credentials from the employees of 136 companies, 3,129 records with emails and a total of 5,441 records containing MFA codes.
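Because each 0ktapus page sat on a company-themed domain that imitated an Okta login portal, one practical defensive check is to scan SMS-gateway or web-proxy logs for Okta-style lookalike hosts that are not real Okta tenants. The following is an added example, not code from the original report: the log format, the `examplecorp` company token and the `.example` hosts are constructed, and the list of legitimate Okta suffixes is an assumption that a real deployment would extend with its own SSO hosts.

```python
import re
from urllib.parse import urlsplit

# Suffixes under which a genuine Okta tenant login page lives (assumption for
# this example; a real deployment would also allow-list its own SSO hosts).
LEGIT_OKTA_SUFFIXES = ("okta.com", "okta-emea.com", "oktapreview.com")

# Tokens that 0ktapus-style pages combine with the target company's name.
SSO_TOKENS = {"okta", "sso", "mfa"}

# Constructed SMS-gateway log lines (not from the original page).
SAMPLE_LOG = [
    "2022-07-01T10:00:00Z to=+15550100 url=https://examplecorp.okta.com/login",
    "2022-07-01T10:02:00Z to=+15550101 url=https://examplecorp-sso.example/okta",
    "2022-07-01T10:03:00Z to=+15550102 url=https://login.examplecorp-okta.example/",
    "2022-07-01T10:04:00Z to=+15550103 url=https://examplecorp.0kta.example/mfa",
    "2022-07-01T10:05:00Z to=+15550104 url=https://news.unrelated.example/article",
]


def is_legit_okta(host):
    """True only when the host is exactly an Okta suffix or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in LEGIT_OKTA_SUFFIXES)


def looks_like_okta_lookalike(url, company_tokens):
    """Flag hosts that name the company and mimic Okta/SSO but are not real Okta."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host or is_legit_okta(host):
        return False
    # Treat the digit-for-letter substitution the kit's own name uses ("0kta")
    # as the letter before matching.
    normalized = host.replace("0", "o")
    labels = set(re.split(r"[.-]", normalized))
    mimics_sso = "okta" in normalized or bool(labels & SSO_TOKENS)
    names_company = any(tok in normalized for tok in company_tokens)
    return mimics_sso and names_company


def flag_lookalike_urls(log_lines, company_tokens):
    """Return the URLs in the log lines that look like Okta lookalike pages."""
    flagged = []
    for line in log_lines:
        m = re.search(r"url=(\S+)", line)
        if m and looks_like_okta_lookalike(m.group(1), company_tokens):
            flagged.append(m.group(1))
    return flagged


if __name__ == "__main__":
    for url in flag_lookalike_urls(SAMPLE_LOG, ("examplecorp",)):
        print("possible 0ktapus-style lookalike:", url)
```

The heuristic deliberately keeps the genuine tenant host `examplecorp.okta.com` unflagged while catching a real Okta name embedded in a longer foreign host, such as `examplecorp.okta.com.evil.example`.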
