Security and privacy researchers revealed that a hacker has managed to steal around 10,000 login credentials from the employees of 130 organizations.
The sophisticated attack used simple phishing kits that exposed the employees' credentials.
Hacker Target 130 Organizations
On Thursday, Aug. 25, The Verge reported that the hacker responsible for several cyberattacks, including Twilio, MailChimp, and Klaviyo, had compromised over 130 organizations in the same phishing campaign.
The hacker, nicknamed 0ktapus, utilized a phishing kit to steal nearly 10,000 login credentials. The hacker then used the stolen data to gain access to corporate networks and systems through VPNs and other remote access devices.
According to a Group-IB report, the 0ktapus campaign has been underway since March 2022, aiming to steal identity credentials and 2FA codes and use them to carry out supply chain attacks on its targets.
The attacks were successful, leading to a series of reported data breaches at Klaviyo, Twilio, and MailChimp.
In addition, the breaches also led to supply-chain attacks on customers using these services, such as DigitalOcean and Signal.
Based on the phishing domains created in the phishing campaign, the hacker targeted companies in multiple industries, including technology, finance, cryptocurrency, and recruiting.
Targeted companies include MetroPCS, T-Mobile, Verizon Wireless, Slack, AT&T, Twitter, Binance, CoinBase, KuCoin, Microsoft, Riot Games, Epic Games, Evernote, HubSpot, AT&T, Best Buy, and TTEC.
Also Read: LinkedIn Job-Hunting? Beware of Phishing Scams as It Surges to 232% Since Feb. 1 | How to Avoid
How the Attack Began
According to Gizmodo, the attack begins with an SMS message and a link to a phishing page impersonating an Okta login page where victims are asked to enter their credentials and the 2FA codes.
Okta is an identity-as-a-service or IDaaS platform enabling users to use just one login to access all software assets in their respective companies.
Security researchers discovered a total of 169 unique phishing domains supporting the 0ktapus campaign, using the keywords "OKTA," "VPN," "HELP," and "SSO."
These sites feature the specific theming of the target companies, so they appear like genuine portals that employees are used to seeing in their daily login procedure.
When employees enter their credentials and 2FA codes, the sites forward them to a private Telegram channel where the hacker can retrieve them.
The hacker used login credentials to access corporate VPNs, networks, and support systems to steal data. The hacker will then use the stolen data to perform supply-chain attacks.
Based on the disclosures of the past victims of the phishing scam, the hacker targeted data belonging to companies in the cryptocurrency industry.
Group-IB says that the hacker managed to steal around 10,000 user credentials from a total of 130 companies, 3,129 records with emails, and 5,441 records with MFA codes, with the majority of the compromised companies located in the US.
Out of all the hacked organizations, half belong to the telecom and software sector, while finance, education, business services, and retail also had significant shares.
Identity of the Hacker
Group-IB's investigators found the admin account of the Telegram channel used for account data exfiltration.
The threat intelligence firm tracked the user's activity and found that in 2018, the user named "X" posted something pointing to their personal Twitter account.
From there, the analysts found a GitHub account linked to the hacker, who used the name "Subject X." Group-IB says that the GitHub account linked to the Twitter account had a location in North Carolina, United States.
Group-IB claims to have more information about the hacker's identity but would forward it to law enforcement instead.
Related Article: New Gmail Phishing Scam Making Rounds: Don't Fall For This Attachment
This article is owned by Tech Times
Written by Sophie Webster
