At a glance.
- Oktapus criminal campaign compromises 9931 accounts in more than 130 organizations.
- Exotic Lily and Bumblebee Loader.
- Insights from DNS traffic.
- US Department of Homeland Security shutters its Disinformation Governance Board.
- Ukrainian and Russian cyber operations at six months.
Oktapus criminal campaign compromises 9931 accounts in more than 130 organizations.
Group-IB reports that phishing attacks against employees of Twilio and Cloudflare that impersonated Okta's Identity and Access Management services formed part of a campaign that compromised 9931 accounts in more than 130 organizations. Most of the victims were Okta users in the United States. "The initial objective of the attackers was clear: obtain Okta identity credentials and two-factor authentication (2FA) codes from users of the targeted organizations," Group-IB explained. "With this information in hand, the attackers could gain unauthorized access to any enterprise resources the victims have access to." The attacker showed a mixture of sophistication and inexperience: simple, commodity tools were used convincingly, but the phishing pages were static and the kit was ill-configured for mobile devices.
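The mechanism Group-IB describes, a lookalike page that collects a password and a 2FA code and forwards them to the real identity provider, works because a one-time code is not tied to the site the user typed it into. The simulation below is an added illustration, not code from Group-IB, Okta or the campaign: it models a phishing page at a lookalike origin relaying a password plus an RFC 6238 TOTP code (accepted), and the same relay against an origin-bound authenticator whose assertion covers the hostname the browser actually showed (rejected). The hostnames, the user, the secrets and the HMAC used as a stand-in for the authenticator's signature are all assumptions made for the example.

```python
"""Constructed simulation (added illustration, not Group-IB's or Okta's code):
relaying password + TOTP through a phishing page succeeds; relaying an
origin-bound assertion fails. Origins, user, secrets and the HMAC stand-in
for a WebAuthn signature are assumptions made for this example."""
import hashlib
import hmac
import secrets
import struct

LEGIT_ORIGIN = "https://login.example.com"   # assumed real sign-in origin
PHISH_ORIGIN = "https://login-example.com"   # assumed lookalike run by the phisher
FIXED_NOW = 1_700_000_000                     # fixed clock so the run is deterministic


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1. The code is just digits the user can type
    anywhere, so a phishing page can forward it within the 30 s window."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def sign_assertion(device_key: bytes, challenge: bytes, origin: str) -> bytes:
    """Stand-in for an authenticator signature (HMAC instead of ECDSA; assumption).
    What matters: the origin the browser is on is part of the signed data."""
    return hmac.new(device_key, challenge + origin.encode(), hashlib.sha256).digest()


class IdP:
    """Constructed identity provider offering both second factors."""

    def __init__(self, origin):
        self.origin = origin
        self.users = {}     # username -> {"pw", "totp", "dev"}
        self.pending = {}   # username -> outstanding challenge

    def enroll(self, user, password, totp_secret, device_key):
        self.users[user] = {"pw": password, "totp": totp_secret, "dev": device_key}

    def login_totp(self, user, password, code, now):
        u = self.users.get(user)
        return bool(u) and u["pw"] == password and hmac.compare_digest(code, totp(u["totp"], now))

    def challenge(self, user):
        self.pending[user] = secrets.token_bytes(32)
        return self.pending[user]

    def login_assertion(self, user, password, assertion):
        u = self.users.get(user)
        chal = self.pending.pop(user, None)
        if not u or chal is None or u["pw"] != password:
            return False
        # The IdP only ever verifies against ITS OWN origin, never one the client names.
        return hmac.compare_digest(assertion, sign_assertion(u["dev"], chal, self.origin))


class Victim:
    """User who types whatever the page in front of them asks for."""

    def __init__(self, user, password, totp_secret, device_key):
        self.user, self.password = user, password
        self.totp_secret, self.device_key = totp_secret, device_key

    def type_code(self, now):
        return totp(self.totp_secret, now)

    def touch_key(self, challenge, origin_in_address_bar):
        # A real authenticator takes the origin from the browser, not from the page.
        return sign_assertion(self.device_key, challenge, origin_in_address_bar)


def _setup():
    idp = IdP(LEGIT_ORIGIN)
    victim = Victim("alice", "hunter2", secrets.token_bytes(20), secrets.token_bytes(32))
    idp.enroll(victim.user, victim.password, victim.totp_secret, victim.device_key)
    return idp, victim


def relay_totp_login(now=FIXED_NOW):
    """Phisher at PHISH_ORIGIN forwards username, password and 2FA code: accepted."""
    idp, victim = _setup()
    stolen_code = victim.type_code(now)                 # typed into the lookalike page
    return idp.login_totp(victim.user, victim.password, stolen_code, now)


def relay_assertion_login():
    """Same phisher, but the victim uses an origin-bound authenticator: rejected."""
    idp, victim = _setup()
    chal = idp.challenge(victim.user)                   # phisher fetches a real challenge
    assertion = victim.touch_key(chal, PHISH_ORIGIN)    # browser is on the lookalike
    return idp.login_assertion(victim.user, victim.password, assertion)


def direct_assertion_login():
    """Control: the same authenticator used on the real origin is accepted."""
    idp, victim = _setup()
    chal = idp.challenge(victim.user)
    return idp.login_assertion(victim.user, victim.password, victim.touch_key(chal, LEGIT_ORIGIN))


if __name__ == "__main__":
    print("password+TOTP relayed via phish page accepted:", relay_totp_login())
    print("origin-bound assertion relayed via phish page accepted:", relay_assertion_login())
    print("origin-bound assertion on real origin accepted:", direct_assertion_login())
```

The TOTP path succeeds even though the IdP does everything right, because nothing in a six-digit code says where it was typed; the relay only has to be faster than the 30-second step. The assertion path fails at the IdP without any user vigilance, which is why the practical defence against this class of kit is a phishing-resistant factor rather than better-looking pages or user training alone.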
The campaign appears to have been designed for supply chain attacks, with three notable successes:
- "Marketing firm Klaviyo was breached and personal information connected to cryptocurrency-related accounts, reportedly including names, addresses, emails, and phone numbers, was stolen. This information could be used in order to steal cryptocurrency."
- "Email platform Mailchimp was breached to gain access to data from crypto-related companies and disrupt operations. Mailchimp was used by technology firm DigitalOcean to send confirmation emails, password resets, and email-based alerts. By initiating and redirecting password resets, the customers of DigitalOcean could have been compromised."
- "Phone number verification provider Twilio was breached, which allowed the attacker to attempt to re-register Signal accounts to new mobile devices."
The researchers developed some information on the threat actor behind what appears to be a criminally motivated operation. "Subject X," as Group-IB calls him, is thought to be a 22-year-old software developer working from the US state of North Carolina. Group-IB has shared what it knows with law enforcement.