Tracking down the threat actor to someone in the USA, researchers have pointed at all the domains the hacker has used in his campaign and how they managed to breach them all. Overall, they noted about 9,931 login credentials being compromised and used for hijacking the companies.
With One Sophisticated Phishing Kit
Group-IB researchers have detailed the modus operandi of a threat actor who was behind the attacks of Twilio, Klaviyo, MailChimp, and an attempt against Cloudflare. While they didn’t name them as any, they pointed at a sophisticated phishing kit codenamed ‘0ktapus‘ in their campaign – which started in March this year. They aim specifically at stealing the Okta credentials and its 2FA codes for further attacks. For unaware, Okta is an identity-as-a-service (IDaaS) platform used mostly by employees for a simple login to access all the software assets of their company. They start by sending a carefully crafted SMS to their target, which contains the subject and an external link for their phishing website. These sites are crafted carefully to match perfectly with the original company’s sites and seem like an everyday experience for the targets. And when they enter their Okta credentials and the concerned 2FA codes, these are transmitted to a private Telegram channel – probably handled by the threat actors. Retrieving them, they use these details to access the target-turned-victim’s corporate account to steal more sensitive data. This way, they accessed the data from Twilio, Klaviyo, and MailChimp. And indirectly, they have also breached DigitalOcean and Signal too, for these being the customers of the above-compromised companies. Overall, the threat actor has stolen 9,931 user credentials from 136 companies, 3,129 records with emails, and 5,441 records with MFA codes in their campaign. The majority of the companies targeted were in the US, with some notables being T-Mobile, MetroPCS, Verizon Wireless, AT&T, Slack, Twitter, Binance, KuCoin, CoinBase, Microsoft, Epic Games, Riot Games, Evernote, AT&T, HubSpot, TTEC, and Best Buy. Tracking back through the Telegram account involved in this campaign, researchers spotted the location of this user – named “X” – in North Carolina, US. Though they have more information on the threat actor to share, they reserved it for law enforcement agencies to work on.