Dive Brief:
- The threat actors behind the Twilio and Cloudflare breaches launched phishing attacks targeting 169 unique domains in a campaign researchers dubbed Oktapus, Singapore-based cybersecurity provider Group-IB said Thursday.
- Attackers used text message phishing to steal Okta identity credentials and two-factor authentication codes, the researchers said. If successful, attackers could leverage the credential data to access the target's enterprise environment. Okta did not respond to requests for comment.
- Since the Oktapus attacks began in March, threat actors have compromised almost 10,000 user credentials across 136 organizations, Group-IB said. The vast majority of the victims were U.S.-based and provided IT, software development or cloud services.
Dive Insight:
Once the threat actors gained access, they quickly launched additional supply chain attacks, a case seen when secure messaging platform Signal was caught in Twilio's compromise. Signal was one of Twilio's 125 breached customers and the fallout spread to 1,900 Signal users.
In many cases, the attackers used users' customer-facing systems or mailing lists to launch supply chain attacks, Group-IB said.
Mailchimp was also ensnared in the phishing scheme, causing a breach at DigitalOcean.
The phishing site spoofed a standard authentication page, prompting a target to enter their username and password. A subsequent page requested the 2FA code, and once it was in hand, a copy of the remote administration tool AnyDesk was downloaded, Group-IB said.
For a successful attack, the threat actors had to constantly monitor their tools and move quickly to use the stolen credentials, researchers said. Because the phishing page was static, threat actors could not interact with the victims in real time and had to gain access before the 2FA codes expired.
While damaging, the phishing attack could have been worse, according to researchers. Researchers do not know the motivations behind the attack, or why threat actors pushed AnyDesk.exe to the victims' assets, but they said the "attacker didn’t configure the phishing kit properly in order to target mobile devices. That may indicate that the attacker is inexperienced."
If, in theory, the attackers had sent phishing emails instead, victims would have downloaded the remote administration tool to their computers, Roberto Martinez, senior threat intelligence analyst at Group-IB Europe, said via email. Through social engineering, the attackers could then have tricked victims into running the tool and gained control of their computers.
But after gaining enough media attention, the campaign stopped, Martinez said. "We don’t know the real extent of the attacks and how many organizations actually got compromised. We only know of those that publicly reported it," he said. "Maybe if companies that may have got breached earlier in the campaign disclosed it, the campaign could have been shorter than it was."