UPDATED 21:00 EDT / AUGUST 25 2022


Twilio and Cloudflare hackers have now breached 130 organizations

The same hacking group that successfully breached Twilio Inc. and attempted to breach Cloudflare Inc. earlier this month is now believed to have breached more than 130 organizations in the same phishing campaign.

As detailed today by researchers at Group-IB Global Pvt. Ltd., the phishing campaign, codenamed “0ktapus” after its impersonation of identity and access management service Okta Inc., has resulted in an estimated 9,931 breached accounts in organizations primarily in the U.S. that use Okta’s IAM services. Okta itself had previously been targeted by the Lapsus$ hacking group in March.

Those behind 0ktapus then used the data stolen from Okta in March to carry out subsequent supply chain attacks. Along with Twilio and Cloudflare, other companies believed to have been targeted by the 0ktapus campaign include Mailchimp and DigitalOcean Holdings Inc. The hack of Twilio also exposed data from the encrypted messaging app Signal.

Bleeping Computer reported that other victims may include T-Mobile US Inc., MetroPCS, Verizon Wireless Inc., AT&T Inc., Slack Inc., Twitter Inc., Binance Holdings Ltd., KuCoin, Coinbase Inc., Microsoft Corp., Epic Games Inc., Riot Games Inc., Evernote Corp., HubSpot Inc., TTEC Holding Inc. and Best Buy Co. Inc.

According to Group-IB, the attacker’s initial objective was to obtain Okta identity credentials and two-factor authentication codes from users of the targeted organizations. With this information, the attackers could gain unauthorized access to any enterprise resources the victims had access to.

“This case is of interest because despite using low-skill methods it was able to compromise a large number of well-known organizations,” wrote Rustam Mirkasymov, head of cyber threat research at Group-IB (Europe). “Furthermore, once the attackers compromised an organization they were quickly able to pivot and launch subsequent supply chain attacks, indicating that the attack was planned carefully in advance.”

In an interesting twist, the Group-IB researchers were able to link at least one member of the group behind 0ktapus to a Twitter and GitHub account that suggests that the individual may be based in North Carolina.

The motivation behind the attacks remains unclear, with the researchers saying that espionage or financial gain are the two main possibilities.

“The Twilio and [attempted] Cloudflare breaches demonstrate the rise in phishing attacks to successfully harvest credentials at the start of the attack chain to perpetrate a breach,” Patrick Harr, chief executive officer of anti-phishing company SlashNext Inc., told SiliconANGLE. “These attacks were well planned and executed.”

Roger Grimes, data-driven defense evangelist at security awareness training company KnowBe4 Inc., commented that this is yet another phishing attack showing how easy it is for adversaries to bypass supposedly secure multifactor authentication. “Many cybersecurity leaders and organizations are touting the fake fact that MFA stops 99% of all hacking attacks,” he said. “It doesn’t. It never will.”

Lior Yaari, CEO of cybersecurity startup Grip Security Ltd., also noted that the attack demonstrates how fragile identity and access management is. “The industry should think about removing the burden of logins and passwords from employees who are susceptible to social engineering and sophisticated phishing attacks,” Yaari said. “The best proactive remediation effort companies can make is to have users reset all their passwords, especially Okta, because the extent and cause of the breach are still unknown.”

Photo: Morten Brekkevold/Flickr
