0ktapus Phishing Attack Targeted 130 Organizations (Twilio, Slack, Verizon)


A group known as “0ktapus” (also known as "Scatter Swine") targeted over 130 organizations in recent phishing attacks.  The list of targets included Twilio, Signal, Slack, T-Mobile, Verizon, Cloudflare, and many other well-known companies.

Cloudflare documented the mechanics of the attack on their blog earlier this month.  Though Cloudflare went into great detail on how the attacks took place, here is a summary of how the 0ktapus phishing attacks occurred:

  1. Attackers registered an official-looking domain to host the phishing site.  In Cloudflare’s case, it was cloudflare-okta.com.
  2. Attackers sent SMS messages to employees of the targeted organization, linking to the newly created domain.
  3. The page imitated the company's Okta login and asked users to sign in, capturing their credentials.
  4. In real time, the attackers used the captured credentials to log in to the genuine company login page.
  5. That login prompted for a 2FA code, so the phishing page in turn asked the user for the code their authenticator had just generated.
  6. The attackers entered the user's real code on the real system before it expired, defeating the 2FA step.
  7. Attackers gained access to internal systems.
(Image: 0ktapus phishing attack steps, by Ravie Lakshmanan via TheHackerNews.com, "Okta Hackers Behind Twilio and Cloudflare Attacks Hit Over 130 Organizations")
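The steps above work because a one-time code proves nothing about where it was typed. The toy model below is an added example written for this page, not code from Cloudflare, Okta or the attackers: a lookalike site relays a victim's password and TOTP code to a simulated identity provider, which accepts them, and then tries the same relay against an origin-bound authenticator, which fails. The origins, user names and secrets are made up, and the "hardware key" signs with HMAC rather than a real FIDO2 key pair; real WebAuthn signs a hash of clientDataJSON, which carries the origin the browser is actually on, and that is the property being illustrated.

```python
"""Why a relayed TOTP code works against the real IdP and an origin-bound
assertion does not. Added example; simplified, not production code."""
import hashlib, hmac, secrets, struct

REAL_ORIGIN = "https://login.example.com"   # assumed genuine IdP origin
PHISH_ORIGIN = "https://example-okta.com"   # assumed lookalike domain


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, dynamic truncation."""
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


class HardwareKey:
    """Stand-in for a FIDO2 authenticator. The browser, not the user, supplies
    the origin it is on, and the signature covers that origin (HMAC here is an
    assumption standing in for an asymmetric signature)."""

    def __init__(self) -> None:
        self.secret = secrets.token_bytes(32)

    def sign(self, challenge: bytes, browser_origin: str) -> tuple[str, bytes]:
        sig = hmac.new(self.secret, browser_origin.encode() + challenge, hashlib.sha256).digest()
        return browser_origin, sig


class IdentityProvider:
    def __init__(self, origin: str) -> None:
        self.origin = origin
        self.users: dict[str, dict] = {}
        self.pending: set[bytes] = set()   # challenges issued but not yet used

    def enroll(self, user: str, password: str, totp_secret: bytes, key: HardwareKey) -> None:
        self.users[user] = {"pw": password, "totp": totp_secret, "key": key.secret}

    def login_totp(self, user: str, password: str, code: str, now: int) -> bool:
        u = self.users.get(user)
        if u is None or not hmac.compare_digest(u["pw"], password):
            return False
        # The IdP cannot tell who typed the code or on which site:
        # any holder of the six digits inside the 30 s window is accepted.
        return hmac.compare_digest(totp(u["totp"], now), code)

    def challenge(self) -> bytes:
        c = secrets.token_bytes(32)
        self.pending.add(c)
        return c

    def login_webauthn(self, user: str, password: str, challenge: bytes,
                       client_origin: str, signature: bytes) -> bool:
        u = self.users.get(user)
        if u is None or not hmac.compare_digest(u["pw"], password):
            return False
        if challenge not in self.pending:      # unknown or replayed challenge
            return False
        self.pending.discard(challenge)
        if client_origin != self.origin:       # assertion was made on another site
            return False
        expected = hmac.new(u["key"], client_origin.encode() + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


class PhishingProxy:
    """Attacker's lookalike site: forwards whatever the victim submits."""

    def __init__(self, idp: IdentityProvider) -> None:
        self.idp = idp

    def relay_totp(self, user: str, password: str, code: str, now: int) -> bool:
        return self.idp.login_totp(user, password, code, now)

    def relay_webauthn(self, user: str, password: str, victim_key: HardwareKey,
                       forge_origin: bool = False) -> bool:
        challenge = self.idp.challenge()                   # fetched from the real site
        origin, sig = victim_key.sign(challenge, PHISH_ORIGIN)  # victim's browser is on the fake site
        if forge_origin:
            origin = REAL_ORIGIN                           # attacker edits clientData before forwarding
        return self.idp.login_webauthn(user, password, challenge, origin, sig)


def demo() -> dict[str, bool]:
    idp = IdentityProvider(REAL_ORIGIN)
    key = HardwareKey()
    totp_secret = b"12345678901234567890"   # RFC 6238 test secret (constructed data)
    idp.enroll("alice", "hunter2", totp_secret, key)
    proxy = PhishingProxy(idp)
    now = 59
    victim_code = totp(totp_secret, now)    # what the victim's authenticator app shows
    c = idp.challenge()
    origin, sig = key.sign(c, REAL_ORIGIN)  # an honest login on the genuine site
    return {
        "totp_relay": proxy.relay_totp("alice", "hunter2", victim_code, now),
        "totp_late": proxy.relay_totp("alice", "hunter2", victim_code, now + 60),
        "fido_relay": proxy.relay_webauthn("alice", "hunter2", key),
        "fido_forged_origin": proxy.relay_webauthn("alice", "hunter2", key, forge_origin=True),
        "fido_genuine": idp.login_webauthn("alice", "hunter2", c, origin, sig),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:20s} -> {'LOGIN OK' if ok else 'rejected'}")
```

Only the first and last rows succeed: the relayed TOTP is accepted as long as the attacker uses it inside its time step, while the hardware-key assertion is rejected whether the proxy forwards the honest origin (mismatch) or rewrites it (signature no longer verifies). Nothing the user can be tricked into typing changes that outcome, which is the property that protected Cloudflare.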

Many security experts describe this as one of the most sophisticated phishing campaigns seen in recent memory.  What makes it so advanced comes down to two things: how quickly it was executed and the large number of targeted organizations.  Let’s look at each in a little more detail.

First, how quickly the attacks took place.  According to Cloudflare, less than an hour passed between the registration of the phishing domain and employees receiving text messages.  This means the attacks were well planned, with the lookalike site built in advance and most likely deployed with automated tooling.  That short window also matters for defenders: controls that block newly registered or lookalike domains only help if they react in minutes, not days.  The attackers also had targeted intelligence in the form of employee phone numbers.  It is still unclear how this information was acquired, but it may have come from an earlier Twilio breach that exposed data about Twilio's customers.

Second, the large number of targeted organizations.  Many security experts agree that the motivation for the attacks was financial.  The attackers went after a large number of companies, most likely chosen from information exposed in the earlier Twilio breach.  This is the latest demonstration that organizations must track the security posture of their vendors and know when a vendor they rely on has been breached, because a vendor's exposed data (here, customer phone numbers) becomes the targeting list for the next attack.

How do you protect yourself?

This type of phishing attack is becoming more and more frequent, as we have seen with the recent Uber and GTA6 breaches.  So it is more important than ever to recognize that people are often the weakest link in security.  We are all human, and we make mistakes, which is why security is done in layers with multiple types of controls and processes, such as the following.

Use 2FA, the go-to control security experts recommend to reduce the risk of account compromise.  But as this campaign shows, SMS and one-time-code 2FA can be phished: a code the user types into a fake site can be relayed to the real one within its validity window.  User education and a quick reaction to suspicious reports from users are therefore critical to keeping the organization secure.  Cloudflare also had an additional layer of protection: its MFA required a physical FIDO2 hardware security key, whose authentication is cryptographically bound to the genuine site's origin, so an assertion produced on a lookalike domain cannot be replayed against the real one.  This is what protected them from this attack.

Implement least privilege, a principle that has been around for decades: users are granted only the minimum permissions they need to perform their job duties.  When a user account is compromised, the damage that can be done is then limited to what that account could reach.

Finally, ensure that sensitive data is not stored in places where it shouldn't be.  To help with this, consider checking out Soteri’s Scanning via REST API.  Soteri is a tool that can look for sensitive data via an external API, detecting credentials stored in locations where they should not be and notifying the security team when they are found.  This is an important part of any security program, since stray credentials are exactly what an attacker holding a phished account goes looking for next.