Hackers Stole Okta Login Credentials
Just recently, over 100 firms were targeted by a phishing campaign, dubbed ‘Oktapus’ and designed by the very same hackers behind a string of attacks on communication-oriented companies, including Klayvio and Twilio among the targets.
Approximately 9,931 login credentials were stolen through this campaign, which the hackers proceeded to use to log into business networks via remote access tools, VPN services being just one of the tools at their disposal.
However, this campaign has been long in the making, being active since at least March 2022, based on the findings of a Group-IB investigation. The hackers hacking assaults, aimed to obtain Okta identity credentials and 2FA tokens, were extremely successful. These credentials were used to conduct further supply chain attacks and have since resulted in a number of data breaches against entities like Mailchimp. The most successful attacks were against Twilio, and one failed attempt targeted the Cloudflare network.
Fake Okta Login Page
Not only that, but customers who used services like DigitalOcean and Signal, ended up becoming the targets of supply-chain assaults as a result of these breaches. What analysts have noticed, is that the hackers specifically targeted multi-aspect businesses, many of their areas of operation including cryptocurrency, technology, and the financial industry, based on the phishing domains built for the Oktapus campaigns.
However, the actual attack isn’t half as complicated as it seems, as it all starts with a simple SMS message that contains a link to a phishing page. This page looks identical to the Okta login page and asks the victims to submit their account information and 2FA codes. With the help of Okta, an identity service (IDaaS) platform, employees can access all of their company’s software with one login.
Hackers purportedly took advantage of this, attacking huge companies that rely on Okta, from MetroPCS, AT&T, Twitter, Binance, Epic Games, Evernote, and Best Buy, among many others.