This post was updated at 12:30 ET on Aug. 26 to include information on DoorDash being compromised.
The hackers who social-engineered Twilio and Cloudflare employees earlier in August (and breached the former) also infiltrated more than 130 other organizations in the same campaign, vacuuming up nearly 10,000 sets of Okta and two-factor authentication (2FA) credentials.
From there, they launched supply-chain attacks on downstream customers, resulting in firms like Digital Ocean and DoorDash becoming secondary victims.
That's according to an investigation from Group-IB, which found that several well-known organizations were among those targeted in a massive phishing campaign that it calls 0ktapus. The lures were simple, such as fake notifications that users needed to reset their passwords. They were sent via texts with links to static phishing sites mirroring the Okta authentication page of each specific organization.
"Despite using low-skill methods, [the group] was able to compromise a large number of well-known organizations," researchers said in a blog post today. "Furthermore, once the attackers compromised an organization, they were quickly able to pivot and launch subsequent supply chain attacks, indicating that the attack was planned carefully in advance."
Such was the case with the Twilio breach that occurred Aug. 4. The attackers were able to social-engineer several employees into handing over their Okta credentials used for single sign-on across the organization, allowing them to gain access to internal systems, applications, and customer data. The breach affected about 25 downstream organizations that use Twilio's phone verification and other services — including Signal, which issued a statement confirming that about 1,900 users could have had their phone numbers hijacked in the incident.
The majority of the 130 companies targeted were SaaS and software companies in the US — unsurprising, given the supply chain nature of the attack.
For instance, additional victims in the campaign include email marketing firms Klaviyo and Mailchimp. In both cases, the crooks made off with names, addresses, emails, and phone numbers of their cryptocurrency-related customers, including for Mailchimp customer DigitalOcean (which subsequently dropped the provider).
On Friday, DoorDash announced that it was a supply-chain victim, noting in a blog post, that the attackers obtained credentials from employees of a third-party vendor, which were then used to access DoorDash’s internal tools and systems. The adversaries then stole names, email addresses, delivery addresses and phone numbers of DoorDash customers and drivers, and some payment-card information was stolen.
In Cloudflare's case, some employees fell for the ruse, but the attack was thwarted thanks to the physical security keys issued to every employee that are required to access all internal applications.
Lior Yaari, CEO and co-founder of Grip Security, notes that the extent and cause of the breach beyond Group IB's findings are still unknown, so additional victims could come to light.
"Identifying all the users of a SaaS app is not always easy for a security team, especially those where users use their own logins and passwords," he warns. "Shadow SaaS discovery is not a simple problem, but there are solutions out there that can discover and reset user passwords for shadow SaaS.”
Time to Rethink IAM?
On the whole, the success of the campaign illustrates the trouble with relying on humans to detect social engineering, and the gaps in existing identity and access management (IAM) approaches.
"The attack demonstrates how fragile IAM is today and why the industry should think about removing the burden of logins and passwords from employees who are susceptible to social engineering and sophisticated phishing attack," Yaari says. "The best proactive remediation effort companies can make is to have users reset all their passwords, especially Okta."
The incident also points out that enterprises increasingly rely on their employees' access to mobile endpoints to be productive in the modern distributed workforce, creating a rich, new phishing ground for attackers like the 0ktapus actors, according to Richard Melick, director of threat reporting at Zimperium.
"From phishing to network threats, malicious applications to compromised devices, it's critical for enterprises to acknowledge that the mobile attack surface is the largest unprotected vector to their data and access," he wrote in an emailed statement.