What is 0ktapus? The ongoing campaign targeting customers of IAM giant, Okta
Sep 6, 2022
0ktapus demonstrates the effectiveness of threat actors to compromise SaaS with global-scale attacks and persist within the SaaS attack surface—expanding conquest via Okta SWA credentials.
Josh Mayfield
VP Product Marketing
Bottom-line, upfront
On August 25, 2022, threat intelligence researchers from Group-IB attributed a recent SaaS attack campaign, codenamed 0ktapus. The 0ktapus campaign has been implicated in highly publicized SaaS breaches, such as those reported by Twilio and Cloudflare. Group-IB reported observations of several well-known organizations targeted in this massive phishing campaign, including Signal—the end-to-end encrypted messaging service.
The attackers have a clear objective: get Okta identity credentials and multifactor authentication (MFA) codes from targeted organizations, thereby giving threat actors entrée to the victim’s global SaaS attack surface. With Okta credentials and MFA codes in hand, an attacker has access to all the enterprise resources Okta is authorized to access—Salesforce, Workday, Microsoft 365, Google Workspace, AWS, NetSuite and thousands of others via stolen Okta Secure Web Access (SWA) credentials.
Worldwide, over 14,000 organizations utilize Okta for identity and access management (IAM). We can confidently say that these organizations (and their SaaS attack surfaces) are entangled in a global-scale attack—not based on industry, company size, tax status, geolocation, or other business-defining attributes. No, they are being targeted based on their technology and user profiles.
Why 0ktapus?
When asked why he robbed banks, Willie Sutton answered: Because that’s where the money is. In the race to gain malicious access, an identity provider is the biggest bank of them all.
According to Group-IB, 0ktapus targets organizations using Okta identity for services like single sign-on (SSO), multifactor authentication (MFA/2FA), cloud directory services, and customer identity management. So why would a threat campaign be so effective against Okta identity customers?
First, 0ktapus is an example of a global-scale attack, where a specific technology attribute in the organization’s profile is the basis of the campaign—just like the global-scale attacks against cloud infrastructure in 2021 compromising Microsoft Exchange and SolarWinds. Organizations are not being targeted for who they are, but for what tech they have.
Second, 0ktapus is an example of an opportunistic attack, where threat actors compromise a concentrated hub with access to previously unknown environments, creating opportunity for persistence and escalated access within the SaaS attack surface. This is like threat actors embedding a payload within a patch or software update, thereby spreading to new environments (and organizations) previously unknown and inaccessible to the threat actor (e.g., SolarWinds SUNBURST).
Third, 0ktapus is an example of the sharing economy in cybercrime, where threat actors distribute intelligence, techniques, infrastructure, aid, and quasi-tech support for easily available tools and target profiles. End-to-end encryption platforms and apps, like Telegram and Signal, along with unsanctioned infrastructure like Bulletproof Hosting, are used like convention expos and bazaars for enabling criminal exchanges.
For a moment, try to see it from the attacker’s perspective—you have technical profiles for organizations using a concentrated hub (Okta), you know disguising the attack within an update or security best practice gets more clicks, and you can lease your access or sell it outright to a worldwide network of unscrupulous buyers outside the reach of authorities with total anonymity. And who knows? Once you get inside, you can spread throughout the SaaS attack surface, including harvesting credentials for the thousands of apps authenticating with simple username and password using Okta SWA.
Now can you see it? The opportunity is irresistible. And opportunistic, global-scale attacks have happened before, but a couple layers below SaaS, namely cloud infrastructure (IaaS) and platforms (PaaS). What makes 0ktapus significant is how it targets identity and access management, itself—along with each organization’s SaaS estate now under threat.
“Once the attackers compromised an organization, they were quickly able to pivot and launch subsequent [SaaS] attacks, indicating that the attack was planned carefully in advance.” Group-IB, August 2022
How 0ktapus works – the adversary journey
As reported by Twilio and Cloudflare, attackers are targeting employees at thousands of companies who are customers of IAM leader Okta. Employees receive a text message, disguised with keywords and common SMS format structures, with links to phishing sites posing as the Okta authentication page of their organization.
As of August 25, 2022, at least 169 unique domains were involved with the 0ktapus campaign, according to Group-IB researchers. In the case of 0ktapus, researchers discovered the same phishing kits with the same image used throughout other malicious infrastructure. Using the hash value of the image, it is possible to retrieve a unique list of related domains operating the same phishing kits—thereby fingerprinting adversary-threat infrastructure with high confidence as 0ktapus.
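The clustering technique described above (grouping phishing domains by the hash of a kit asset they all serve) is straightforward to reproduce for a defender's own blocklist work. The following Python is an added example, not code from Group-IB or from Grip; the domains, the image bytes and the tenant name are constructed placeholders, and the lookalike check simply flags hosts that carry the brand keyword outside the legitimate okta.com namespace.

```python
import hashlib
from collections import defaultdict

# Constructed stand-ins for the logo image each crawled page served.
# A real kit ships the same image file to every domain it is deployed on,
# so identical bytes produce identical hashes; these bytes are made up.
KIT_LOGO = b"\x89PNG\r\n\x1a\n-constructed-kit-logo-bytes-"
OTHER_LOGO = b"\x89PNG\r\n\x1a\n-constructed-unrelated-logo-bytes-"

# Constructed crawl results: (domain, bytes of the logo that domain served).
SAMPLE_PAGES = [
    ("example-sso-okta-help.example", KIT_LOGO),
    ("okta-example-verify.example", KIT_LOGO),
    ("example-vpn-login.example", OTHER_LOGO),
    ("example-okta.example", KIT_LOGO),
]


def image_fingerprint(data: bytes) -> str:
    """SHA-256 of the raw asset bytes; identical kit assets collide here."""
    return hashlib.sha256(data).hexdigest()


def cluster_by_image(pages):
    """Group domains by the fingerprint of the asset they served."""
    clusters = defaultdict(list)
    for domain, image_bytes in pages:
        clusters[image_fingerprint(image_bytes)].append(domain)
    return dict(clusters)


def related_domains(pages, known_kit_image: bytes):
    """All domains serving the same asset as a confirmed kit sample."""
    wanted = image_fingerprint(known_kit_image)
    return sorted(cluster_by_image(pages).get(wanted, []))


def is_lookalike(domain: str, tenant: str) -> bool:
    """True when a host uses the brand keyword but is not the org's real
    Okta tenant (e.g. example.okta.com, a constructed tenant name here) or
    any other okta.com host."""
    host = domain.lower().rstrip(".")
    if host == tenant or host.endswith("." + tenant):
        return False
    if host == "okta.com" or host.endswith(".okta.com"):
        return False
    return "okta" in host


if __name__ == "__main__":
    for d in related_domains(SAMPLE_PAGES, KIT_LOGO):
        print(d, "lookalike" if is_lookalike(d, "example.okta.com") else "")
```

In practice the page fetches would come from a crawler or a URL-scanning service, and the confirmed kit sample from the phishing page reported by an employee; the hash join then turns one report into a candidate list for blocking and takedown requests.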
There is an 8-part sequence of the 0ktapus phishing campaign and a clear objective to gain access to corporate services via Okta identity. Once the initial compromise is successful, the attacker can persist within the SaaS attack surface with authorized access via Okta credentials. Additionally, threat actors can move within the SaaS supply chain to disrupt, deny, degrade, and destroy SaaS critical to the operation of targeted companies.
In the case of Signal, a well-known victim of the 0ktapus campaign, its compromise stemmed from an 0ktapus target upstream in the SaaS supply chain, Twilio. Twilio, who provides phone number verification services, notified Signal that Twilio had suffered a phishing attack via fraudulent SMS messages. According to Signal, the investigation uncovered a window of opportunity for the attack and the techniques we covered above.
Twilio’s customer support console had been breached via the 0ktapus phishing campaign—leading to the compromise of approximately 1,900 users, including disclosing the SMS codes used to register with Signal.
While the attacker was accessing Twilio’s customer support systems, adversaries could register exposed phone numbers to new devices for Signal services by using the stolen SMS verification code.
There is evidence that this attack was successful, given Signal users reporting accounts as re-registered without their knowledge.
Twilio notified Signal that the attack had been mitigated and shutdown.
The investigation and incident response for these two specific organizations is ongoing.
As of August 2022, more than 130 organizations were compromised via Twilio’s initial compromise by the 0ktapus campaign. The majority of 0ktapus victims have been technology providers with significant interconnectedness and dependency with thousands of other technologies and SaaS services.
What has 0ktapus compromised, so far?
To date, roughly 10,000 user credentials have been stolen or compromised, including duplicate passwords used for hundreds of SaaS services per user. Additionally, more than 5,000 MFA codes were compromised by 0ktapus and 136 unique email domains—paired to Okta identity—have been compromised.
Aside from the technologies and infrastructure compromised, Group-IB reported analysis on 0ktapus activity since March 2022 and found that most targeted companies are in the USA, and non-US companies with US-based employees.
Because more than 65 percent of forensic data did not include a corporate email—only usernames and MFA codes could be deduced—most companies and their security teams simply do not know if or when 0ktapus may have breached their SaaS attack surface.
While it is uncertain how 0ktapus obtained phone numbers to launch their global-scale smishing campaign, there are traces of 0ktapus’s fingerprints (i.e., kits, tools, infrastructure) in attacks on mobile and telecommunications companies in 2022. Researchers suggest these attacks exposed and compromised phone numbers—along with logs available from SaaS-based integrated telecom providers, like Twilio and Cloudflare. According to Group-IB, “Chances are, some phone numbers may have been obtained from those initial attacks”.
Not all 136 0ktapus victims can be identified, but of those Okta customers compromised, most were IT service providers, software firms, and cloud service providers—enough to create systemic SaaS risk with these technologies and services providing a channel to compromise the full SaaS estate in a global-scale attack.
And recent disclosures give us some indication of the motivations and goals behind 0ktapus.
Email platform Mailchimp was breached to gain access to data from crypto-related companies and disrupt operations.
Mailchimp was used by the technology company, DigitalOcean, for password resets, email confirmation, and other email-related communication to users and their organizations. By redirecting password resets, 0ktapus could have compromised DigitalOcean customers and their cloud environments.
Phone verification provider, Twilio, was breached and 0ktapus-connected threat actors compromised Twilio’s customer support systems (SaaS) to gain access to customers like Signal, to re-register mobile accounts.
Whether these sophisticated attacks were planned-as-executed from start to finish is unknown. However, what is clear from the evidence so far is that 0ktapus has had outsized success beyond the initial smishing tactics and techniques, enabling 0ktapus to infiltrate user-SaaS relationships and exploit victims by disguising malicious intent as a security best practice—like when a user is prompted to reset 2FA only hours after a reminder from their security team to take 2FA seriously.
Regardless of how much of the attack was planned in advance, it is clear that the 0ktapus campaign has been effective and the full scale of 0ktapus’s attacks may not be known for months or years.
What to do about 0ktapus?
What does all this mean for security teams? For starters, it is now clear that 0ktapus knows more about the SaaS attack surface than their victims. Furthermore, 0ktapus has uncovered some of the evolving opportunism we see from threat actors, namely, identifying and targeting organizations based on technologies they use and provide to others, without as much consideration for industries or other features like size or location of the company being targeted.
So, for companies using Okta for identity and access management, that is the only thing you need to become a target of the 0ktapus campaign. Once successful, threat actors can compromise the global SaaS attack surface—whether through fraudulent authorization to Okta for SSO/SAML access to corporate resources or by exfiltrating credentials from Okta SWA.
In the wake of the 0ktapus attack on Twilio, Grip Security advised customers to protect against these potential attacks in three steps:
Discover users of the compromised SaaS. The discovery should include all current employees, including former employees with zombie accounts and/or dangling access to SaaS services. Discovery is a foundational element of SaaS security, but it is not always easy—especially when 60-70 percent of the SaaS estate is accessed outside of IT controls, like Okta or other identity providers.
Rotate strong passwords for non-SSO SaaS. Stolen credentials can be used to take control of accounts and access sensitive data. With the rise of business-led SaaS and IT strategy, there is an alarming proportion of SaaS that lives outside of IT control or security support. The best defense against identity-based attacks is with identity-based SaaS security—infusing users with protections and safeguards they carry to SaaS apps, known and unknown.
Enable one-click, strong authentication or SSO. Often, SSO enables users to securely authenticate with multiple applications and allows IT admins to centrally control access to SaaS applications. However, SSO usually requires increased license costs, and it requires some work by IT for integration. Depending on the number of user-SaaS relationships, the added cost and effort of bringing hundreds of SaaS apps under SSO may be impractical—when the juice is just not worth the squeeze.
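The three steps above (discover accounts including dangling ones, rotate passwords on non-SSO SaaS, and decide which apps to bring under SSO) can be driven from one inventory of user-to-app relationships. The Python below is an added example, not Grip's product or any code from the post; the roster, the app names and the `pw_fingerprint` field (a constructed opaque reuse indicator of the kind a password manager or vault can expose, never the password itself) are all assumptions made for the illustration.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SaasAccount:
    user: str            # identity that owns the account
    app: str             # SaaS application name (constructed)
    auth: str            # "sso" if federated via the IdP, "password" if app-local login
    pw_fingerprint: str  # constructed opaque token; equal tokens mean the same password


# Constructed HR roster: identities that are still employed.
ACTIVE_USERS = {"alice@example.com", "bob@example.com"}

# Constructed SaaS inventory; carol has left but still holds an account.
INVENTORY = [
    SaasAccount("alice@example.com", "crm-app", "sso", ""),
    SaasAccount("alice@example.com", "design-tool", "password", "fp-1"),
    SaasAccount("alice@example.com", "survey-tool", "password", "fp-1"),
    SaasAccount("bob@example.com", "crm-app", "sso", ""),
    SaasAccount("bob@example.com", "notes-app", "password", "fp-2"),
    SaasAccount("carol@example.com", "design-tool", "password", "fp-3"),
]


def dangling_accounts(inventory, active_users):
    """Step 1: accounts whose owner is no longer on the roster (zombie access)."""
    return sorted((a.user, a.app) for a in inventory if a.user not in active_users)


def non_sso_accounts(inventory):
    """Step 1/2: every account that still relies on an app-local password."""
    return sorted((a.user, a.app) for a in inventory if a.auth != "sso")


def reused_passwords(inventory):
    """Step 2: users who reuse one password across several password-auth apps."""
    apps_by_fingerprint = defaultdict(set)
    for a in inventory:
        if a.auth == "password" and a.pw_fingerprint:
            apps_by_fingerprint[(a.user, a.pw_fingerprint)].add(a.app)
    return {user: sorted(apps)
            for (user, _), apps in apps_by_fingerprint.items() if len(apps) > 1}


def sso_candidates(inventory):
    """Step 3: password-auth apps ranked by how many accounts they carry,
    so the SSO integration effort goes where it removes the most passwords."""
    counts = Counter(a.app for a in inventory if a.auth == "password")
    return sorted(counts.items(), key=lambda item: (-item[1], item[0]))


def triage(inventory, active_users):
    """Combine the three steps into one action list."""
    reused = reused_passwords(inventory)
    rotate = sorted((a.user, a.app) for a in inventory
                    if a.auth == "password" and a.user in active_users)
    # Rotate reused passwords first: one stolen credential opens several apps.
    rotate.sort(key=lambda ua: (ua[0] not in reused, ua))
    return {
        "offboard": dangling_accounts(inventory, active_users),
        "rotate": rotate,
        "move_to_sso": sso_candidates(inventory),
    }


if __name__ == "__main__":
    for action, items in triage(INVENTORY, ACTIVE_USERS).items():
        print(action, items)
```

The ordering in `triage` encodes the post's reasoning: a former employee's account is removed outright, reused passwords are rotated before unique ones because a single phished credential is reusable everywhere it was duplicated, and SSO migration is proposed first for the apps where it retires the most passwords per integration.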
Ultimately, the goal for every security leader and team is to produce secure outcomes for the organization. While it may be challenging to curtail risk in user-SaaS relationships managed by business groups, it can be realized without interfering with the ongoing march of business-led IT strategies.
Conclusion
0ktapus demonstrates the effectiveness of threat actors to compromise SaaS with global-scale attacks and persist within the SaaS attack surface—expanding conquest via Okta SWA credentials. Second, 0ktapus shows how attacker psychology works by mimicking a security best practice to shamelessly fool users into handing over Okta credentials. Lastly, 0ktapus shines a light on the need for historic discovery—users with dangling access, abandoned SaaS services, zombie accounts, including SaaS use, misuse, and abuse.
As of September 2022, threat research suggests over 14,000 organizations are targets of the 0ktapus campaign, leaving many organizations without clear awareness of their SaaS attack surface.
If your organization is a target of 0ktapus, Grip is offering a free SaaS Risk Assessment—discovering and identifying SaaS attack surface risks (past and present) and one-click secure access and offboarding to rapidly mitigate SaaS threats.