My Thoughts on Øktapus Attacks

Here goes...

What we know so far:

  • This is a large scale phishing attack
  • Primary method is MFA bypass of SMS codes using a proxy
  • The Identity solution used at the victims is Okta  
  • About 10,000 employee accounts compromised across ~130 mostly US based companies

*These numbers come from Group-IB, who did the research. 

How the attack works:

The hackers seemingly took the data they acquired from the Twilio breach, which may have contained Okta login landing page links and phone numbers that can be used to send phishing SMS messages. However, the Okta login pages for organizations are easy to enumerate: the URL is typically <org_name>.okta.com or something very similar. The hackers then created malicious domains such as <org_name>-mfa.com and sent those links via email or SMS to the potential victims. This entire process is easy to automate and is handled end to end by phishing proxy tools like Modlishka and Evilginx2. 

When the victim clicks the link in the SMS or email, they are taken to a typical Okta login page that they are familiar with. However, that page is fake, so when they type in their credentials, those credentials go straight to the hackers. This includes OTP codes that are sent via SMS or generated in their Okta Verify app. 

The hacker will then take these credentials, put them into the real Okta login page and get access to the employee's corporate account. They will then pivot across the organization by accessing various apps. They can access other employee data as well as PII and IP that may be critical to the business. This is what may have happened to LastPass in their recent breach, where product source code was stolen. 

My Thoughts on This Attack:

Hackers are smart and they look for the path of least resistance to get into companies and cause damage. The fact is that the rapid expansion of automated phishing tools has made these types of attacks much easier than ever. The necessity for phishing resistant authentication is becoming more obvious by the day. This is why the OMB guidance on zero trust and the strategies supported by CISA all talk about the movement away from SMS and OTP codes as a second factor. 

Many of the legacy MFA technologies have some support for phishing resistant methods. However, from a technology perspective they are not in a place where they can realistically enforce phishing resistant methods only. As a result, they still enable SMS and other insecure methods, which ends in phished accounts. 

The fact is that as long as your MFA provider has an easily phishable fallback as an authentication factor, that fallback is the highest level of assurance that can be provided to your organization. 
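To make concrete why the relay described above works for an OTP but not for a FIDO2/WebAuthn credential, here is an added simulation that is not from the original post and is not Okta's or HYPR's code. The tenant name, the look-alike domain and the HMAC stand-in for the authenticator's signature are constructed; the checks themselves (RP ID suffix rule, origin in clientDataJSON, signature over rpIdHash and hash(clientDataJSON)) are the ones WebAuthn specifies.

```python
import hashlib
import hmac
import json
import os
from typing import Optional

# Constructed names: a hypothetical tenant and a look-alike domain of the kind the post describes.
REAL_ORIGIN = "https://example-org.okta.com"
FAKE_ORIGIN = "https://example-org-mfa.com"
RP_ID = "example-org.okta.com"

class Authenticator:
    """Stand-in FIDO2 authenticator: HMAC replaces the per-credential ECDSA key,
    but as in WebAuthn the signature covers rpIdHash and hash(clientDataJSON)."""
    def __init__(self, rp_id: str) -> None:
        self.rp_id, self.key = rp_id, os.urandom(32)

    def get_assertion(self, browser_origin: str, challenge: str, browser_checks_rp_id: bool = True) -> Optional[dict]:
        host = browser_origin.split("://", 1)[1]
        if browser_checks_rp_id and host != self.rp_id and not host.endswith("." + self.rp_id):
            return None  # a compliant browser never asks the authenticator for this RP ID from a foreign origin
        # The browser, not the user, records the origin the page was actually loaded from.
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": browser_origin}).encode()
        auth_data = hashlib.sha256(self.rp_id.encode()).digest()  # rpIdHash
        signed = auth_data + hashlib.sha256(client_data).digest()
        return {"client_data": client_data, "auth_data": auth_data, "sig": hmac.new(self.key, signed, "sha256").digest()}

def rp_verify(auth: Authenticator, assertion: Optional[dict], challenge: str) -> bool:
    """Relying-party checks: origin and challenge in clientDataJSON, rpIdHash, then the signature."""
    if assertion is None:
        return False
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("origin") != REAL_ORIGIN or cd.get("challenge") != challenge:
        return False
    if assertion["auth_data"] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    return hmac.compare_digest(hmac.new(auth.key, signed, "sha256").digest(), assertion["sig"])

def simulate() -> dict:
    """Outcome of relaying a WebAuthn assertion through a look-alike page to the real site.
    (An SMS/app OTP carries no such binding: forwarded verbatim, it is simply accepted.)"""
    auth, challenge = Authenticator(RP_ID), os.urandom(16).hex()
    legit = auth.get_assertion(REAL_ORIGIN, challenge)
    relayed = auth.get_assertion(FAKE_ORIGIN, challenge)  # proxy forwards the real site's challenge
    # Even if a non-compliant client signed on the fake origin and the proxy rewrote the origin field,
    # hash(clientDataJSON) no longer matches what was signed, so the signature check fails.
    minted = auth.get_assertion(FAKE_ORIGIN, challenge, browser_checks_rp_id=False)
    tampered = dict(minted, client_data=minted["client_data"].replace(FAKE_ORIGIN.encode(), REAL_ORIGIN.encode()))
    return {"legit": rp_verify(auth, legit, challenge), "relayed": rp_verify(auth, relayed, challenge), "tampered": rp_verify(auth, tampered, challenge)}
```

Only the assertion produced on the real origin verifies; the relayed and the origin-rewritten ones both fail, which is the property "phishing resistant" refers to.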

Advice for Businesses:

1. Disable SMS as an MFA factor. Yes, this sucks because you will have employees that don’t want to download an app on their phone. Give those users an alternative such as a hardware token that supports FIDO2 authentication. 

2. Move to a phishing resistant mobile MFA app. This does not include Okta Verify, Duo Mobile, Microsoft Authenticator, Google Authenticator, or anything else that provides an OTP capability. This is self-serving, but the HYPR Mobile app is phishing resistant and doesn’t offer phishable factors as a fallback.

3. Do a retrospective on access controls within your identity provider. Make sure that your employees only have access to the apps they need to have access to. This particularly applies to anything that has PII or IP that the hackers could go after. 

---

Great write up! One thing I haven't seen spelled out - can you elaborate on how MS Authenticator or Okta Verify are vulnerable when using push notifications and number challenges? These mobile apps allow for various configurations and it feels like we're just looking at OTP and calling them insecure outright.

Clifford Dutka

Cybersecurity Enthusiast Specializing in PAM and IAM (both CIAM and EIAM)

2y

Great article, I would add a 4th and 5th piece of advice. 4. Set up logging for sessions that have unusual authentication activity: (a) sessions that log in and do nothing, (b) sessions that come from unusual locations, and (c) multiple authentications for different accounts from the same locations. These don't necessarily mean there is a problem but could point to one. 5. Move to the least privilege model, where people have the minimum access that they need and all privileged access is locked behind an EPM or PAM solution.
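The three signals in the comment above, written out as detection logic in an added example that is not part of the comment or the post. The event schema, the sample sign-in events, the expected-country set and the "current time" are all constructed (this is not Okta's System Log format); signal (c) is the one a credential-relaying proxy leaves behind, since every victim's login arrives from the proxy's address.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not Okta's System Log schema). 198.51.100.7 plays the
# role of a phishing proxy that replays several victims' credentials from one place.
EVENTS = [
    {"ts": "2022-08-20T09:00:00", "event": "login", "user": "alice", "ip": "203.0.113.10", "country": "US", "session": "s1"},
    {"ts": "2022-08-20T09:01:00", "event": "app_access", "user": "alice", "ip": "203.0.113.10", "country": "US", "session": "s1"},
    {"ts": "2022-08-20T09:05:00", "event": "login", "user": "bob", "ip": "198.51.100.7", "country": "NL", "session": "s2"},
    {"ts": "2022-08-20T09:06:00", "event": "login", "user": "carol", "ip": "198.51.100.7", "country": "NL", "session": "s3"},
    {"ts": "2022-08-20T09:08:00", "event": "login", "user": "dave", "ip": "198.51.100.7", "country": "NL", "session": "s4"},
    {"ts": "2022-08-20T09:09:00", "event": "app_access", "user": "dave", "ip": "198.51.100.7", "country": "NL", "session": "s4"},
]
EXPECTED_COUNTRIES = {"US"}  # assumption: where this workforce normally signs in from
NOW = datetime.fromisoformat("2022-08-20T10:00:00")  # constructed "current time" for the idle check


def _t(e):
    return datetime.fromisoformat(e["ts"])


def idle_sessions(events, now=NOW, idle_after=timedelta(minutes=30)):
    """(a) Sessions that authenticated and then did nothing for at least idle_after."""
    login_at, touched = {}, set()
    for e in events:
        if e["event"] == "login":
            login_at[e["session"]] = (e["user"], _t(e))
        else:
            touched.add(e["session"])
    return {s: u for s, (u, t) in login_at.items() if s not in touched and now - t >= idle_after}


def unusual_locations(events, expected=EXPECTED_COUNTRIES):
    """(b) Logins from countries outside the expected set."""
    return {(e["user"], e["country"]) for e in events if e["event"] == "login" and e["country"] not in expected}


def shared_source_logins(events, min_accounts=3, window=timedelta(minutes=10)):
    """(c) One source IP authenticating as several distinct accounts within a short window,
    the pattern a credential-relaying proxy leaves behind."""
    by_ip = defaultdict(list)
    for e in sorted((e for e in events if e["event"] == "login"), key=_t):
        by_ip[e["ip"]].append(e)
    hits = {}
    for ip, logins in by_ip.items():
        for i, first in enumerate(logins):
            users = {e["user"] for e in logins[i:] if _t(e) - _t(first) <= window}
            if len(users) >= min_accounts:
                hits[ip] = users
                break
    return hits
```

On the sample data the proxy address is flagged by (c), and its two sessions with no follow-up activity are flagged by (a); thresholds and the expected-country set would be tuned to the organisation's own baseline.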

Great summary across the board - and this succinctly summarizes the problem: "Hackers are smart and they look for the path of least resistance to get into companies and cause damage. The fact is that the rapid expansion of automated phishing tools has made these types of attacks much easier than ever... [As] long as your MFA provider has an easily phishable fallback as an authentication factor, that’s the highest level of assurance that can be provided to your organization." And yes, the answer is to move to FIDO-based MFA solutions.
