A new report on the recent data breaches at Twilio and Cloudflare has made headlines after the threat actors behind them were linked to a wider phishing operation that targeted 136 firms worldwide and compromised over 9,900 accounts.
According to the reports, the threat actors behind the earlier Twilio and Cloudflare breaches set out to steal the Okta credentials and 2FA codes of users at their targeted companies. This indicates that employees of organisations using Okta as their identity provider were the hackers' initial targets.
Like the Twilio data breach campaign, the attack on the new victimised companies involved targets receiving text alerts containing links, which redirected them to a phishing site that spoofed Okta’s authentication page.
Experts described the campaign as notable because, despite the low-skill attack methods used, the operators managed to compromise several organisations globally. They also noted that after breaking into a targeted system, the threat operators immediately launched follow-on supply chain attacks, which shows how carefully planned the operation was.
Most targeted organisations were from the US, while the rest came from India, Canada, Sweden, France, and Australia. The hackers have created about 169 phishing domains in this campaign. Moreover, the sectors affected by the campaign include software, telecommunications, finance, retail, business solutions, education, and logistics firms.
Once the hackers have harvested the credentials, such as email addresses and MFA codes, they forward them to a Telegram channel that acts as their C2 server. The researchers suspect that the unknown operators of the campaign are based in North Carolina in the USA, based on a Twitter and a GitHub account found to belong to one of the Telegram channel's operators, known as 'X'.
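The two observable traits described above, a spoofed Okta login page on a non-Okta domain and stolen data posted to a Telegram channel, can be hunted for in web proxy logs. The following is an added defender-side example, not code from the report or from the campaign; the log lines, hostnames and the list of legitimate Okta domains are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample proxy log lines (not from the article):
# "<timestamp> <source_host> <method> <url>"
SAMPLE_LOG = """\
2022-08-25T10:01:02Z wks-014 GET https://login.okta.com/app/UserHome
2022-08-25T10:03:11Z wks-014 GET https://acme-okta-sso.example/login
2022-08-25T10:03:20Z wks-014 POST https://acme-okta-sso.example/submit
2022-08-25T10:05:40Z web-07 POST https://api.telegram.org/botTOKEN_PLACEHOLDER/sendMessage
2022-08-25T10:06:01Z wks-021 GET https://docs.example.com/okta-guide
"""

# Registrable domains Okta actually serves logins from (assumed list; extend per tenant).
LEGIT_OKTA_DOMAINS = ("okta.com", "oktapreview.com", "okta-emea.com")
TELEGRAM_API_HOST = "api.telegram.org"
# "0kta" catches the digit-for-letter swap common in lookalike names.
BRAND_PATTERN = re.compile(r"(?i)(okta|0kta)")
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+)$")


def is_legit_okta(host: str) -> bool:
    """True only for the exact Okta domains or their subdomains, never for look-alikes."""
    return any(host == d or host.endswith("." + d) for d in LEGIT_OKTA_DOMAINS)


def analyze(log_text: str) -> list[dict]:
    """Return findings for look-alike Okta hosts and Telegram Bot API traffic."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed log format
        ts, src, method, url = m.groups()
        host = (urlsplit(url).hostname or "").lower()
        # Rule 1: brand keyword in the host itself (not the path) on a non-Okta domain.
        if BRAND_PATTERN.search(host) and not is_legit_okta(host):
            findings.append({"ts": ts, "src": src, "rule": "okta_lookalike", "host": host})
        # Rule 2: any Telegram Bot API call; in this campaign that channel carried the stolen data.
        if host == TELEGRAM_API_HOST:
            findings.append({"ts": ts, "src": src, "rule": "telegram_bot_api", "host": host})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Rule 2 will also flag legitimate Telegram bot usage, so the finding is a review prompt rather than a verdict; an allowlist of hosts expected to use Telegram narrows it.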
Cybersecurity researchers continue to monitor the campaign, as it is still active in the wild and its full scope has not yet been uncovered. They also believe that, besides stealing critical information, one of the hackers' motives in this campaign was siphoning money.