Sep 6, 2022
Sep 6, 2022
0ktapus demonstrates the effectiveness of threat actors to compromise SaaS with global-scale attacks and persist within the SaaS attack surface—expanding conquest via Okta SWA credentials.
On August 25, 2022, threat intelligence researchers from Group-IB attributed a recent SaaS attack campaign, codenamed 0ktapus. The 0ktapus campaign has been implicated in highly publicized SaaS breaches, such as those reported by Twilio and Cloudflare. Group-IB reported observations of several well-known organizations targeted in this massive phishing campaign, including Signal—the end-to-end encrypted messaging service.
The attackers have a clear objective: get Okta identity credentials and multifactor authentication (MFA) codes from targeted organizations, thereby giving threat actors entrée to the victim’s global SaaS attack surface. With Okta credentials and MFA codes in hand, an attacker has access to all the enterprise resources Okta is authorized to access—Salesforce, Workday, Microsoft 365, Google Workspace, AWS, NetSuite and thousands of others via stolen Okta Secure Web Access (SWA) credentials.
Worldwide, over 14,000 organizations utilize Okta for identity and access management (IAM). We can confidently say that these organizations (and their SaaS attack surfaces) are entangled in a global-scale attack—not based on industry, company size, tax status, geolocation, or other business-defining attributes. No, they are being targeted based on their technology and user profiles.
When asked why he robbed banks, Willie Sutton answered: Because that’s where the money is. In the race to gain malicious access, an identity provider is the biggest bank of them all.
According to Group-IB, 0ktapus targets organizations using Okta identity for services like single sign-on (SSO), multifactor authentication (MFA/2FA), cloud directory services, and customer identity management. So why would a threat campaign be so effective against Okta identity customers?
First, 0ktapus is an example of a global-scale attack, where a specific technology attribute in the organization’s profile is the basis of the campaign—just like the global-scale attacks against cloud infrastructure in 2021 compromising Microsoft Exchange and SolarWinds. Organizations are not being targeted for who they are, but for what tech they have.
Second, 0ktapus is an example of an opportunistic attack, where threat actors compromise a concentrated hub with access to previously unknown environments, creating opportunity for persistence and escalated access within the SaaS attack surface. This is like threat actors embedding a payload within a patch or software update, thereby spreading to new environments (and organizations) previously unknown and inaccessible to the threat actor (e.g., SolarWinds SUNBURST).
Third, 0ktapus is an example of the sharing economy in cybercrime, where threat actors distribute intelligence, techniques, infrastructure, aid, and quasi-tech support for easily available tools and target profiles. End-to-end encryption platforms and apps, like Telegram and Signal, along with unsanctioned infrastructure like Bulletproof Hosting, are used like convention expos and bazaars for enabling criminal exchanges.
For a moment, try to see it from the attacker’s perspective—you have technical profiles for organizations using a concentrated hub (Okta), you know disguising the attack within an update or security best practice gets more clicks, and you can lease your access or sell it outright to a worldwide network of unscrupulous buyers outside the reach of authorities with total anonymity. And who knows? Once you get inside, you can spread throughout the SaaS attack surface, including harvesting credentials for the thousands of apps authenticating with simple username and password using Okta SWA.
Now can you see it? The opportunity is irresistible. And opportunistic, global-scale attacks have happened before, but a couple layers below SaaS, namely cloud infrastructure (IaaS) and platforms (PaaS). What makes 0ktapus significant is how it targets identity and access management, itself—along with each organization’s SaaS estate now under threat.
“Once the attackers compromised an organization, they were quickly able to pivot and launch subsequent [SaaS] attacks, indicating that the attack was planned carefully in advance.” Group-IB, August 2022
As reported by Twilio and Cloudflare, attackers are targeting employees at thousands of companies who are customers of IAM leader Okta. Employees receive a text message, disguised with keywords and common SMS format structures, with links to phishing sites posing as the Okta authentication page of their organization.
As of August 25, 2022, at least 169 unique domains were involved with the 0ktapus campaign, according to Group-IB researchers. In the case of 0ktapus, researchers discovered the same phishing kits with the same image used throughout other malicious infrastructure. Using the hash value of the image, it is possible to retrieve a unique list of related domains operating the same phishing kits—thereby fingerprinting adversary-threat infrastructure with high confidence as 0ktapus.
There is an 8-part sequence of the 0ktapus phishing campaign and a clear objective to gain access to corporate services via Okta identity. Once the initial compromise is successful, the attacker can persist within the SaaS attack surface with authorized access via Okta credentials. Additionally, threat actors can move within the SaaS supply chain to disrupt, deny, degrade, and destroy SaaS critical to the operation of targeted companies.
In the case of Signal, a well-known victim of the 0ktapus campaign, its compromise stemmed from an 0ktapus target upstream in the SaaS supply chain, Twilio. Twilio, who provides phone number verification services, notified Signal that Twilio had suffered a phishing attack via fraudulent SMS messages. According to Signal, the investigation uncovered a window of opportunity for the attack and the techniques we covered above.
As of August 2022, more than 130 organizations were compromised via Twilio’s initial compromise by the 0ktapus campaign. The majority of 0ktapus victims have been technology providers with significant interconnectedness and dependency with thousands of other technologies and SaaS services.
To-date, roughly 10,000 user credentials have been stolen or compromised, including duplicate passwords used for hundreds of SaaS services per user. Additionally, more than 5,000 MFA codes were compromised by 0ktapus and 136 unique email domains—paired to Okta identity—have been compromised.
Aside from the technologies and infrastructure compromised, Group-IB reported analysis on 0ktapus activity since March 2022 and found that most targeted companies are in the USA, and non-US companies with US-based employees.
Because more than 65 percent of forensic data did not include a corporate email—only usernames and MFA codes could be deduced—most companies and their security teams simply do not know if or when 0ktapus may have breached their SaaS attack surface.
While it is uncertain how 0ktapus obtained phone numbers to launch their global-scale smishing campaign, there are traces of 0ktapus’s fingerprints (i.e., kits, tools, infrastructure) in connection to mobile and telecommunications companies attacks in 2022. Researchers suggest these attacks exposed and compromised phone numbers—along with logs available from SaaS-based integrated telecom providers, like Twilio and Cloudflare. According to Group-IB, “Chances are, some phone numbers may have been obtained from those initial attacks”.
Not all 136 0ktapus victims can be identified, but of those Okta customers compromised, most were IT service providers, software firms, and cloud service providers—enough to create systemic SaaS risk with these technologies and services providing a channel to compromise the full SaaS estate in a global-scale attack.
And recent disclosures give us some indication of the motivations and goals behind 0ktapus.
Whether these sophisticated attacks were planned-as-executed from start to finish is unknown. However, what is clear from the evidence so far, 0ktapus has had outsized success beyond the initial smishing tactics and techniques, enabling 0ktapus to infiltrate user-SaaS relationships and exploit victims by disguising malicious intent with security best practices—like when a user is prompted to reset 2FA only hours after a reminder from their security team to take 2FA seriously.
Regardless of how much of the attack was planned in advance, it is clear that the 0ktapus campaign has been effective and the full scale of 0ktapus’s attacks may not be known for months or years.
What does all this mean for security teams? For starters, it is now clear that 0ktapus knows more about the SaaS attack surface than their victims. Furthermore, 0ktapus has uncovered some of the evolving opportunism we see from threat actors, namely, identifying and targeting organizations based on technologies they use and provide to others, without as much consideration for industries or other features like size or location of the company being targeted.
So, for companies using Okta for identity and access management, that is the only thing you need to become a target of the 0ktapus campaign. Once successful, threat actors can compromise the global SaaS attack surface—whether through fraudulent authorization to Okta for SSO/SAML access to corporate resources or by exfiltrating credentials from Okta SWA.
In the wake of the 0ktapus attack on Twilio, Grip Security advised customers to protect against these potential attacks in three steps:
Ultimately, the goal for every security leader and team is to produce secure outcomes for the organization. While it may be challenging to curtail risk in user-SaaS relationships managed by business groups, it can be realized without interfering with the ongoing march of business-led IT strategies.
0ktapus demonstrates the effectiveness of threat actors to compromise SaaS with global-scale attacks and persist within the SaaS attack surface—expanding conquest via Okta SWA credentials. Second, 0ktapus shows how attacker psychology works by mimicking a security best practice to shamelessly fool users to handing over Okta credentials. Lastly, 0ktapus shines a light on the need for historic discovery—users with dangling access, abandoned SaaS services, zombie accounts, including SaaS use, misuse, and abuse.
As of September 2022, threat research suggests over 14,000 organizations are targets of the 0ktapus campaign, leading many organizations without clear awareness of their SaaS attack surface.
If your organization is a target of 0ktapus, Grip is offering a free SaaS Risk Assessment—discovering and identifying SaaS attack surface risks (past and present) and one-click secure access and offboarding to rapidly mitigate SaaS threats.
Join our LinkedIn Live event on SaaS Security for Modern Work
Get a free Grip SaaS Risk Assessment
Request a consultation and receive more information about how you can gain visibility to shadow IT and control access to these apps.
Fill out the form and we’ll send you our Datasheet.
Give us a test drive.
Fill out the form and we’ll get in touch with you.
Fill out the form and watch webinar's video.
