Security researchers say the recent phishing which saw communications provider Twilio compromised, and reverse proxy Cloudflare attacked, are part of a much larger campaign targeting mainly Okta customers in the United States.
According to Group-IB's researchers, ten unnamed organisations in Australia and one in New Zealand were compromised in the phishing campaign.
Group-IB said it has discovered that the phishing campaign, which it named 0ktapus, was very extensive, with 9931 user credentials at more than 130 organisations being hacked.
The security vendor said its threat intelligence team further unveiled the attackers phishing infrastructure, the kit used, and the Telegram messaging group controlled by the threat actors and which shared hacked information through a bot.
Group-IB researchers found 3129 email records and 5441 records with multi-factor authentication codes in the data related to the 0ktapus campaign it was able to intercept.
Due to Twilio being hacked, messaging app Signal, which uses the communications provider for phone number authentication, saw three of its users having their accounts re-registered to attacker devices.
Vice journalist Lorenzo Franceschi-Bicchierai was one of the victims, and Signal estimated that up to 1900 users were put at risk of having their accounts re-registered.
For the 0ktapus campaign, the attackers set up 169 phishing domains which used terms like SSO, VPN, OKTA, MFA and HELP to make them look like legitimate sites to victims, Group-IB said.
Other domains did not use key terms like the above, or different ones, in the malicious SMS text messages sent by the attackers, Group-B said.
Since the attackers used a new shared phishing kit that one of the threat actors had scanned on Google's VirusTotal service, to make sure that it did not contain malware, Group-IB was able to obtain a copy of it.
The Singapore-based security company was able to capture information on one of the attackers, who was an administrator of the abovementioned Telegram channel, which led them to the person's Twitter account.
Via the Twitter account, Group-IB was able to find the attackers name, Github page, and possible location in North Carolina, the United States.
IT service providers, software developers and cloud companies accounted for most of the hackers' targets.
Group-IB said it has notified all the organisations targeted by the 0ktapus hackers, but two-thirds of the intercepted data did not contain corporate email addresses, only user names and two-factor authentication codes.
