IAM house Okta confirms 0ktapus/Scatter Swine attack

Identity and access management specialist Okta has warned customers to be on their guard against a widespread and impactful phishing campaign that has already hit a very limited number of its customers.

This comes after researchers at Group-IB gathered evidence that tied together multiple recent incidents, including an attack on Twilio, in a criminal campaign that seems to have heavily exploited the Okta brand, and the trust its customers hold in it, in order to compromise its targets.

The campaign, which Okta has dubbed Scatter Swine – Group-IB coined a different name, 0ktapus – found that the data of some Okta customers was accessible to the threat actor through Twilio’s systems.

Okta’s defensive cyber ops team determined that a small number of mobile phone numbers and associated SMS messages containing one-time passcodes were accessible to the threat actor via the Twilio console.

“Okta has notified any customers where a phone number was visible in the console at the time the console was accessed,” said a company spokesperson. “There are no actions necessary for customers at this time.”

Okta’s own investigation found that the events of the incident unfolded as follows. On 7 August 2022, Twilio had disclosed that customer accounts and internal apps were accessed in attacks resulting from a successful phish. It notified Okta that unspecified data relevant to its customers was accessed during this incident on 8 August.

At that point, Okta rerouted SMS-based communications to an alternative provider so that it could have clear space to investigate alongside Twilio, which provided data such as internal systems logs that could be used to correlate and identify the extent of the activity relating to its users.

This activity, as detailed above, affected 38 unique phone numbers, nearly all of which can be linked to a single unnamed organisation. Okta said it appeared that the threat actor was attempting to expand its access to that organisation. It had previously used usernames and passwords stolen in phishing campaigns to trigger SMS-based multifactor authentication challenges at its target and used its access to Twilio’s systems to weed out the one-time passcodes sent in these challenges.

Subsequently, Okta has been engaged in threat hunting across its platform logs and has found evidence that the threat actor also tested this technique against a single account unrelated to its main target, but performed no other actions. There is no evidence that it successfully used the technique to expand the scope of its access beyond the primary target.

Okta said 0ktapus/Scatter Swine has directly targeted Okta in the past, but has been unable to access accounts because of its in-house security.

The group uses infrastructure provided by the crypto-friendly Bitlaunch provider, providing servers from DigitalOcean, Vultr and Linode. Its preferred domain name registrars are Namecheap and Porkbun, both of which take bitcoin payments.

It initially harvests phone numbers from data aggregation services that link phone numbers to employees – Group-IB presented evidence that it may have hacked into some comms providers to get this data – and sends bulk phishing lures to multiple employees at its targets and even, in some cases, their family members. It has been known to follow up with phone calls pretending to be a tech support agent, and in these calls its operators apparently speak fluent North American-accented English.

If it successfully obtains user credentials from its phishing campaign, it then attempts to authenticate using an anonymised proxy. In this campaign, it favoured the Mullvad (Mole) VPN service, an open source, commercial service based out of Sweden.

Its phishing kit is designed to capture usernames, passwords and one-time passcode factors, and it has been known to trigger multiple push notifications in a further attempt to trick targets into allowing access to their accounts.

It has registered multiple domain names in common formats to further trick targets into entering their credentials on its phishing sites. In the case of Okta customers, these have generally taken the form of [target company]-okta.com, .net, .org or .us, although other domains have also been used.

More information on 0ktapus/Scatter Swine’s tactics, techniques and procedures is available from Okta, which is also advising its customers to adopt a defence-in-depth strategy to best protect themselves from this, or similar attacks.