Customers of the identity and access management firm Okta log in using one-time passwords (OTPs) supplied through SMS.
Temporary codes sent through SMS over Twilio are one of the several methods of service authentication offered by Okta to its clients. The threat actor responsible for the Twilio attack abused this method to obtain OTPs. The threat actor might view Okta customers’ mobile phone numbers and OTPs if they had access to the Twilio interface.
The cloud communications provider Twilio found on August 4 that unauthorized access had been made to its networks and client data. Twilio at the time, offered one of the services Okta used for consumers choosing SMS as an authentication option. After learning that “unspecified data relevant to Okta” had been exposed by the Twilio breach on August 8, Okta began to direct SMS-based communication through a new provider.
Using internal system logs from Twilio’s security team, Okta could ascertain that the threat actor had exposure to phone numbers and OTP codes relating to its customers. According to the company, an OTP code expires after five minutes. Okta distinguishes between “targeted” and “incidental disclosure” of phone numbers when it comes to the threat actor’s behavior in the Twilio interface involving its clients.
The company claims that the attacker looked up 38 phone numbers, most of which were connected to a single company, indicating a desire to penetrate that client’s network. The threat actor used the administrative portals of Twilio, which displayed the 50 most recent messages sent using Okta’s Twilio account, to search for the 38 Okta-related phone numbers. This implies that more phone numbers might be visible to hackers. Okta’s research showed that the hacker did not use these cell numbers.
The threat actor was given the name Scatter Swine because Okta watched it use various phishing attempts to target different technological businesses over the previous few months. The phishing effort known as “0ktapus” was carried out by the same adversary, Scatter Swine, and was given that moniker since its objective was to steal two-factor authentication (2FA) tokens and Okta identification credentials. By sending personnel of the targeted firms an SMS with a link to a phishing site mimicking an Okta authentication page for the victim company, the actor has stolen nearly 1,000 logins to get access to corporate networks.
Okta claims that Scatter Swine/0ktapus employs commercial data gathering services to compile the mobile phone numbers of people associated with cryptocurrency, telecom businesses, and technology company workers. In a typical Oktapus attack, a link to a phishing website that requests corporate credentials and 2FA codes is sent to a prospective employee through SMS. All of the information is sent to a Telegram account, which leads Group-IB to a person they believe to be from North Carolina, United States, who also has a Twitter and GitHub account.
In their latest report, Okta states that in addition to sending hundreds of SMS phishing messages in bulk, Scatter Swine also contacted the targeted workers (and even their family members) to inform them about the company’s authentication procedure while posing as assistance.
It is difficult to defend against complex social engineering assaults that target 2FA codes. The primary advice is to pay close attention to warning signs of dubious communications and phishing websites. Security professionals advise employing a security key (U2F) that complies with FIDO. Establishing authentication policies that limit user access based on requirements unique to the client and notifications when a user’s sign-in procedure deviates from a previously observed pattern might also be used to spot a fraudulent attempt.
Okta also suggests the following:
- Use Network Zones to refuse or apply step-up authentication on requests from infrequently used networks and anonymizing proxies.
- Limit access to applications to only those devices that are registered or those that are under endpoint management tools’ control.
- Employ application-specific authentication policies to impose access restrictions on the most sensitive apps and data.
Okta has made a system log query available to clients that wish to check for Scatter Swine SMS events (such as authentication challenges, password resets, or factor enrollment events), which discloses new devices and network locations for a particular user. Additionally, Okta’s report offers more precise searches that let users determine whether the messages originated from Twilio.