
0ktapus: A Sophisticated Phishing Campaign

Phishing attacks are nothing new. This type of social engineering has, in fact, been around since the rise of the Internet – targeting unsuspecting victims with legitimate-looking emails and texts engineered to steal their credentials and gain access to valuable enterprise resources. 0ktapus is a recent and sophisticated example of such a campaign.

Just a few months ago, we saw a new, successful attack campaign. Employees in various industries, such as software, BI, telecom, and financial services, received a message linking to a phishing site that mimicked the Okta authentication page. Before anyone noticed, thousands of user accounts had been compromised. So, what exactly is 0ktapus, and how can your organization avoid falling victim to phishing attacks such as this?

What is 0ktapus?

We don’t know who’s behind 0ktapus (other than a Twitter account adopting the name “X”), but we now understand how the attackers managed to steal Okta identity credentials and two-factor authentication codes from over 130 organizations.

The raid was well planned and executed: the cybercriminals sent text messages to various employees, prompting them to click on a link. The only problem was that the page didn’t belong to IAM leader Okta; it was a phishing site that mimicked Okta’s authentication page. As soon as victims entered their credentials and their 2FA codes, the site sent the compromised data to Telegram. From there, those behind 0ktapus were easily able to exfiltrate sensitive and private information.

The 0ktapus campaign is a prime example of a malicious social engineering effort – one of a kind we’ve become all too familiar with. All the attackers needed to do was create a fake page and trick employees into using it. Unfortunately, this is a common threat that all companies should be aware of.

How 0ktapus Worked

It’s believed that the 0ktapus campaign targeted 169 unique domains across multiple industries. Most of them were located in the United States and Canada, where the attackers were able to fulfill their ultimate goal of gaining access to corporate services.

If we look at the phishing site the cybercriminals used, we can quickly see why so many employees were tricked into providing their username and password (the site actually had two pages: the first gathered login details, and the second asked for the 2FA code). The website genuinely looked like an Okta authentication page.

This phishing site, however, was static. The attackers could not interact with their victims in real time, but by sending the codes to Telegram they were able to access the compromised data themselves almost immediately. The 0ktapus threat actors were probably using these credentials as soon as they received them, before the short-lived 2FA codes expired.

The data analysis sheds some light on the potential impact of this phishing campaign. Most of the companies 0ktapus targeted provided IT, cloud, and software development services. The first goal was likely to access private data, internal documents, and corporate email. However, there was a second motivation: because several compromised businesses were in the financial sector, it’s suspected the fraudsters were also trying to access investment tools and crypto assets.

Why a Phishing Attack?

The goal of this phishing attack was, as we mentioned, to access data, steal money, and read private conversations. In many cases, attackers then use this information as business intelligence, demanding a ransom from the victims or simply reselling it to competitors.

Phishing emails and text messages can reach millions of users directly, so any company (no matter its size) can be the target of such a mass campaign. In many cases, these attacks are not designed with a specific company in mind but rather try to collect as many passwords or as much private data as possible. However, something that begins as a generalized phishing attempt can turn into a targeted attack later (usually referred to as “spear phishing”).

These kinds of attacks can be hard for users to identify, as the emails and messages can look authentic. Many phishing attacks also use complex social engineering, in which people are psychologically compelled to perform actions such as opening attachments and clicking on links, especially when the message carries a sense of urgency. Many phishing attacks then develop into ransomware situations, where cybercriminals lock files away and refuse to restore the company’s access until a large payment is made. Unfortunately, this type of strike is as dangerous as it is common.

Phishing remains a method of choice for infecting computers all around the world. Corporate employees, in particular, are vulnerable because they can be an entry point to sensitive data. So, what can your business do to prevent the damage that something like 0ktapus can cause?

Preventing Threats: Best Ransomware Backup Strategies

Keeping your organization secure requires constant vigilance, so the best way to thwart phishing attacks is to use a multilevel approach.

The first layer is to train your employees so they can identify threats as soon as they see them. The second is to make it more difficult for cybercriminals to reach your users and your organization. The last is to be able to respond quickly to any incident.

There are many ways in which you can protect your backup servers in the event of a ransomware attack. For instance:

  • Use unique credentials for each backup storage location.
  • Use offline storage as part of your backup and recovery strategy.
  • Beware of relying on storage snapshots as your only backup strategy.
  • Create multiple backup copies to help mitigate potential risks.
  • Always use the 3-2-1-1 rule (keep three distinct copies of your data, store two on different media, and keep one of these offline).
  • Use an enterprise-grade solution instead of many different file systems.

Bacula Enterprise is a backup and recovery solution that can help protect your organization’s data. The company applies the best practices listed above, ensuring all customers are covered by a robust, highly secure, and modern backup and recovery solution. Bacula Enterprise is an especially secure and robust backup solution – which is critical, given that backup and recovery is the last bastion of defense in any organization’s business continuity strategy; secure backup is often the difference between a company’s survival – or not – in the event of a cyber attack that seeks to deny an organization access to its own business systems. Bacula also offers a unique licensing model that can help you keep costs down; you don’t need to pay license fees per data volume. Download your free 30-day trial and explore all of the platform’s functionality today.