9,931 accounts at more than 130 organizations were compromised by a phishing attack on Twilio and Cloudflare employees. 114 US companies and other companies in 68 countries were impacted.
According to security researchers at Group-IB, the threat actors dubbed Oktapus had only one aim in compromising the identity and access management company Okta. To achieve their goal, the attackers launched their campaign by targeting telecommunications companies to gain access to the phone numbers of potential targets.
“According to the compromised data analyzed by Group-IB, the threat actors started their attacks by targeting mobile operators and telecommunications companies and could have collected the numbers from those initial attacks,” the researchers wrote.
The attackers then sent phishing links to targets via SMS. These links led the victims to websites that pretended to be the Okta authentication page used by the target’s employer. Afterwards, the victims were asked to provide Okta identity credentials in addition to an MFA multifactor code that the employees used to log into their accounts.
The sources for this piece include an article in ThreatPost.