A new ransomware gang has started to make a name for itself over the past several months by targeting organizations’ Okta accounts to gain access to other critical applications. The aptly named Oktapus attack has used highly targeted spearphishing campaigns to steal multi-factor authentication (MFA) credentials at more than 100 organizations around the world. Two recent high-profile attacks at Twilio and DoorDash compromised customer data, including personally identifiable information (PII) of thousands of people.
What’s frustrating is that the attacks were easily identified by security experts at targeted organizations, but the speed at which the gang was able to act after the initial breach and extract valuable data made them almost impossible to stop – showing why focusing solely on detection and remediation continues to put enterprises at great risk.
Taking a preventative approach to security – which emphasizes eliminating initial access – can protect organizations against the surge in successful ransomware attacks, in addition to other malware that can take control of critical business systems and exfiltrate valuable data. But with expanding threat surfaces and the tools that protect organizations – such as the MFA tool Okta – under attack, what can enterprises do?
Anatomy of the attack
According to a report from the cyberintelligence research team Group-IB, the attacks used low-skill methods to compromise targeted Okta accounts and then moved in near real time to target downstream systems and applications and exfiltrate critical customer data.
Attacks were launched against Okta customers by sending a text message or an email to users that contained a link to a fraudulent Okta authentication page. Victims were prompted to enter their username and password into a web form and were then asked for their 2FA code. The attackers had to act quickly, before unique codes or push notifications expired — often within two minutes — meaning that they were likely monitoring their tools in real time so they could use the credentials as soon as they were compromised.
Oktapus relied on surprise and speed to compromise victims rather than on the highly sophisticated evasion techniques we typically see in today’s Highly Evasive Adaptive Threats (HEAT). This attack should be a warning to enterprises that continue to rely on a detection-only approach to cybersecurity. It didn’t matter that security tools were able to quickly detect the fraudulent domains, many of which reused the same images, fonts, and scripts. Oktapus was faster, working in near real time to deliver its payload and extract data. By the time the threat was detected, it was simply too late and the damage was done. Even if a fraudulent sign-in page was detected and blacklisted, the gang could quickly spin up another domain and continue to target other individuals in the organization. No amount of blacklisting, URL filtering, or phishing training could stop the attacks in time.
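To make the two-minute timing concrete from the defender's side, here is an added example (it is not code from the original post, from Group-IB, or from Okta). It assumes a standard RFC 6238 TOTP server with the common one-step clock tolerance, and it uses constructed sign-in events rather than real Okta log lines. The first part shows that a code typed into a fake page remains valid for the real identity provider if the relay lands within about a minute, and is rejected once the window has passed. The second part is a heuristic detection: because the victim's browser talks to the phishing page and the attacker's infrastructure talks to the identity provider, the provider sees only the attacker's source address, so one address completing MFA for several distinct users in a short span is the signal a single relay box leaves behind. The thresholds and the event shape are assumptions for illustration.

```python
"""Real-time OTP relay, seen from the defender's side (added example, not the post's code)."""
import hashlib
import hmac
import struct
from collections import defaultdict

STEP = 30        # seconds per TOTP step (RFC 6238 default)
DIGITS = 6
SKEW = 1         # steps of clock tolerance the server accepts either side (assumed)


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"


def totp(secret: bytes, at: int) -> str:
    """The code the user's authenticator displays at Unix time `at`."""
    return hotp(secret, at // STEP)


def verify_totp(secret: bytes, code: str, at: int) -> bool:
    """Server-side check: accept the current step and SKEW steps around it."""
    counter = at // STEP
    return any(
        hmac.compare_digest(hotp(secret, counter + d), code)
        for d in range(-SKEW, SKEW + 1)
    )


def relayed_code_accepted(secret: bytes, victim_t: int, attacker_t: int) -> bool:
    """Victim reads the code at victim_t and types it into the fake page;
    the relay submits that same code to the real IdP at attacker_t."""
    return verify_totp(secret, totp(secret, victim_t), attacker_t)


# Constructed events, not real Okta logs: (unix_time, user, source_ip, event).
EVENTS = [
    (1000, "alice", "203.0.113.9", "mfa_verified"),
    (1070, "bob", "203.0.113.9", "mfa_verified"),
    (1100, "carol", "198.51.100.4", "mfa_verified"),  # carol's usual office egress
    (1130, "dave", "203.0.113.9", "mfa_verified"),
    (1400, "erin", "203.0.113.9", "mfa_verified"),
]

WINDOW = 600     # seconds (assumed threshold)
MIN_USERS = 3    # distinct users from one address before we call it a relay (assumed)


def shared_relay_ips(events, known_good_ips=frozenset()):
    """Return {ip: sorted distinct users} for addresses that completed MFA for
    MIN_USERS or more distinct users inside some WINDOW-second span."""
    by_ip = defaultdict(list)
    for t, user, ip, event in events:
        if event == "mfa_verified" and ip not in known_good_ips:
            by_ip[ip].append((t, user))
    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort()
        for i, (t, _) in enumerate(rows):
            recent = {u for s, u in rows[: i + 1] if s >= t - WINDOW}
            if len(recent) >= MIN_USERS:
                flagged[ip] = sorted({u for _, u in rows})
                break
    return flagged


if __name__ == "__main__":
    secret = b"example-shared-secret"  # constructed; real seeds are random bytes
    print("relay after 45 s accepted:", relayed_code_accepted(secret, 1000, 1045))
    print("relay after 150 s accepted:", relayed_code_accepted(secret, 1000, 1150))
    print("suspected relay addresses:", shared_relay_ips(EVENTS))
```

The first two calls print True and False: the server's own tolerance window, not any attacker trick, is what makes a 45-second relay succeed, which is why the gang had to watch its tooling live. The heuristic flags 203.0.113.9 and leaves the office address alone; pass known corporate egress addresses as `known_good_ips` to avoid flagging a shared VPN exit.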
Preventing initial access
Only enterprises that were able to prevent initial access were able to escape the long tentacles of Oktapus. Rather than waiting to detect and blacklist fraudulent domains, isolation technology creates a virtual air gap between users and the rest of the Internet, prohibiting them from entering their credentials. Isolation assumes that all known and unknown content is malicious, thus eliminating the need to make an allow or block decision at the point of click. Stopping this initial access shuts off any hope the attackers had of infiltrating the network and extracting data – effectively protecting enterprises.
As attacks continue to play out in real time, it’s becoming increasingly clear that taking a detect-and-respond approach to cybersecurity will not provide the level of protection enterprises need to stop today’s increasingly innovative malicious actors. No matter how smart your tools are or how comprehensive your threat intelligence is, they will never be enough. Attackers will always remain one step ahead. Preventing initial access through isolation technology is the only way to stop ransomware and other malware attacks in their tracks.