Recent vishing attacks on Okta have compromised several organizations, exposing millions of personal information records.
Okta learned of the campaign after the hacking group ShinyHunters claimed responsibility for the voice phishing (vishing) attacks and listed numerous companies on a Tor data leak site.
ShinyHunters used custom phishing kits in Okta vishing attacks
Confirming the ongoing vishing attacks, Okta has warned its customers that threat actors were using custom phishing kits to intercept credentials and bypass multifactor authentication (MFA) challenges.
According to the company, the attackers present contextual screens that sync with the target’s authentication flow to increase the likelihood of success. They also control the authentication pages their victims see while providing instructions over the phone to bypass MFA.
“They can be adapted on the fly by callers to control what pages are presented in the user’s browser, in order to sync with the caller’s script and whatever legitimate MFA challenges the caller is presented with as they attempt to sign-in,” the company said.
Subsequently, the vishing toolkits have evolved to meet the attackers’ need for real-time interaction with their victims. However, to increase the likelihood of success, the attackers must conduct reconnaissance to identify their preferred targets and learn their names, commonly used apps, and IT support phone numbers.
Crunchbase breached in Okta vishing attacks
Crunchbase has confirmed a data breach after the ShinyHunters threat group claimed it stole more than 2 million records from the market intelligence company. The cybercrime gang also published 400 MB of the stolen files after ransom negotiations failed.
Leaked details included personal information and corporate documents, including signed business contracts. However, Crunchbase says its systems were unaffected, and its business systems continued to operate normally.
“There’s a dangerous habit in breach response where people ask what was exploited instead of how the attacker behaved,” said Mayank Kumar, Founding AI Engineer at DeepTempo. “In the Crunchbase incident, the most important detail isn’t which files were taken, it’s that the activity looked legitimate long enough to succeed.”
Meanwhile, ShinyHunters has listed other alleged victims, including streaming platform SoundCloud and investment platform Betterment.
On January 13, SoundCloud confirmed the data breach and warned its users, employees, and partners of ongoing cyber extortion attempts by cybercriminals.
However, the music sharing platform insists that no sensitive personal information was stolen during the attack. Nevertheless, the attackers accessed the victims’ email addresses, which the streaming platform claims were publicly available. It also says that only 20% of its users were affected.
Betterment also confirmed a social engineering attack, with the attackers targeting cryptocurrency owners and attempting to trick them into transferring funds.
According to the automated investing and financial planning platform, no customer accounts were compromised. However, the hackers accessed personal information, including names, dates of birth, physical addresses, and email addresses. ShinyHunters claims to have stolen 20 million records from the company.
In response, Betterment launched an investigation with third-party cyber forensics, terminated the threat actor’s access, alerted law enforcement authorities, and notified impacted individuals. The company also advised impacted users to be on the lookout for unsolicited communications impersonating the company, especially those requesting confidential information, such as account passwords.
ShinyHunters has previously conducted similar vishing attacks targeting Salesforce and compromised dozens of organizations, including Google.
Meanwhile, Okta recommended implementing phishing-resistant MFA systems in corporate environments to prevent organizations from falling victim to vishing attacks.
Companies should also implement network zones and access control lists to prevent threat actors from leveraging anonymization services to mask their malicious activities. Real-time caller checks can also prevent vishing attacks by verifying the caller’s identity.

