
Multi-factor authentication (MFA) is widely promoted as an important, effective practice for cybersecurity. It requires users to identify themselves in at least two distinct steps – protecting against the impact of username and password theft.
Recent attacks have reminded organisations that while MFA is useful, it’s not infallible. And with more and more organisations and users implementing MFA, threat actors are exploring ways to use MFA itself to gain initial access.
A threat group called 0ktapus gained its tentacled name in 2022 – with a far-reaching phishing campaign that affected more than 130 companies, as reported by Threatpost.
In a blog post by threat intelligence firm Group-IB, researchers explained that the data they analysed suggests the threat actors initially targeted telecoms companies in order to gain access to targets’ phone numbers.
They then sent text messages containing phishing links to the targets – leading to landing pages that mimic the Okta authentication page, used by the targets’ employers. And there, the threat group recorded credentials and MFA codes entered by targets.
But Group-IB’s researchers were clear that after this initial access, the attackers planned to move on to a second phase: using company systems or mailing lists to enact supply chain attacks.
In early 2023, a leaked report showed that 0ktapus was back – this time targeting tech and gaming companies.
Via targeted attacks against employees at Cloudflare, Inc. (a US-based content delivery network firm) and Twilio (a US communications provider), over 130 organisations were affected in the 2022 0ktapus attacks – including 114 firms in the US, and another 68 across other countries. Authentication services provided by identity management company Okta, which is used by more than 16,000 companies worldwide, were a key step in the attackers’ strategy.
There’s an important education piece here for organisations and users. Like any security process, it’s crucial that organisations don’t simply implement the tech, and then leave it to do its work. It has to be monitored.
And users need to be educated about how MFA could be used in phishing attacks, and how to spot the signs that this could be happening – like receiving text messages or emails about login attempts or MFA codes that they didn’t request, or spotting unfamiliar locations in account activity.
It’s common practice now for organisations to teach users about password hygiene, and what makes a strong password. It needs to become common practice to do the same with MFA: users need to know that MFA can be compromised, how it might happen, and what it might look like.
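One way to monitor for the signs described above, as an added example that is not part of the original article: a Python check over constructed sign-in events that flags MFA challenges and logins from a country the user has not successfully signed in from before. The event names, fields and one-hour window are assumptions for illustration, not the schema of any particular identity provider.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): timestamp, user, event, country.
EVENTS = [
    ("2024-03-01T08:02:00", "alice", "login_success", "GB"),
    ("2024-03-02T08:05:00", "alice", "login_success", "GB"),
    ("2024-03-03T08:01:00", "alice", "login_success", "GB"),
    ("2024-03-03T08:20:00", "alice", "mfa_challenge", "RO"),
    ("2024-03-03T08:21:00", "alice", "login_success", "RO"),
    ("2024-03-01T09:00:00", "bob", "login_success", "US"),
    ("2024-03-04T09:00:00", "bob", "mfa_challenge", "US"),
    ("2024-03-04T09:01:00", "bob", "login_success", "US"),
]


def find_suspicious(events, window=timedelta(hours=1)):
    """Return alerts for MFA or login activity from a location new to the user."""
    seen = defaultdict(set)  # user -> countries of earlier trusted logins
    last_ok = {}             # user -> (time, country) of the last trusted login
    alerts = []
    for ts, user, event, country in sorted(events):  # ISO timestamps sort by time
        when = datetime.fromisoformat(ts)
        known = seen[user]
        if known and country not in known:
            reason = "unfamiliar location"
            prev = last_ok.get(user)
            # A trusted login shortly before makes a relayed session more likely.
            if prev and when - prev[0] <= window:
                minutes = int((when - prev[0]).total_seconds() // 60)
                reason += f", {minutes} min after login from {prev[1]}"
            alerts.append((ts, user, event, country, reason))
        elif event == "login_success":
            # Only unflagged logins extend the baseline, so a flagged
            # location stays flagged until an analyst clears it.
            seen[user].add(country)
            last_ok[user] = (when, country)
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(EVENTS):
        print(alert)
```

A user's first recorded login seeds their baseline, so this sketch needs some history before it can flag anything for that account.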