The Hunter Became The Hunted: Cloudflare Targeted By A Sophisticated Phishing Attack
Around the same time as a phishing attack targeted Twilio, Cloudflare saw a similar attempt to fool the company’s employees.
Cloudflare said individual employees fell for it.
Cloudflare asserts that "this was a sophisticated attack targeting employees and systems in such a way that we believe most organizations would be likely to be breached."
On July 20, over less than 1 minute, at least 76 employees received text messages on their personal and work phones. Even some employees’ family members were targeted.
Intricate Use Of Deception
"Alert!! Your Cloudflare schedule has been updated, Please tap Cloudflare-okta.com [malicious link] to view your changes," the text messages received by employees read.
Cloudflare hasn’t yet determined how the attacker assembled the list of employees’ phone numbers but reviewed access logs and found no sign of compromise.
Phishing messages came from four phone numbers associated with T-Mobile-issued SIM cards and pointed to an official-looking phishing domain registered less than 40 minutes before the phishing campaign began.
Cloudflare uses Okta as its identity provider. The phishing page was designed to look identical to a legitimate Okta login page and prompted visitors to enter their username and password.
Failed Attack Attempts
Cloudflare said, "We confirmed that three Cloudflare employees fell for the phishing message and entered their credentials."
Every employee at the company is issued a FIDO2-compliant security key from a vendor like YubiKey.
Cloudflare stated, "Since the hard keys are tied to users and implement origin binding, even a sophisticated, real-time phishing operation like this cannot gather the information necessary to log in to any of our systems."
"While the assailant strived to log in to our systems with the compromised username and password credentials, they could not get past the hard key requirement."
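The origin binding Cloudflare describes, shown as an added example (not Cloudflare's or Okta's code): the browser writes the real page origin into clientDataJSON and refuses an rpId that does not belong to that page, so a look-alike host cannot obtain an assertion the legitimate identity provider would accept even while relaying the provider's live challenge. The hostnames, the credential, and the HMAC standing in for the key's ECDSA signature are assumptions.

```python
import hashlib, hmac, json, secrets
# Constructed values: a hypothetical identity provider and a look-alike phishing host.
RP_ID = "login.example"
EXPECTED_ORIGIN = "https://login.example"
CRED = {"rp_id": RP_ID, "secret": b"authenticator-private-key-stand-in"}

def browser_get_assertion(page_origin, requested_rp_id, challenge, cred):
    """What the browser and security key do for navigator.credentials.get()."""
    host = page_origin.split("://", 1)[1].split("/", 1)[0]
    # The browser refuses an rpId that is not the page's domain or a parent of it.
    if host != requested_rp_id and not host.endswith("." + requested_rp_id):
        raise ValueError(f"SecurityError: rpId {requested_rp_id!r} invalid for {page_origin}")
    # The browser, not the page script, fills in the origin the user is really on.
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    auth_data = hashlib.sha256(requested_rp_id.encode()).digest() + b"\x01" + b"\0\0\0\0"
    # The key signs authData || SHA-256(clientDataJSON); HMAC stands in for ECDSA here.
    sig = hmac.new(cred["secret"], auth_data + hashlib.sha256(client_data).digest(),
                   hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}

def rp_verify(assertion, challenge, cred):
    """Relying-party checks; the origin and rpIdHash checks are the origin binding."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return "bad type or challenge"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return "origin mismatch"
    if assertion["authenticatorData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    expected = hmac.new(cred["secret"], assertion["authenticatorData"]
                        + hashlib.sha256(assertion["clientDataJSON"]).digest(),
                        hashlib.sha256).digest()
    return "ok" if hmac.compare_digest(expected, assertion["signature"]) else "bad signature"

def attempt(page_origin, requested_rp_id):
    """A real-time relay: the page forwards the RP's fresh challenge to the victim."""
    challenge = secrets.token_urlsafe(32)
    try:
        assertion = browser_get_assertion(page_origin, requested_rp_id, challenge, CRED)
    except ValueError as e:
        return f"browser refused: {e}"
    return rp_verify(assertion, challenge, CRED)

if __name__ == "__main__":
    print(attempt(EXPECTED_ORIGIN, RP_ID))                              # ok
    print(attempt("https://login-example.test", RP_ID))                 # browser refused: ...
    print(attempt("https://login-example.test", "login-example.test"))  # origin mismatch
```

The third case is the one a credential-relay phishing kit is left with: it can get an assertion bound to its own host, but the identity provider's origin and rpIdHash checks reject it.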
Twilio Data Breach
Phishers fooled some Twilio employees into providing their credentials and then used them to gain access to the company’s internal systems.
Twilio said, "More specifically, current and former employees recently reported receiving text messages purporting to be from our IT department."
The text message bodies indicated that the employee's password had expired, that their schedule had changed, and that they needed to log in to a URL the attacker controls.
"The text messages originated from US carrier networks. We worked with the US carriers to shut down the actors and worked with the hosting providers serving the malicious URLs to shut those accounts down."