In a blog post, Cloudflare revealed that the threat actor also attacked other companies, including Twilio. Earlier this week, Twilio announced it had suffered a data breach that affected a “limited number” of accounts. While the attacker successfully breached Twilio’s systems, Cloudflare said its Cloudflare One products and its use of FIDO2-compliant hardware security keys prevented the hacker from accessing its databases.
Advanced SMS Phishing Campaign
The Cloudflare security team received reports of the attack on July 20. The attacker sent “legitimate-looking” SMS messages to Cloudflare employees and their relatives, directing them to a phishing page disguised to look like the Cloudflare Okta login page. When they clicked the link, a login page identical to Okta’s opened, and the employees were prompted to provide their credentials. Cloudflare said three employees fell for the phishing scam and entered their login details. However, because it uses physical security keys, the threat actor could not complete the login process and access its systems.

Cloudflare’s investigation revealed that the phishing messages came from four US phone numbers associated with T-Mobile SIM cards. The company also discovered that the fake Okta login page was hosted on DigitalOcean’s cloud systems, and that the hacker had registered the domain associated with the page with Porkbun less than 40 minutes before the attack. Because the copycat domain was so newly registered, Cloudflare said its domain-hijacking detection tool had not yet detected it and shut it down. Following this attack, Cloudflare is fine-tuning its systems to “restrict or sandbox” domains registered within the previous 24 hours.
Real-Time Attack
What distinguishes this phishing attack from others is that stolen data was relayed in real time. “When the phishing page was completed by a victim, the credentials were immediately relayed to the attacker via the messaging service Telegram,” Cloudflare researchers explained. This way, the attacker could receive time-based one-time password (TOTP) codes from victims while they were still valid, which would allow them to bypass the defenses of two-factor authentication (2FA) and possibly compromise an entire organization.

The attacker was not only after access to the companies’ databases. Cloudflare explained that after getting the login credentials and OTP codes from victims, the phishing page downloaded a payload onto their device. The payload included AnyDesk, remote access software that would allow the hacker to control the victim’s device. Cybercriminals usually employ powerful RATs (remote access trojans) to facilitate this.

Cloudflare said it found no obvious signs that its systems had been compromised. The company has blocked the phishing domains, audited its service access logs, and updated its threat detection systems with “additional signals” to identify this hacker. Cloudflare said it also reset the compromised credentials and is scanning the devices of employees who fell for the phishing scam. At this time, it is unclear how the hacker obtained the phone numbers of Cloudflare employees and their relatives in order to target them.
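To make concrete why a relayed TOTP code is accepted by the real site while a relayed FIDO2 response is not, here is an added Python sketch (not Cloudflare’s code; the origin strings, challenge values and key seeds are constructed, and an HMAC stands in for the authenticator’s ECDSA signature because the standard library has no ECDSA):

```python
import hashlib, hmac, json, struct, time

# Constructed stand-ins: the page names neither the real Okta hostname nor the lookalike domain.
LEGIT_ORIGIN = "https://example-tenant.okta.com"
LOOKALIKE_ORIGIN = "https://example-tenant-okta.example"

def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, then dynamic truncation."""
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp_login(secret: bytes, code_submitted: str, at: float) -> bool:
    """The real site only checks that the code matches the current window; it cannot
    tell that the code was typed into a phishing page seconds earlier."""
    return hmac.compare_digest(totp(secret, at), code_submitted)

def authenticator_assert(cred_key: bytes, browser_origin: str, challenge: str) -> dict:
    """FIDO2/WebAuthn: the browser, not the user, writes the origin it is really on into
    clientDataJSON, and the security key signs over it (HMAC stands in for ECDSA here)."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": browser_origin}).encode()
    sig = hmac.new(cred_key, client_data, hashlib.sha256).hexdigest()
    return {"clientDataJSON": client_data, "signature": sig}

def fido_login(cred_key: bytes, assertion: dict, challenge: str) -> bool:
    """Relying-party check: the signature must verify AND the signed origin and
    challenge must be the ones the real site expects."""
    data = json.loads(assertion["clientDataJSON"])
    if (data.get("type") != "webauthn.get" or data.get("origin") != LEGIT_ORIGIN
            or data.get("challenge") != challenge):
        return False
    expected = hmac.new(cred_key, assertion["clientDataJSON"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, assertion["signature"])

def relay_outcomes(secret: bytes, cred_key: bytes, now: float) -> tuple:
    """Victim completes both factors on the lookalike page and each response is forwarded
    to the real site inside the same 30-second window. Returns (totp_accepted, fido_accepted)."""
    forwarded_code = totp(secret, now)              # typed by the victim, forwarded unchanged
    challenge = "constructed-challenge-0001"        # the real site's challenge, proxied through
    forwarded_assertion = authenticator_assert(cred_key, LOOKALIKE_ORIGIN, challenge)
    return totp_login(secret, forwarded_code, now), fido_login(cred_key, forwarded_assertion, challenge)

def legit_outcome(cred_key: bytes) -> bool:
    """Same key and challenge, but the browser is on the real origin."""
    challenge = "constructed-challenge-0002"
    return fido_login(cred_key, authenticator_assert(cred_key, LEGIT_ORIGIN, challenge), challenge)

if __name__ == "__main__":
    print(relay_outcomes(b"constructed-totp-seed", b"constructed-cred-key", time.time()))  # (True, False)
    print(legit_outcome(b"constructed-cred-key"))  # True
```

The TOTP factor is defeated purely by speed, whereas the FIDO2 response fails because the lookalike origin is baked into the signed data, which is the property the page credits with stopping the login.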
Phishing Remains a Major Threat
Phishing and its various forms, such as Business Email Compromise (BEC), remain a major threat to organizations. This year, we’ve reported on numerous phishing attacks, including one that exposed the data of up to 50,000 Spirit Super members. “This was a sophisticated attack targeting employees and systems in such a way that we believe most organizations would be likely to be breached …” Cloudflare said. The company has reached out to other organizations to share information about the attack. If you encounter similar attacks, you can reach out to the Cloudflare security team via cloudforceone-irhelp@cloudflare.com. To learn more about phishing and how to protect yourself from such attacks, check out our guide to phishing.