Hackers Behind Twilio Breach Also Targeted Cloudflare Employees

Web infrastructure company Cloudflare on Tuesday disclosed that at least 76 employees and their family members received text messages on their personal and work phones bearing characteristics similar to those of the sophisticated phishing attack against Twilio.

The attack, which transpired around the same time Twilio was targeted, came from four phone numbers associated with T-Mobile-issued SIM cards and was ultimately unsuccessful.

The text messages pointed to a seemingly legitimate domain containing the keywords “Cloudflare” and “Okta” in an attempt to deceive the employees into handing over their credentials.

The wave of over 100 smishing messages commenced less than 40 minutes after the rogue domain was registered via Porkbun, the company noted, adding that the phishing page was designed to relay the credentials entered by unsuspecting users to the attacker via Telegram in real time.

This also meant that the attack could defeat 2FA roadblocks: the Time-based One-Time Password (TOTP) codes entered on the fake landing page were relayed in the same way, enabling the adversary to sign in with the stolen passwords and TOTPs before the codes expired.

Cloudflare said three of its employees fell for the phishing scheme, but noted that it was able to prevent its internal systems from being breached through the use of FIDO2-compliant physical security keys required to access its applications.

“Since the hard keys are tied to users and implement origin binding, even a sophisticated, real-time phishing operation like this cannot gather the information necessary to log in to any of our systems,” Cloudflare said.

“While the attacker attempted to log in to our systems with the compromised username and password credentials, they could not get past the hard key requirement.”
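Why the relay worked for TOTP but not for the hard keys comes down to what each factor signs. The following Python simulation is an added example, not Cloudflare's or Twilio's code: a TOTP code is a function of a shared secret and the time only, so a code typed into the fake page verifies at the real site, whereas a WebAuthn assertion is signed over the origin the browser actually loaded, which the relying party checks. HMAC stands in for the authenticator's ECDSA signature, and the domains, secrets and challenge are constructed placeholders.

```python
import hashlib, hmac, json, struct

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1). Nothing in the code binds it to a site."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def rp_verify_totp(secret: bytes, code: str, at: int) -> bool:
    return hmac.compare_digest(totp(secret, at), code)

# Simplified WebAuthn: HMAC with a per-credential key stands in for the
# authenticator's ECDSA signature (assumption); the signed data layout is real.
def browser_assert(cred_key: bytes, page_origin: str, challenge: str, rp_id: str) -> dict:
    # The browser, not the page script, writes the origin into clientDataJSON.
    cdj = json.dumps({"type": "webauthn.get", "challenge": challenge,
                      "origin": page_origin}, sort_keys=True).encode()
    signed = hashlib.sha256(rp_id.encode()).digest() + hashlib.sha256(cdj).digest()
    return {"client_data_json": cdj,
            "signature": hmac.new(cred_key, signed, hashlib.sha256).digest()}

def rp_verify_webauthn(cred_key: bytes, a: dict, origin: str, challenge: str, rp_id: str) -> bool:
    cd = json.loads(a["client_data_json"])
    if cd.get("origin") != origin or cd.get("challenge") != challenge:
        return False  # origin binding: an assertion made on another site is refused
    signed = hashlib.sha256(rp_id.encode()).digest() + hashlib.sha256(a["client_data_json"]).digest()
    return hmac.compare_digest(hmac.new(cred_key, signed, hashlib.sha256).digest(), a["signature"])

def simulate_relay(now: int = 1_660_000_000) -> dict:
    totp_secret, cred_key = b"constructed-totp-secret", b"constructed-credential-key"
    real, fake = "https://login.example.com", "https://example-okta.invalid"  # constructed
    # TOTP: victim types the code into the fake page, attacker forwards it in time.
    totp_relayed = rp_verify_totp(totp_secret, totp(totp_secret, now), now)
    # WebAuthn: the real RP's challenge is forwarded to the victim's browser, which
    # is on the fake origin, so the assertion is signed over origin=fake.
    challenge = "constructed-challenge"
    assertion = browser_assert(cred_key, fake, challenge, "example.com")
    webauthn_relayed = rp_verify_webauthn(cred_key, assertion, real, challenge, "example.com")
    # Rewriting the origin field before forwarding breaks the signature instead.
    tampered = dict(assertion, client_data_json=assertion["client_data_json"]
                    .replace(fake.encode(), real.encode()))
    webauthn_tampered = rp_verify_webauthn(cred_key, tampered, real, challenge, "example.com")
    return {"totp_relayed": totp_relayed, "webauthn_relayed": webauthn_relayed,
            "webauthn_tampered": webauthn_tampered}

if __name__ == "__main__":
    print(simulate_relay())
```

The same origin check is why a relying party must always compare `clientDataJSON.origin` against its expected origin rather than trusting the signature alone.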

What’s more, the attacks didn’t just stop at stealing the credentials and TOTP codes. Should an employee get past the login step, the phishing page was engineered to automatically download AnyDesk’s remote access software, which, if installed, could be used to commandeer the victim’s system.

Besides working with DigitalOcean to shut down the attacker’s server, the company also said it reset the credentials of the impacted employees and that it’s tightening up its access implementation to prevent any logins from unknown VPNs, residential proxies, and infrastructure providers.

The development comes days after Twilio said unknown hackers succeeded in phishing the credentials of an undisclosed number of employees and gained unauthorized access to the company’s internal systems, which they then used to get hold of customer accounts.
