Hackers behind Twilio data breach also targeted Cloudflare employees

Cloudflare revealed that at least 76 employees and their family members were targeted by smishing attacks similar to the one that hit Twilio.

The content delivery network and DDoS mitigation company Cloudflare revealed this week that at least 76 employees and their family members received text messages on their personal and work phones.

According to the company, the attack is very similar to the one that recently targeted the Communications company Twilio.

“Yesterday, August 8, 2022, Twilio shared that they’d been compromised by a targeted phishing attack. Around the same time as Twilio was attacked, we saw an attack with very similar characteristics also targeting Cloudflare’s employees.” reads the announcement published by Cloudflare. “While individual employees did fall for the phishing messages, we were able to thwart the attack through our own use of Cloudflare One products, and physical security keys issued to every employee that are required to access all our applications.”

Cloudflare pointed out that its systems were not compromised, it also added that its Cloudforce One threat intelligence team was able to perform additional analysis of the attack.

The experts believe that this is a sophisticated attack targeting employees and systems of multiple organizations,

On July 20, 2022, the company received reports of employees receiving text messages containing links to what appeared to be a Cloudflare Okta login page. The company uses Okta as its identity provider and messages include a link to a phishing page that was designed to look identical to a legitimate Okta login page.  The attackers sent the messages to at least 76 employees in less than 1 minute, but the company security team was not able to determine how the threat actors obtained the list of employees’ phone numbers.

“They came from four phone numbers associated with T-Mobile-issued SIM cards: (754) 268-9387, (205) 946-7573, (754) 364-6683 and (561) 524-5989. They pointed to an official-looking domain: cloudflare-okta.com.” continues the report. “That domain had been registered via Porkbun, a domain registrar, at 2022-07-20 22:13:04 UTC — less than 40 minutes before the phishing campaign began.”

Once the recipient of the message has provided his credentials through the phishing page, the credentials were immediately sent to the attacker via the messaging service Telegram. Experts states that the real-time relay was crucial for the attackers because the phishing page would also prompt for a Time-based One Time Password (TOTP) code. Once obtained this info the attackers can access the victim company’s actual login page.

According to Cloudflare, only three employees fell for the phishing message and entered their credentials. However, the company does not use TOTP codes, instead, its employees use a FIDO2-compliant security YubiKey key. This means that without the hardware key, attackers cannot access the company systems even knowing the credentials.

Researchers also discovered that in some cases the phishing page was used to deliver the malicious payloads, including AnyDesk’s remote access software. The software would allow an attacker to control the victim’s machine remotely.

“We confirmed that none of our team members got to this step. If they had, however, our endpoint security would have stopped the installation of the remote access software.” concludes Cloudflare.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, smishing)

[adrotate banner=”5″]

[adrotate banner=”13″]