Hardware MFA Stops Attack on CloudflareAttack That Affected Twilio Was Not Effective Against Cloudflare
Cloudflare is touting hardware multifactor authentication as the saving grace that protected it from a targeted phishing attack, unlike tech colleagues down the street at virtual communications firm Twilio.
The internet infrastructure company says the same attackers that went after Twilio last week also sent Cloudflare employees malicious SMS messages with links to phishing sites dressed up as an official company website.
The difference? Despite employees at both San Francisco-based companies taking the bait, Cloudflare said attackers were unable to snatch the full logon credentials of its workers. That's because the company's second layer of authentication isn't time-limited one-time codes, such as those from a second-factor app.
"Instead, every employee at the company is issued a FIDO2-compliant security key from a vendor like YubiKey," the company says.
Cloudflare reports that at least 76 of its employees received phishing text messages on their mobile phones on July 20, from four T-Mobile-issued SIM card numbers.
Although the attackers siphoned the credentials, the hard key authentication requirement stopped them from snatching a soft token that fooled employees otherwise would have entered into the phishing site.
Dissecting the Phishing Campaign
Cloudflare uses Okta as an identity provider for services that manage user accounts. Okta enables end users to self-register with custom applications by initially authenticating with a social account or a smart card. The attackers precisely leveraged this service in their phishing messages.
The text in the phishing messages contained a legitimate-looking link
cloudflare-okta.com, which Cloudflare says was registered less than an hour before the phishing campaign began. The link directed to an identical yet fake Okta login page for Cloudflare that prompted the visitors to enter their login credentials.
At the back end, the attackers had a real-time relay system in place to bypass two-factor authentication security. They used the instant messaging service Telegram to transmit credentials followed with the relay of a one-time password code as soon as the victim entered them on the phishing page.
The phishing page also downloaded a payload that included AnyDesk's remote access software. If installed, this would have granted the attacker complete remote access to the victim's machine. None of Cloudflare's employees reached this step, the company says.
In response to this campaign and to plug the gaps in its systems for avoiding any similar future episodes, the company has now taken multiple measures that include:
- Blocking the phishing domain using Cloudflare Gateway;
- Making adjustments to Cloudflare Gateway settings to restrict or sandbox access to sites running on domains that were registered within the last 24 hours;
- Identifying and resetting compromised employee credentials;
- Updating threat actor-specific detections to identify further attack attempts;
- Auditing access logs of all systems to find additional indications of attack.
Like Twilio, Cloudflare's investigation found indicators that the attacker was targeting other organizations too. The company has contacted these organizations and shared their intelligence with them. Twilio's data breach notification says the threat actors are hopscotching through wireless providers and hosting providers as launching pads for their attacks.