Hardware MFA Stops Attack on Cloudflare
Attack That Affected Twilio Was Not Effective Against Cloudflare
Cloudflare is touting hardware multifactor authentication as the saving grace that protected it from a targeted phishing attack, unlike tech colleagues down the street at virtual communications firm Twilio.
The internet infrastructure company said the same attackers that went after Twilio last week also sent Cloudflare employees malicious SMS messages with links to phishing sites dressed up as an official company website.
The difference? Although employees at both San Francisco-based companies took the bait, Cloudflare said the attackers were unable to capture a complete set of working logon credentials from its workers. That's because the company's second authentication factor is not a time-limited one-time code, such as one generated by an authenticator app.
"Instead, every employee at the company is issued a FIDO2-compliant security key from a vendor like YubiKey," the company said.
Cloudflare reports that at least 76 of its employees received phishing text messages on their mobile phones on July 20, sent from four phone numbers tied to T-Mobile-issued SIM cards.
Although the attackers siphoned the usernames and passwords, the hardware key requirement stopped them there: with no soft token in use, the fooled employees had no one-time code to enter into the phishing site for the attackers to relay.
Dissecting the Phishing Campaign
Cloudflare uses Okta as an identity provider for services that manage user accounts. Okta lets end users self-register with custom applications by first authenticating with a social account or a smart card. It was exactly this Okta login flow that the attackers impersonated in their phishing messages.
The text in the phishing messages contained a legitimate-looking link, cloudflare-okta.com, which Cloudflare said was registered less than an hour before the phishing campaign began. The link directed to a fake Okta login page for Cloudflare, identical to the real one, that prompted visitors to enter their login credentials.
At the back end, the attackers had a real-time relay system in place to bypass two-factor authentication. As soon as a victim entered credentials on the phishing page, they were transmitted over the instant messaging service Telegram, followed immediately by any one-time password code the victim typed, so the attackers could replay both against the real login before the code expired.
The phishing page also downloaded a payload that included AnyDesk's remote access software. If installed, this would have granted the attacker complete remote access to the victim's machine. None of Cloudflare's employees reached this step, the company said.
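The mechanics described above, the real-time relay of a one-time code versus a FIDO2 key bound to the page's origin, are easy to misread from prose alone. The following Python simulation is an added example, not code from Cloudflare, Okta or the original article. It models a TOTP code captured on a phishing page and forwarded within its validity window (the relay succeeds), and a simplified WebAuthn assertion flow in which the browser derives the relying-party ID from the page origin the user is actually on, so a key that holds a credential only for the legitimate origin produces nothing usable on cloudflare-okta.com (the relay fails). The legitimate origin `https://login.example-corp.test`, the secret bytes and the HMAC "signature" standing in for the authenticator's asymmetric key are all constructed for the demo; the phishing domain is the one named on the page.

```python
"""Added simulation: why a real-time credential relay defeats TOTP but not FIDO2.

Constructed values only. The authenticator's signature is an HMAC stand-in
for a real private-key signature; that simplification does not change the
origin / RP-ID binding the example is about.
"""
import hashlib
import hmac
import json
import secrets
import struct
from urllib.parse import urlparse

LEGIT_ORIGIN = "https://login.example-corp.test"   # constructed legitimate IdP origin
PHISHING_ORIGIN = "https://cloudflare-okta.com"      # phishing domain named in the article
STEP = 30                                            # TOTP time step in seconds


# ---------- Soft token: TOTP per RFC 6238 ----------
def totp(secret: bytes, t: int, digits: int = 6) -> str:
    """Standard HOTP over the current 30-second counter."""
    counter = struct.pack(">Q", t // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_verify(secret: bytes, code: str, t: int, skew: int = 1) -> bool:
    """Servers normally accept the current step plus one step either side."""
    return any(hmac.compare_digest(totp(secret, t + k * STEP), code)
               for k in range(-skew, skew + 1))


def totp_relay_succeeds(secret: bytes, victim_time: int, relay_delay: int = 5) -> bool:
    """Victim types the code into the phishing page; attacker forwards it seconds later."""
    captured = totp(secret, victim_time)
    return totp_verify(secret, captured, victim_time + relay_delay)


# ---------- Hardware key: simplified WebAuthn ----------
def rp_id_from_origin(origin: str) -> str:
    """The browser, not the page, derives the RP ID from the actual origin."""
    return urlparse(origin).hostname


class Authenticator:
    """A FIDO2 key: credentials are scoped to the RP ID they were registered for."""
    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}

    def register(self, origin: str) -> bytes:
        rp_id = rp_id_from_origin(origin)
        self._keys[rp_id] = secrets.token_bytes(32)
        return self._keys[rp_id]          # what the RP stores (public key in reality)

    def authenticate(self, origin: str, challenge: str):
        rp_id = rp_id_from_origin(origin)
        key = self._keys.get(rp_id)
        if key is None:
            return None                   # no credential for this RP ID: nothing to sign
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": origin}).encode()
        auth_data = hashlib.sha256(rp_id.encode()).digest()
        signed = auth_data + hashlib.sha256(client_data).digest()
        return {"client_data": client_data, "auth_data": auth_data,
                "signature": hmac.new(key, signed, hashlib.sha256).digest()}


class RelyingParty:
    """Server side: checks origin, RP ID hash, fresh challenge and signature."""
    def __init__(self, origin: str) -> None:
        self.origin = origin
        self.rp_id = rp_id_from_origin(origin)
        self.stored_key = b""
        self.challenges: set[str] = set()

    def new_challenge(self) -> str:
        c = secrets.token_hex(16)
        self.challenges.add(c)
        return c

    def verify(self, assertion) -> bool:
        if assertion is None:
            return False
        cd = json.loads(assertion["client_data"])
        if cd.get("type") != "webauthn.get" or cd.get("origin") != self.origin:
            return False                  # signed for another origin: reject
        if cd.get("challenge") not in self.challenges:
            return False
        if assertion["auth_data"] != hashlib.sha256(self.rp_id.encode()).digest():
            return False
        signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
        expected = hmac.new(self.stored_key, signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return False
        self.challenges.discard(cd["challenge"])   # single use
        return True


def legitimate_login(rp: RelyingParty, key: Authenticator) -> bool:
    return rp.verify(key.authenticate(rp.origin, rp.new_challenge()))


def fido_relay_succeeds(rp: RelyingParty, key: Authenticator, phishing_origin: str) -> bool:
    """Proxy fetches a real challenge and presents it on the phishing page."""
    challenge = rp.new_challenge()
    return rp.verify(key.authenticate(phishing_origin, challenge))


def demo() -> dict:
    key = Authenticator()
    rp = RelyingParty(LEGIT_ORIGIN)
    rp.stored_key = key.register(LEGIT_ORIGIN)
    return {"totp_relay": totp_relay_succeeds(b"constructed-shared-secret", 1_700_000_000),
            "fido_login": legitimate_login(rp, key),
            "fido_relay": fido_relay_succeeds(rp, key, PHISHING_ORIGIN)}


if __name__ == "__main__":
    print(demo())
```

The two failure points for the relay are visible in the code: the authenticator holds no credential for the RP ID derived from the phishing origin, so it produces no assertion at all, and even if it did, the relying party rejects any `client_data` whose origin is not its own. A TOTP code carries no such binding, which is why forwarding it within the 30-second window works.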
Measures Taken
In response to this campaign, and to close the gaps it exposed so that similar incidents can be prevented, the company has taken multiple measures that include:
- Blocking the phishing domain using Cloudflare Gateway;
- Making adjustments to Cloudflare Gateway settings to restrict or sandbox access to sites running on domains that were registered within the last 24 hours;
- Identifying and resetting compromised employee credentials;
- Updating threat actor-specific detections to identify further attack attempts;
- Auditing access logs of all systems to find additional indications of attack.
Like Twilio, Cloudflare's investigation found indicators that the attacker was targeting other organizations too. The company has contacted these organizations and shared its intelligence with them. Twilio's data breach notification says the threat actors are hopscotching through wireless carriers and hosting providers, using them as launching pads for their attacks.