Phishers who breached Twilio and fooled Cloudflare could easily get you, too

An advanced threat actor who had possession of home phone numbers of employees and their family members was behind the attack on two security-sensitive companies.

The company said that the unknown hackers gained unauthorized access to the company's internal systems after they tricked a number of employees into giving up their credentials. A number of customer accounts were used by the threat actor.

Cloudflare, which is based in San Francisco, revealed it had also been targeted in the same way. The company's use of hardware-based keys prevented would-be attackers from gaining access to its network, despite three employees falling for the scam.

Well-organized, sophisticated, methodical

The attackers obtained the home and work phone numbers of both employees and their family members. The attackers sent text messages that looked like they were from the company. There were false claims made such as a change in an employee's schedule or the password they used to log in to their work account. When an employee entered credentials into the fake site, it initiated the download of a phish that would install remote desktop software from AnyDesk

The threat actor did a great job. 76 employees got a message in the first minute after the attacks. Some of the phone numbers that sent the messages were owned by T-Mobile. The domain that was used in the attack had only been registered 40 minutes before.

Advertisement

We have reason to believe that the threat actors are well-organized, sophisticated, and methodical. We haven't identified the specific threat actors at work yet, but we've been in contact with law enforcement. By their nature, socially engineered attacks are complex, advanced, and built to challenge even the most advanced defenses.

The CEO, senior security engineer and incident response leader had the same take.

Most organizations would be likely to be breached by this sophisticated attack targeting employees and systems. We wanted to give a rundown of what we saw in order to help other companies recognize and mitigate the attack.

The phishers did not know how to get employee numbers.

Even though three of its employees fell for the scam, Cloudflare kept its systems safe. The company uses hardware-based security keys that comply with the FIDO2 standard. It would have been different if the company had used one-time passwords from sent text messages.

The officials from Cloudflare gave an explanation.

When the phishing page was completed by a victim, the credentials were immediately relayed to the attacker via the messaging service Telegram. This real-time relay was important because the phishing page would also prompt for a Time-based One Time Password (TOTP) code.

Presumably, the attacker would receive the credentials in real-time, enter them in a victim company’s actual login page, and, for many organizations that would generate a code sent to the employee via SMS or displayed on a password generator. The employee would then enter the TOTP code on the phishing site, and it too would be relayed to the attacker. The attacker could then, before the TOTP code expired, use it to access the company’s actual login page — defeating most two-factor authentication implementations.

We confirmed that three Cloudflare employees fell for the phishing message and entered their credentials. However, Cloudflare does not use TOTP codes. Instead, every employee at the company is issued a FIDO2-compliant security key from a vendor like YubiKey. Since the hard keys are tied to users and implement origin binding, even a sophisticated, real-time phishing operation like this cannot gather the information necessary to log in to any of our systems. While the attacker attempted to log in to our systems with the compromised username and password credentials, they could not get past the hard key requirement.

The employees who fell for the scam were not disciplined by the company.

Advertisement

It is important for security to have a paranoid but blame-free culture. Three employees were not reprimanded for falling for a scam. Humans make mistakes. We have to report them and not cover them up.