At least two security-sensitive companies – Twilio and Cloudflare – were targeted by a phishing attack by a sophisticated threat actor who possessed the phone numbers of not only employees, but also employees’ relatives.
In the case of Twilio, a San Francisco-based provider of two-factor authentication and communications services, the unknown attackers phished the credentials of an undisclosed number of employees and used them to gain unauthorized access to the company’s internal systems, the company said. The threat actor then used that access to reach data in an undisclosed number of customer accounts.
Two days after Twilio’s disclosure, content delivery network Cloudflare, also headquartered in San Francisco, revealed that it had been attacked in a similar fashion. Cloudflare said three of its employees fell for the phishing scam, but the company’s use of hardware-based MFA keys prevented the would-be intruders from accessing its internal network.
Well Organized, Refined, Methodical
In both cases, the attackers somehow obtained the home and work phone numbers of employees and, in some cases, of their relatives. The attackers then sent text messages disguised as official company communications. The messages made false claims, such as that an employee’s schedule had changed or that the password they used to log into their work account had been changed. After an employee entered credentials on the fake site, the site initiated the download of a phishing payload that, when clicked, installed remote desktop software from AnyDesk.
The threat actor executed the attack with near-surgical precision. At least 76 employees received a message in the first minute of the attack on Cloudflare. The messages came from various T-Mobile phone numbers. The domain used in the attack had been registered just 40 minutes earlier, evading the domain protection Cloudflare uses to detect scam sites.
“Based on these factors, we have reason to believe that the threat actors are well-organized, sophisticated and methodical in their actions,” Twilio wrote. “We have not yet identified the specific threat actors at work here, but have been reaching out to law enforcement agencies in our efforts. Social engineering attacks are – by their very nature – complex, sophisticated and built to challenge even the most sophisticated defenses.”
Matthew Prince, Daniel Stinson-Diess and Sourov Zaman — Cloudflare’s CEO, a senior security engineer and its incident response lead, respectively — had a similar view.
“This was a sophisticated attack that targeted employees and systems in a way that we believe would breach most organizations,” they wrote. “Since the attacker is targeting multiple organizations, we wanted to provide an overview of exactly what we saw here to help other companies recognize and mitigate this attack.”
Twilio and Cloudflare said they don’t know how the phishers got employee numbers.
It’s notable that, despite three of its employees falling for the scam, Cloudflare’s systems were not breached. The company’s use of hardware security keys that implement the FIDO2 standard for MFA was the critical reason. If the company had relied on one-time passwords sent by text message, or even on codes generated by an authenticator app, it probably would have been a different story.
The Cloudflare officials explained:
When the phishing page was completed by a victim, the credentials were immediately forwarded to the attacker via the Telegram messaging service. This real-time relay was important because the phishing page would also ask for a Time-based One Time Password (TOTP) code.
Presumably, the attacker would receive the credentials in real time, enter them into a victim company’s actual login page and, for many organizations, generate a code that is sent to the employee via SMS or displayed on a password generator. The employee would then enter the TOTP code into the phishing site, and it would also be passed on to the attacker. Before the TOTP code expires, the attacker can then use it to access the company’s actual login page, defeating most implementations of two-factor authentication.
We’ve confirmed that three Cloudflare employees fell for the phishing message and entered their credentials. However, Cloudflare does not use TOTP codes. Instead, every employee of the company gets a FIDO2-compliant security key from a vendor like YubiKey. Because the hard keys are tied to users and implement origin binding, even a sophisticated, real-time phishing operation like this can’t collect the information needed to log into one of our systems. Although the attacker attempted to log into our systems with the compromised username and password information, they were unable to pass the hard key requirement.
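To make concrete why the real-time relay described above defeats TOTP but not FIDO2, here is an added simulation (example code written for this page, not Cloudflare’s or Twilio’s own): a minimal RFC 6238 TOTP check, and a WebAuthn-style assertion check reduced to its origin binding. The origin names are constructed, and an HMAC stands in for the security key’s per-site signature because only the binding matters here.

```python
import hmac, hashlib, struct, json

# --- TOTP (RFC 6238, HMAC-SHA1, 30 s step), as produced by most authenticator apps ---
def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", t // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

def totp_login(server_secret: bytes, submitted_code: str, now: int) -> bool:
    # The server only checks the code against the current time window. Nothing in
    # the code records WHERE the user typed it, so a relayed code looks legitimate.
    return hmac.compare_digest(totp(server_secret, now), submitted_code)

def totp_relay(shared_secret: bytes, now: int) -> bool:
    # Constructed scenario: the victim types the code into the look-alike page and
    # the phisher forwards it to the real login page a few seconds later.
    code_typed_into_fake_page = totp(shared_secret, now)
    return totp_login(shared_secret, code_typed_into_fake_page, now + 5)

# --- FIDO2 / WebAuthn assertion, reduced to the origin-binding check ---
def authenticator_sign(cred_key: bytes, challenge: bytes, browser_origin: str) -> dict:
    # The BROWSER fills in clientData.origin from the page it is actually on; the
    # page's own script cannot override it. (A real key would also refuse to sign
    # at all, since its credential is scoped to the legitimate rpId.)
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": browser_origin}).encode()
    sig = hmac.new(cred_key, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return {"client_data": client_data, "signature": sig}

def fido_login(cred_key: bytes, expected_origin: str, challenge: bytes, assertion: dict) -> bool:
    # Relying party: the origin and challenge must match, and the signature must
    # cover the exact clientData that carries them.
    cd = json.loads(assertion["client_data"])
    if cd.get("origin") != expected_origin or cd.get("challenge") != challenge.hex():
        return False
    expected = hmac.new(cred_key, hashlib.sha256(assertion["client_data"]).digest(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])

REAL_ORIGIN = "https://corp-login.example"        # constructed legitimate origin
FAKE_ORIGIN = "https://corp-login-sso.example"    # constructed look-alike origin

def fido_relay(cred_key: bytes, challenge: bytes) -> bool:
    # Phisher relays the real site's challenge; the victim's browser is on the
    # look-alike origin, so the assertion is bound to it and the real site rejects it.
    assertion = authenticator_sign(cred_key, challenge, FAKE_ORIGIN)
    return fido_login(cred_key, REAL_ORIGIN, challenge, assertion)
```

Running `totp_relay` returns True while `fido_relay` returns False for the same relay timing, which is the difference the Cloudflare write-up describes.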
Cloudflare went on to say that it was not disciplining the employees who fell for the scam, and explained why.
“Having a paranoid but guilt-free culture is critical to security,” the officials wrote. “The three employees who fell for the phishing scam were not reprimanded. We are all human and we make mistakes. It is critical that we report this and not hide it.”