Hackers Involved in Twilio Breach Also Targeted Cloudflare Employees

Cloudflare Exposes Phishing Attempt Targeting Employees Amid Twilio Data Breach

On Tuesday, Cloudflare, a leading web infrastructure provider, revealed a sophisticated phishing attack that affected at least 76 employees and their family members. The incident involved text messages sent to personal and work phones, resembling a previously reported phishing operation against Twilio, a competitor that recently suffered a serious breach.

The phishing attempt coincided with the Twilio attack and originated from four phone numbers linked to T-Mobile-issued SIM cards. Fortunately, this campaign proved unsuccessful, as Cloudflare’s internal safeguards remained intact. The fraudulent messages directed employees to a seemingly legitimate domain containing the terms “Cloudflare” and “Okta,” designed to trick individuals into providing their login credentials.

Less than 40 minutes after the rogue domain’s registration through Porkbun, Cloudflare’s employees received an onslaught of over 100 “smishing” messages. The phishing setup was engineered to relay any credentials entered by unsuspecting victims to the attacker via Telegram, essentially in real time. This design allowed the attackers to circumvent two-factor authentication (2FA) based on one-time codes: Time-based One-Time Password (TOTP) codes entered on the fraudulent page were forwarded to the attackers as well, who could then log in with the stolen credentials before the code expired.

Three Cloudflare employees did fall victim to the scheme and entered their credentials. However, the company’s use of FIDO2-compliant physical security keys prevented those credentials from being used to breach internal systems. Cloudflare emphasized that these security keys, which require user verification and implement origin binding, render any information collected during such phishing attempts useless for logging into its systems.
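Why relaying a TOTP code works while relaying a FIDO2 assertion does not, as an added example that is not part of the original article: a toy relying party verifies both factors. The TOTP part follows RFC 6238; the WebAuthn part is simplified (an HMAC with a per-credential key stands in for the authenticator’s ECDSA signature, and authenticatorData is omitted), and all origins, seeds and challenges are constructed values.

```python
import base64, hashlib, hmac, json, struct, time

RP_ORIGIN = "https://sso.example"                 # constructed: the legitimate SSO origin
PHISH_ORIGIN = "https://cloudflare-okta.example"  # constructed lookalike, stands in for the rogue domain
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"       # constructed TOTP seed (the RFC 6238 test key)
CRED_KEY = b"constructed-per-credential-key"      # stand-in for the FIDO2 credential key pair

# --- TOTP (RFC 6238, HMAC-SHA1, 30 s step): nothing binds the code to the page it was typed on.
def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", at // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

def rp_verify_totp(secret_b32: str, submitted: str, at: int) -> bool:
    # The RP only sees six digits; a code typed on a lookalike page and forwarded
    # within the 30 s window is indistinguishable from one typed on the real page.
    return hmac.compare_digest(totp(secret_b32, at), submitted)

# --- FIDO2/WebAuthn assertion (simplified): the BROWSER, not the user, writes the page origin
# into clientDataJSON, and the authenticator signs over it together with the RP's challenge.
def authenticator_sign(cred_key: bytes, page_origin: str, challenge: bytes) -> dict:
    client_data = json.dumps({"type": "webauthn.get", "origin": page_origin,
                              "challenge": base64.urlsafe_b64encode(challenge).decode()}).encode()
    sig = hmac.new(cred_key, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "signature": sig}

def rp_verify_assertion(cred_key: bytes, expected_origin: str, issued_challenge: bytes, a: dict) -> bool:
    cd = json.loads(a["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False
    if cd.get("origin") != expected_origin:          # origin binding: this check defeats the relay
        return False
    if base64.urlsafe_b64decode(cd["challenge"]) != issued_challenge:  # challenge binding: no replay
        return False
    expected = hmac.new(cred_key, hashlib.sha256(a["clientDataJSON"]).digest(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, a["signature"])

def demo() -> dict:
    now = int(time.time())
    relayed_code = totp(SECRET, now)   # victim types this on the lookalike page; it is forwarded at once
    challenge = b"\x01" * 32           # constructed: the real RP's challenge, obtained by the relay
    # On the lookalike page the browser records PHISH_ORIGIN. (A real authenticator would already
    # refuse, since the credential is scoped to the RP ID; the RP-side check is the second line.)
    phished = authenticator_sign(CRED_KEY, PHISH_ORIGIN, challenge)
    genuine = authenticator_sign(CRED_KEY, RP_ORIGIN, challenge)
    return {"totp_relayed_accepted": rp_verify_totp(SECRET, relayed_code, now),
            "fido2_relayed_accepted": rp_verify_assertion(CRED_KEY, RP_ORIGIN, challenge, phished),
            "fido2_genuine_accepted": rp_verify_assertion(CRED_KEY, RP_ORIGIN, challenge, genuine)}

if __name__ == "__main__":
    print(demo())
```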

The attack was designed to go beyond credential theft. If an employee had successfully logged in, the fraudulent landing page was programmed to automatically download AnyDesk’s remote access software, which could have facilitated further compromise of the victim’s machine.

In response to the incident, Cloudflare collaborated with DigitalOcean to dismantle the attacker’s infrastructure and reset the credentials of affected employees. The company is also reinforcing its access policies to block any logins from suspicious VPNs, residential proxies, and infrastructure providers.

This incident emphasizes the ongoing challenges in cybersecurity for organizations in the tech sector. It arrives on the heels of Twilio’s announcement that hackers managed to phish credentials from an undisclosed number of its employees, leading to unauthorized access to internal systems and customer accounts.

From a cybersecurity perspective, this event maps onto several tactics in the MITRE ATT&CK framework: initial access via phishing, credential theft through a real-time relay of the victim’s input, and the use of remote access software to establish persistent access. As businesses continue to face similar threats, maintaining robust security protocols and employee training becomes increasingly important.
