Rewterz Threat Update – Cloudflare Targeted By The Same Hackers Behind Twilio Breach

Severity

High

Analysis Summary

Cloudflare claims that some of its employees’ credentials were also stolen in an SMS phishing attack identical to the one that led to the breach of Twilio’s network last week. They stated that least 76 workers and their families had received texts on both their personal and work phones.

Even though the attackers gained access to the accounts of Cloudflare workers, they were unable to compromise the company’s systems since their attempts to log in using those accounts were rejected because they lacked the victims’ company-issued FIDO2-compliant security keys.

Around the same time as Twilio was attacked, we saw an attack with very similar characteristics also targeting Cloudflare’s employees.” published by Cloudflare. 

“While individual employees did fall for the phishing messages, we were able to thwart the attack through our own use of Cloudflare One products, and physical security keys issued to every employee that are required to access all our applications.”

At least 76 workers received messages in July 2022 with the links that redirected their intended targets to a Cloudflare-hosted copy of the Okta login page hosted on the cloudflare-okta[.]com domain.The security team was unable to ascertain how threat actors gained the phone numbers of employees.

Image Source:

The company said that the attackers were successful in accessing some of its customers’ data through breaching internal systems using stolen credentials that were acquired during the phishing attack.

Researchers also observed that the phishing website was utilized in certain circumstances to distribute malicious payloads, including AnyDesk’s remote access software. The programme would allow an attacker to remotely control the victim’s PC.

“They came from four phone numbers associated with T-Mobile-issued SIM cards: (754) 268-9387, (205) 946-7573, (754) 364-6683 and (561) 524-5989. They pointed to an official-looking domain: cloudflare-okta.com.” continues the report. 

This domain was registered through the Porkbun domain registrar, which was also used to host landing pages in the Twilio attack. The attackers were successful in accessing a few of its customers’ data via breaching internal systems using stolen credentials that were acquired during the phishing attack.

In response to this attack, the company took several steps, including blocking the phishing domain with Cloudflare Gateway, upgrading detections to identify any further attack attempts, and auditing service access logs for any additional indications of attack.

“We confirmed that none of our team members got to this step. If they had, however, our endpoint security would have stopped the installation of the remote access software.” concludes Cloudflare.

Impact

• Credential Theft
• Data Breach Attempt

Remediation

• Block the phishing domain
• Determine all Cloudflare personnel that are affected and reset any compromised credentials.
• Determine and eliminate threat-actor infrastructure.
• Update detections to detect any additional attacks.
• Examine service access logs for any additional signs of an attack
• Enforced Access Management Policies
• Terminate all accounts associated with an employee or contractor immediately upon dismissal.
• Prohibit password sharing
• Do not use the same password for multiple platforms, servers, or networks.
• Restrict installation of untrusted 3rd Party application
• Maintain daily backups of all computer networks and servers.