At least two security-sensitive companies, Twilio and Cloudflare, were targeted in a phishing attack by an advanced threat actor who possessed the home phone numbers not only of employees but also of employees' family members.
In the case of Twilio, a San Francisco-based two-factor authentication and communication service provider, unidentified hackers succeeded in phishing an undisclosed number of employees and thereby gained unauthorized access to the company's internal systems, the company said. The threat actor then used that access to the data in an undisclosed number of customer accounts.
Two days after Twilio's disclosure, content delivery network Cloudflare, also headquartered in San Francisco, revealed that it had been targeted in a similar way. Cloudflare said that three company employees were tricked by the phishing scam, but the company's use of hardware-based MFA keys prevented the intruders from gaining access to its internal network.
Well organized, elaborate, methodical
In both cases, the attackers somehow obtained the home and work phone numbers of employees and, in some cases, of their family members. The attackers then sent text messages disguised to look like official company communications. The messages made false claims, such as that an employee's schedule had changed or that the password used to log into work accounts had changed. After an employee entered credentials into the fake website, it began downloading a phishing payload that, when clicked, installed AnyDesk remote desktop software.
The threat actor executed its attack with near-surgical precision. In the attack on Cloudflare, at least 76 employees received a message within the first minute. The messages came from multiple T-Mobile phone numbers. The domain used in the attack had been registered just 40 minutes earlier, thwarting a domain-registry protection Cloudflare uses to detect impersonating sites.
“Based on these factors, we have reason to believe that the threat actors are well-organized, sophisticated, and methodical in their actions,” Twilio wrote. “We have yet to identify the specific threat actors at work here, but have been in contact with law enforcement in our efforts. Social engineering attacks are — by their very nature — complex, advanced, and built to challenge even the most advanced defenses.”
Matthew Prince, Daniel Stinson-Diess, and Sourov Zaman, Cloudflare's CEO, senior security engineer, and incident response lead respectively, share a similar view.
“This was a sophisticated attack targeting employees and systems in a way that we believe most organizations would potentially be compromised by,” they wrote. “Given that the attackers are targeting multiple organizations, we wanted to share here a summary of exactly what we've seen to help other companies recognize and mitigate this attack.”
Twilio and Cloudflare said they don’t know how the scammers obtained the employee numbers.
What's impressive is that even though three of the company's employees fell for the scam, Cloudflare kept its systems breach-free. The company's use of FIDO2-compliant hardware-based security keys for MFA is an important reason. Had the company relied on one-time passwords sent by text message, or even generated by an authenticator app, it could have been a different story.
Cloudflare officials explained:
Once the victim completes the phishing page, the login credentials are immediately passed to the attacker via the Telegram messaging service. This real-time forwarding is important because the phishing site also prompts for a Time-Based One-Time Password (TOTP) code.
Presumably, the attacker receives the credentials in real time, enters them into the victim company's actual login page, and, for many organizations, that generates a code sent to the employee via SMS or displayed on a password generator. The employee then enters the TOTP code on the phishing site, and that code is also forwarded to the attacker. The attacker can then, before the TOTP token expires, use it to access the company's actual login page, defeating most two-factor authentication implementations.
We confirmed that three Cloudflare employees fell for the phishing message and entered their credentials. However, Cloudflare does not use TOTP tokens. Instead, every employee at the company is issued a FIDO2-compliant security key from a vendor like YubiKey. Since the hard keys are tied to the user and perform origin binding, even a sophisticated, real-time phishing operation like this cannot gather the information needed to log into any of our systems. While the attacker attempted to log into our systems with the compromised username and password credentials, they could not get past the hard key requirement.
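The difference Cloudflare describes, a relayed TOTP code being accepted by the real site while a FIDO2 assertion is not, comes down to what the second factor is bound to. The following simulation is an added illustration and is not code from Cloudflare, Twilio, or the original article. It implements RFC 6238 TOTP faithfully, but stands in for the hardware key's signature with an HMAC over a per-credential secret so that it runs on the Python standard library alone (a real authenticator uses an asymmetric key pair, and the relying party verifies with the public key). The hostnames, usernames, passwords and secrets are constructed; the relying party and authenticator classes are simplified models of the WebAuthn flow, not a real library.

```python
"""Why a real-time phishing relay defeats TOTP but not FIDO2 origin binding.

Added illustration, not the companies' own code. Signature scheme is modelled
with HMAC for brevity; origins, users and secrets are constructed values.
"""
import hashlib
import hmac
import json
import struct
import time

RP_ID = "corp.example.com"                        # constructed relying-party id
RP_ORIGIN = "https://" + RP_ID
PHISH_ORIGIN = "https://corp-example-login.test"  # constructed look-alike host


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second counter, dynamic truncation."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class RelyingParty:
    """The real corporate login service (simplified model)."""

    def __init__(self):
        self.users, self.challenges = {}, {}

    def register(self, user, password, totp_secret, cred_secret):
        self.users[user] = {"pw": password, "totp": totp_secret, "cred": cred_secret}

    def login_totp(self, user, password, code, now):
        u = self.users.get(user)
        return bool(u) and u["pw"] == password and hmac.compare_digest(code, totp(u["totp"], now))

    def new_challenge(self, user):
        c = hashlib.sha256(f"{user}:{time.time_ns()}".encode()).hexdigest()
        self.challenges[user] = c
        return c

    def login_fido(self, user, password, assertion):
        u = self.users.get(user)
        if not u or u["pw"] != password:
            return False
        client_data = json.loads(assertion["client_data_json"])
        # Origin binding: the browser placed the page origin inside the signed data,
        # so an assertion produced on any other origin is rejected here.
        if client_data["origin"] != RP_ORIGIN:
            return False
        if client_data["challenge"] != self.challenges.pop(user, None):
            return False
        expected = hmac.new(u["cred"], assertion["client_data_json"].encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, assertion["signature"])


class Authenticator:
    """Browser plus hardware key. Credentials are scoped to an rp_id."""

    def __init__(self):
        self.creds = {}

    def make_credential(self, rp_id, cred_secret):
        self.creds[rp_id] = cred_secret

    def get_assertion(self, rp_id, page_origin, challenge):
        host = page_origin.split("://", 1)[1]
        # WebAuthn rule: the page origin must be the rp_id or a subdomain of it.
        if not (host == rp_id or host.endswith("." + rp_id)) or rp_id not in self.creds:
            return None
        cdj = json.dumps({"type": "webauthn.get", "challenge": challenge,
                          "origin": page_origin}, sort_keys=True)
        sig = hmac.new(self.creds[rp_id], cdj.encode(), hashlib.sha256).hexdigest()
        return {"client_data_json": cdj, "signature": sig}


def _setup():
    rp = RelyingParty()
    rp.register("alice", "constructed-password", b"constructed-totp-seed", b"constructed-cred")
    key = Authenticator()
    key.make_credential(RP_ID, b"constructed-cred")
    return rp, key


def relay_totp_attack(now: int = 1_700_000_000) -> bool:
    """Victim types password and current code into the phishing page; the code
    is replayed to the real site a few seconds later, inside the same window."""
    rp, _ = _setup()
    phished_code = totp(b"constructed-totp-seed", now)
    return rp.login_totp("alice", "constructed-password", phished_code, now + 5)


def relay_fido_attack() -> str:
    """Same relay against a FIDO2 credential: the proxy forwards the real
    challenge, but the page the victim is on is served from PHISH_ORIGIN."""
    rp, key = _setup()
    challenge = rp.new_challenge("alice")
    assertion = key.get_assertion(RP_ID, PHISH_ORIGIN, challenge)
    if assertion is None:
        return "browser refused: origin not within rp_id"
    return "login ok" if rp.login_fido("alice", "constructed-password", assertion) else "rejected"


def legitimate_fido_login() -> bool:
    """Control case: the same key on the real origin succeeds."""
    rp, key = _setup()
    challenge = rp.new_challenge("alice")
    assertion = key.get_assertion(RP_ID, RP_ORIGIN, challenge)
    return rp.login_fido("alice", "constructed-password", assertion)


if __name__ == "__main__":
    print("TOTP relay accepted by real site:", relay_totp_attack())
    print("FIDO2 relay:", relay_fido_attack())
    print("FIDO2 legitimate login:", legitimate_fido_login())
```

The TOTP code is only bound to time, so anything the victim types can be replayed within its 30-second window, exactly as the Cloudflare write-up describes. The FIDO2 assertion is bound to the origin twice over: the browser will not exercise a credential for `corp.example.com` from a page on another host, and even if an assertion were somehow produced elsewhere, the origin sits inside the signed client data that the relying party checks. Neither check depends on the employee noticing the fake domain.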
Cloudflare went on to say that it did not discipline the employees who fell for the scam, and explained why.
“Having a paranoid but blame-free culture is critical for security,” the officials wrote. “The three employees who fell for the phishing scam were not reprimanded. We're all human and we make mistakes. It's critically important that when we do, we report them and don't cover them up.”