Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cloud Security

Cloudflare Also Targeted by Hackers Who Breached Twilio

The threat actor that recently breached Twilio systems also targeted Cloudflare, and a few of the web security company’s employees fell for the phishing messages.

The threat actor that recently breached Twilio systems also targeted Cloudflare, and a few of the web security company’s employees fell for the phishing messages.

Twilio revealed over the weekend that it became aware of unauthorized access to some of its systems on August 4. An investigation showed that the attackers had tricked some of its employees into providing their credentials, which they then used to access internal systems and obtain customer data.

The threat actor sent phishing text messages to Twilio employees to trick them into entering their credentials on a malicious website. The messages informed recipients of expired passwords and schedule changes, and pointed to domains that included the words ‘Twilio’, ‘Okta’ and ‘SSO’.

The enterprise communications firms noted that the attacker, which it described as well organized and sophisticated, “seemed to have sophisticated abilities to match employee names from sources with their phone numbers.”

Cloudflare revealed on Tuesday that its own employees also received similar text messages, on July 20. The company said more than 100 SMS messages were sent to its employees and their families, pointing them to websites hosted on domains that appeared to belong to Cloudflare.

Cloudflare phishing

Cloudflare uses Okta identity services and the phishing page looked identical to the legitimate Okta login page. If users entered their username and password, the credentials would be sent to the attacker, who likely attempted to use them immediately to log into Cloudflare systems. This would prompt them for second-factor authentication — typically a code received via SMS or from a dedicated app — and the phishing page would then also prompt the victim to enter a code, which would also be sent to the attacker.

However, in the case of Cloudflare, while three employees did enter their credentials on the phishing site, the company uses physical security keys from vendors such as YubiKey for two-factor authentication, which prevented the attacker from accessing its systems.

Advertisement. Scroll to continue reading.

According to Cloudflare, the phishing page was also set up to deliver the AnyDesk remote access software, which would give the attacker control over the victim’s computer. The company said none of its employees got to this step and it’s confident that its security systems would have blocked the installation of the software.

Both Cloudflare and Twilio have taken action to disrupt the infrastructure used by the attackers, but they appeared to be persistent, changing mobile carriers and hosting providers in an effort to continue their attack.

Cloudflare monitors the web for potentially malicious domains, but the domain used in this attack was registered only an hour before the first phishing messages went out and the company had yet to notice them.

The attack has yet to be linked to a known threat actor, but Cloudflare has shared some indicators of compromise (IoCs), as well as information on the infrastructure used by the attacker.

Related: Cryptocurrency Services Hit by Data Breach at CRM Company HubSpot

Related: Microsoft, Okta Confirm Data Breaches Involving Compromised Accounts

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.

Register

Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cyberwarfare

WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Cybercrime

Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Cybercrime

As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.