Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cloud Security

Cloudflare Also Targeted by Hackers Who Breached Twilio

The threat actor that recently breached Twilio systems also targeted Cloudflare, and a few of the web security company’s employees fell for the phishing messages.

The threat actor that recently breached Twilio systems also targeted Cloudflare, and a few of the web security company’s employees fell for the phishing messages.

Twilio revealed over the weekend that it became aware of unauthorized access to some of its systems on August 4. An investigation showed that the attackers had tricked some of its employees into providing their credentials, which they then used to access internal systems and obtain customer data.

The threat actor sent phishing text messages to Twilio employees to trick them into entering their credentials on a malicious website. The messages informed recipients of expired passwords and schedule changes, and pointed to domains that included the words ‘Twilio’, ‘Okta’ and ‘SSO’.

The enterprise communications firms noted that the attacker, which it described as well organized and sophisticated, “seemed to have sophisticated abilities to match employee names from sources with their phone numbers.”

Cloudflare revealed on Tuesday that its own employees also received similar text messages, on July 20. The company said more than 100 SMS messages were sent to its employees and their families, pointing them to websites hosted on domains that appeared to belong to Cloudflare.

Cloudflare phishing

Cloudflare uses Okta identity services and the phishing page looked identical to the legitimate Okta login page. If users entered their username and password, the credentials would be sent to the attacker, who likely attempted to use them immediately to log into Cloudflare systems. This would prompt them for second-factor authentication — typically a code received via SMS or from a dedicated app — and the phishing page would then also prompt the victim to enter a code, which would also be sent to the attacker.

However, in the case of Cloudflare, while three employees did enter their credentials on the phishing site, the company uses physical security keys from vendors such as YubiKey for two-factor authentication, which prevented the attacker from accessing its systems.

According to Cloudflare, the phishing page was also set up to deliver the AnyDesk remote access software, which would give the attacker control over the victim’s computer. The company said none of its employees got to this step and it’s confident that its security systems would have blocked the installation of the software.

Both Cloudflare and Twilio have taken action to disrupt the infrastructure used by the attackers, but they appeared to be persistent, changing mobile carriers and hosting providers in an effort to continue their attack.

Cloudflare monitors the web for potentially malicious domains, but the domain used in this attack was registered only an hour before the first phishing messages went out and the company had yet to notice them.

The attack has yet to be linked to a known threat actor, but Cloudflare has shared some indicators of compromise (IoCs), as well as information on the infrastructure used by the attacker.

Related: Cryptocurrency Services Hit by Data Breach at CRM Company HubSpot

Related: Microsoft, Okta Confirm Data Breaches Involving Compromised Accounts

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Cybercrime

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Cybercrime

A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...

Cybercrime

The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.