Cloudflare employees were recently targeted by a “sophisticated” cyberattack, and even though some fell for the scheme, the DDoS protection company managed to successfully defend itself.
In a blog post, Cloudflare co-founder Matthew Prince, together with team members Daniel Stinson-Diess and Sourov Zaman, explained how the attack happened and what made the difference between success and failure.
The threat actor made a couple of key preparations ahead of the attack: they registered a domain that looked legitimate and would fool many victims: cloudflare-okta.com. Okta is Cloudflare’s identity provider. They also managed to somehow obtain the phone numbers of almost 80 Cloudflare employees, as well as family members for some.
Time-based passcodes vs security keys
After the attack, Cloudflare sought to understand how the threat actors obtained these phone numbers but came up empty given that access logs to employee directories showed no signs of compromise.
Then, they created a phishing page that looks identical to the genuine Okta login page and hosted it on DigitalOcean. They also set the page up in such a way that the login credentials submitted would be sent, in real-time, via Telegram, to the attackers. That way, the crooks would be able to submit them to the actual Okta login page right away and have enough time to obtain any two-factor authentication from the victims, as well.
Once all the preparations were done, they sent out an SMS message to everyone, saying “Alert! Cloudflare schedule has been updated”, and provided a link.
While most employees did not fall for the trick, some did. However, Cloudflare’s additional security measures ensured that the attackers never got access to its systems. The company does not use Time-based One Time Passcode (TOTP), but instead relies on FIDO2-compliant security keys.
“Since the hard keys are tied to users and implement origin binding, even a sophisticated, real-time phishing operation like this cannot gather the information necessary to log in to any of our systems,” the authors explained. “While the attacker attempted to log in to our systems with the compromised username and password credentials, they could not get past the hard key requirement.”
It seems as Cloudflare dodged this bullet, but it says that due to the sophistication of the attack, many other victims might not. Those that fell for the trick, probably ended up with AnyDesk’s remote access software installed on the endpoints. “That software, if installed, would allow an attacker to control the victim’s machine remotely,” the company concluded.
"Around the same time as Twilio was attacked, we saw an attack with very similar characteristics also targeting Cloudflare’s employees. While individual employees did fall for the phishing messages, we were able to thwart the attack through our own use of Cloudflare One products, and physical security keys issued to every employee that are required to access all our applications. We have confirmed that no Cloudflare systems were compromised. Our Cloudforce One threat intelligence team was able to perform additional analysis to further dissect the mechanism of the attack and gather critical evidence to assist in tracking down the attacker."
The attack comes shortly after Twilio also revealed it was hit by a similar phishing attack, where hackers tricked company employees into giving away their login credentials which were then used to sneak into the company network, map out the endpoints, and steal even more data.
- These are the best firewalls around