Cloudflare says it was almost fooled by a phishing attack

Cartoon Phishing
(Image credit: Shutterstock / DRogatnev)

Cloudflare employees were recently targeted by a “sophisticated” cyberattack, and even though some fell for the scheme, the DDoS protection company managed to successfully defend itself. 

In a blog post, Cloudflare co-founder Matthew Prince, together with team members Daniel Stinson-Diess and Sourov Zaman, explained how the attack happened and what made the difference between success and failure.

The threat actor made a couple of key preparations ahead of the attack: they registered a domain that looked legitimate and would fool many victims: cloudflare-okta.com. Okta is Cloudflare’s identity provider. They also managed to somehow obtain the phone numbers of almost 80 Cloudflare employees, as well as family members for some.

Time-based passcodes vs security keys

After the attack, Cloudflare sought to understand how the threat actors obtained these phone numbers but came up empty given that access logs to employee directories showed no signs of compromise.

Then, they created a phishing page that looks identical to the genuine Okta login page and hosted it on DigitalOcean. They also set the page up in such a way that the login credentials submitted would be sent, in real-time, via Telegram, to the attackers. That way, the crooks would be able to submit them to the actual Okta login page right away and have enough time to obtain any two-factor authentication from the victims, as well.

Once all the preparations were done, they sent out an SMS message to everyone, saying “Alert! Cloudflare schedule has been updated”, and provided a link. 

While most employees did not fall for the trick, some did. However, Cloudflare’s additional security measures ensured that the attackers never got access to its systems. The company does not use Time-based One Time Passcode (TOTP), but instead relies on FIDO2-compliant security keys. 

“Since the hard keys are tied to users and implement origin binding, even a sophisticated, real-time phishing operation like this cannot gather the information necessary to log in to any of our systems,” the authors explained. “While the attacker attempted to log in to our systems with the compromised username and password credentials, they could not get past the hard key requirement.”

It seems as Cloudflare dodged this bullet, but it says that due to the sophistication of the attack, many other victims might not. Those that fell for the trick, probably ended up with AnyDesk’s remote access software installed on the endpoints. “That software, if installed, would allow an attacker to control the victim’s machine remotely,” the company concluded.

"Around the same time as Twilio was attacked, we saw an attack with very similar characteristics also targeting Cloudflare’s employees. While individual employees did fall for the phishing messages, we were able to thwart the attack through our own use of Cloudflare One products, and physical security keys issued to every employee that are required to access all our applications. We have confirmed that no Cloudflare systems were compromised. Our Cloudforce One threat intelligence team was able to perform additional analysis to further dissect the mechanism of the attack and gather critical evidence to assist in tracking down the attacker."

The attack comes shortly after Twilio also revealed it was hit by a similar phishing attack, where hackers tricked company employees into giving away their login credentials which were then used to sneak into the company network, map out the endpoints, and steal even more data. 

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
Fraude en ligne phishing
Google forced to step up phishing defenses following ‘most sophisticated attack’ it has ever seen
A person using a smartphone with a cybersecurity lock symbol appearing over it.
The growing threat of device code phishing and how to defend against It
Best email services: image of email with one unread message alert
Over 400 million unwanted and malicious emails were received by businesses in 2024
A fish hook is lying across a computer keyboard, representing a phishing attack on a computer system
Everything you need to know about phishing
Representational image of a shrouded hacker.
Getting to grips with Adversary-in-the-Middle threats
A fish hook is lying across a computer keyboard, representing a phishing attack on a computer system
Microsoft authentication system spoofed via phishing attack
Latest in Security
Isometric demonstrating multi-factor authentication using a mobile device.
NCSC gets influencers to sing the praises of 2FA
Sam Altman and OpenAI
OpenAI is upping its bug bounty rewards as security worries rise
A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.
Dangerous new CoffeeLoader malware executes on your GPU to get past security tools
China
Notorious Chinese hackers FamousSparrow allegedly target US financial firms
A digital representation of a lock
NYU website defaced as hacker leaks info on a million students
NHS
NHS IT supplier hit with major fine following ransomware attack
Latest in News
Nintendo Switch 2 Joy-Con up-close from app store
Nintendo's new app gave us another look at the Switch 2, and there's something different with the Joy-Con
cheap Nintendo Switch game deals sales
Nintendo didn't anticipate that Mario Kart 8 Deluxe was 'going to be the juggernaut' for the Nintendo Switch when it was ported to the console, according to former employees
Three angles of the Apple MacBook Air 15-inch M4 laptop above a desk
Apple MacBook Air 15-inch (M4) review roundup – should you buy Apple's new lightweight laptop?
Witchbrook
Witchbrook, the life-sim I've been waiting years for, finally has a release window and it's sooner than you think
Amazon Echo Smart Speaker
Amazon is experimenting with renaming Echo speakers to Alexa speakers, and it's about time
Shigeru Miyamoto presents Nintendo Today app
Nintendo Today smartphone app is out now on iOS and Android devices – and here's what it does