Phishing attempt failed to collect information needed to access company’s systems thanks to secure hardware MFA
Pro
Image: Shutterstock
Cloudflare has revealed that it has thwarted a Twilio-style cyber-attack thanks to the company-wide use of hardware-based, FIDO2-compatible hardware keys that it uses for secure multi-factor authentication (MFA).
The cloud company said the incident happened around the same time that Twilio was hit by a sophisticated phishing attack that successfully tricked employees into changing their company passwords.
At Cloudflare, although some employees fell for the phishing messages, the company said it could stop the attack using its Cloudflare One products, as well as the physical security keys its employees use to access each application.
“We have confirmed that no Cloudflare systems have been compromised,” the company said in a blog post.
On July 20, Cloudfare’s security team received reports of employees receiving “legitimate-looking text messages” that mimicked a link to a Cloudflare Okta login page. The attempts were sent to both personal and business devices, and some were even sent to employees’ relatives.
“We have not yet been able to determine how the attacker compiled the employee phone number list, but have looked at access logs to our personnel directory services and found no sign of compromise,” Cloudfare said.
The company said its secure registrar system, which monitors when domains are set up to use the Cloudflare brand, failed to detect the registration because it was set up less than 40 minutes before the phishing campaign began.
The phishing page is designed to pass the victim’s credentials to the attacker via the Telegram messaging service. It would then ask for a Time-based One Time Password (TOTP) code.
This would defeat most two-factor authentication (2FA) systems, as the attacker would receive the credentials in real time, enter it into a company’s actual login page, and activate a code that would be sent via SMS or a password generator. .
The agent would then enter the TOTP code on the phishing site and send it directly to the attacker, who can then use it on the real site before it expires.
Unfortunately for the attackers, however, Cloudflare does not use TOTP codes. Instead, the company offers its employees: FIDO2-compatible security keys associated with individual users. That means a real-time phishing attack like this is unable to collect the information needed to access corporate systems.
“While the attacker tried to log into our systems with the compromised username and password information, they couldn’t get past the hard key requirement,” Cloudflare said.
If the attackers had overcome these hurdles, Cloudflare said the phishing page would have downloaded a phishing payload containing AnyDesk’s remote access software that allowed the attackers to control the victim’s device remotely.
The company said the attack hadn’t progressed that far, but endpoint security would have thwarted the installation if it had.
Despite the attack failing, Cloudflare added it would make changes, such as restricting access to sites running on domains registered in the last 24 hours, and running new key terms through its browser isolation technology.
The phishing identification technology of the company’s Cloudflare Area 1 solution will now also scan the web for pages designed to target the company, while canning logins from unknown virtual private networks (VPNs).
© Dennis Publishing
