
The mechanics of a sophisticated phishing scam and how we stopped it

What's this blog post about?

On August 8, 2022, Twilio was compromised by a targeted phishing attack. Around the same time, Cloudflare experienced an attack with similar characteristics targeting its employees. Although some individual employees fell for the phishing messages, Cloudflare thwarted the attack using its own Cloudflare One products and the physical security keys issued to every employee. No Cloudflare systems were compromised.

The targeted text messages contained a link pointing to what appeared to be a legitimate Okta login page. If clicked, it took users to a phishing page designed to look identical to an Okta login page. Three Cloudflare employees fell for the phishing message and entered their credentials, but the attacker could not get past the hard key requirement, as every employee at the company is issued a FIDO2-compliant security key from vendors like YubiKey. The phishing page also initiated the download of remote access software if someone made it past the earlier steps.

Cloudflare took several measures in response to the incident: blocking the phishing domain using Cloudflare Gateway, identifying all impacted employees and resetting compromised credentials, taking down threat-actor infrastructure, updating detections to identify any subsequent attack attempts, and auditing service access logs for any additional indications of attack. Lessons learned include adjusting settings for Cloudflare Gateway, using Cloudflare's own technology to protect employees and systems, having a paranoid but blame-free culture, requiring hard keys for access to all applications, and tightening the Access implementation to prevent any logins from unknown VPNs, residential proxies, and infrastructure providers.
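As an added illustration (not code from the Cloudflare post) of why the attacker could not get past the hard key requirement: a relying party verifying a FIDO2/WebAuthn assertion checks that the signed client data names the real login origin and that the rpIdHash matches its own domain, so an assertion produced on a lookalike phishing page is rejected even though the user typed valid credentials. The domain names and challenge below are constructed placeholders.

```python
import base64
import hashlib
import json

# Constructed placeholder values; the real relying party and origin are not on the page.
RP_ID = "example-corp.okta.example"
EXPECTED_ORIGIN = "https://example-corp.okta.example"


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def verify_assertion_binding(client_data_b64: str, auth_data: bytes,
                             expected_origin: str = EXPECTED_ORIGIN,
                             rp_id: str = RP_ID) -> tuple[bool, str]:
    """Relying-party checks that make a phished WebAuthn assertion useless.

    The browser, not the user, fills in clientDataJSON.origin and resolves the rpId,
    and the authenticator signs over both. These checks run before any signature
    verification, so a lookalike domain fails regardless of what the user entered.
    """
    client_data = json.loads(_b64url_decode(client_data_b64))
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("origin") != expected_origin:
        return False, f"origin mismatch: {client_data.get('origin')!r}"
    # authenticatorData = rpIdHash (32 bytes) || flags (1 byte) || signCount (4 bytes) || ...
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:  # UP flag: user presence was tested
        return False, "user presence flag not set"
    return True, "origin and rpId bound to the real site"


def make_client_data(origin: str, challenge: bytes = b"constructed-challenge") -> str:
    """Build the clientDataJSON a browser would produce for a page at `origin`."""
    data = {"type": "webauthn.get",
            "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode(),
            "origin": origin}
    return base64.urlsafe_b64encode(json.dumps(data).encode()).rstrip(b"=").decode()


def make_auth_data(rp_id: str) -> bytes:
    """Minimal authenticatorData for the rpId the browser resolved: UP set, counter 0."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (0).to_bytes(4, "big")
```

Running the verifier on client data built for a lookalike such as `https://example-corp-okta.example` fails at the origin check, which is the property that credential phishing cannot work around.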

Company
Cloudflare

Date published
Aug. 9, 2022

Author(s)
Matthew Prince, Daniel Stinson-Diess, Sourov Zaman

Word count
2057

Language
English

Hacker News points
130


By Matt Makai. 2021-2024.