Cloudflare scuppers Twilio-like cyber attack with hardware keys - TechCentral.ie

2022-08-13 01:00:07 By : Ms. Ailsa Zhang

Cloudflare has revealed it foiled a Twilio-like cyber attack thanks to its company-wide use of FIDO2-compliant hardware security keys for multi-factor authentication (MFA).

The cloud firm said the incident occurred around the same time as Twilio was struck by a sophisticated phishing attack that successfully tricked employees into believing they needed to change their company passwords.

At Cloudflare, although some employees did fall for the phishing messages, the company said it was able to stop the attack using its Cloudflare One products, as well as the physical security keys its employees use to access every application.

“We have confirmed that no Cloudflare systems were compromised,” the firm said in a blog post.

Back on 20 July, Cloudflare’s Security team received reports of employees receiving “legitimate-looking text messages” containing a link to what appeared to be a Cloudflare Okta login page. The messages were sent to both personal and work devices, with some even reaching employees’ family members.

“We have not yet been able to determine how the attacker assembled the list of employees’ phone numbers but have reviewed access logs to our employee directory services and have found no sign of compromise,” Cloudflare said.

The company said its secure registrar system, which monitors when domains are set up to trade on the Cloudflare brand, did not flag the phishing domain because it was registered less than 40 minutes before the campaign began.

The phishing page was designed so that victims’ credentials would be relayed to the attacker in real time via the messaging service Telegram. It would then prompt for a Time-based One-Time Password (TOTP) code.

This would defeat most two-factor authentication (2FA) systems: the attacker receives the credentials in real time, enters them into the company’s genuine login page, and triggers a code to be sent via SMS or generated by an authenticator app.

The employee would then enter the TOTP code on the phishing site, sending it straight to the attacker, who could use it on the genuine site before it expires.

Unfortunately for the attackers, Cloudflare doesn’t use TOTP codes. Instead, the firm issues its employees FIDO2-compliant security keys that are tied to individual users and whose responses are bound to the legitimate site’s origin, so a real-time phishing attack such as this cannot collect anything usable for accessing company systems.
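The difference described above, as an added illustration that is not part of the article or Cloudflare’s code: a TOTP verifier has no idea where the user typed the code, so a fresh code relayed from a look-alike page verifies, whereas a WebAuthn-style verifier checks the origin the browser recorded in the signed client data and rejects an assertion produced on any other origin. The model is simplified (an HMAC over a key shared with the relying party stands in for the authenticator’s ECDSA signature) and all hostnames, keys and challenges are constructed.

```python
import hashlib
import hmac
import json
import struct


def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", t // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def verify_totp(secret: bytes, code: str, t: int) -> bool:
    # Nothing here knows *where* the code was typed: a code captured on a
    # phishing page verifies as long as the 30-second window has not passed.
    return hmac.compare_digest(code, totp(secret, t))


def fido_assert(cred_key: bytes, rp_id: str, origin: str, challenge: bytes) -> dict:
    """What browser + authenticator produce. The browser, not the page, writes
    the origin into clientData, and the signature covers rpIdHash + clientData."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge.hex(), "origin": origin},
        sort_keys=True,
    ).encode()
    signed = hashlib.sha256(rp_id.encode()).digest() + hashlib.sha256(client_data).digest()
    return {"client_data": client_data,
            "sig": hmac.new(cred_key, signed, hashlib.sha256).digest()}  # simplified signature


def verify_fido(cred_key: bytes, rp_id: str, expected_origin: str,
                challenge: bytes, assertion: dict) -> bool:
    """Relying-party checks: origin and challenge match, then the signature."""
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge.hex():
        return False  # replayed or foreign challenge
    if cd.get("origin") != expected_origin:
        return False  # assertion was made on a look-alike origin: reject
    signed = hashlib.sha256(rp_id.encode()).digest() + hashlib.sha256(assertion["client_data"]).digest()
    return hmac.compare_digest(assertion["sig"], hmac.new(cred_key, signed, hashlib.sha256).digest())
```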

“While the attacker attempted to log in to our systems with the compromised username and password credentials, they could not get past the hard key requirement,” Cloudflare said.

Had the attackers got past these hurdles, Cloudflare said, the phishing page would have downloaded a payload that included AnyDesk’s remote access software, allowing the attackers to control the victim’s device remotely.

The company said the attack did not progress that far – but its endpoint security would have thwarted the installation if it had.

Despite the attack failing, Cloudflare added that it would be making adjustments, such as restricting access to sites running on domains registered in the previous 24 hours and running new key terms through its browser isolation technology.

The phishing-identification technology in the firm’s Cloudflare Area 1 product will also now scan the web for pages designed to target the company, and logins from unknown virtual private networks (VPNs) will be blocked.
