Internet infrastructure company Cloudflare recently announced it successfully defended against a cyberattack targeting its employees, using one of its own security products.
The company said that thanks to its Cloudflare One products and the hardware security keys issued to every employee, which are needed to access all its applications, a phishing campaign failed to compromise any systems, despite some employees falling for the scam.
Cloudflare notes that this was a sophisticated cyberattack targeting employees in a way that it believes would be successful against most organizations.
One of the reasons for sharing this information, the company said, is that the campaign has "very similar characteristics" to the cyberattack that hit Twilio customer accounts earlier this week. The Twilio communications API allows developers to build voice and SMS capabilities into their apps.
Since the attacker is likely targeting multiple organizations with the same tactics, Cloudflare wanted to share a breakdown of exactly what happened.
Phishing campaign targets Cloudflare
The Cloudflare Security team received multiple reports on July 20th of employees receiving what looked like legitimate text messages with a link to a fake Cloudflare Okta login page. In less than 60 seconds, a total of 76 employees received text messages on their personal and work phones, and even some family members received messages.
The text looked like this:
And the phishing page looked like this:
The cloudflare-okta.com domain appeared legitimate, but it had only been registered via a domain registrar 40 minutes before the attack. Cloudflare's secure registrar product would normally have flagged and terminated this domain, but because the registration happened so shortly before the phishing attempt, the domain had not yet been detected.
What really saved Cloudflare in this situation is that every employee is issued a FIDO2-compliant security key. The company blog says:
"Since the hard keys are tied to users and implement origin binding, even a sophisticated, real-time phishing operation like this cannot gather the information necessary to log in to any of our systems. While the attacker attempted to log in to our systems with the compromised username and password credentials, they could not get past the hard key requirement.
If someone made it past those steps, the phishing page then initiated the download of a phishing payload which included AnyDesk's remote access software. That software, if installed, would allow an attacker to control the victim's machine remotely. We confirmed that none of our team members got to this step. If they had, however, our endpoint security would have stopped the installation of the remote access software."
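The origin binding the blog post refers to is what makes a relayed, real-time phishing page useless against a FIDO2 key. The example below is added here to illustrate that mechanism; it is not code from Cloudflare or from the original article. It models the three parties in a WebAuthn login (browser, authenticator, relying party) with the standard library only: the browser, not the page's JavaScript, stamps the page origin into clientDataJSON and refuses any rpId that is not a registrable suffix of that origin, and the authenticator signs over authenticatorData plus the SHA-256 of clientDataJSON. The relying party origin `https://login.example.com` and rpId `example.com` are constructed placeholders (not Cloudflare's real values); the HMAC key standing in for the authenticator's private key is an assumption so the example runs offline; `cloudflare-okta.com` is the lookalike domain named in the article.

```python
import base64
import hashlib
import hmac
import json
import os

# Constructed placeholders for the real relying party (RP); not Cloudflare's values.
RP_ID = "example.com"
RP_ORIGIN = "https://login.example.com"
# Lookalike domain from the article, used here as the phishing page's origin.
PHISHING_ORIGIN = "https://cloudflare-okta.com"
PHISHING_RP_ID = "cloudflare-okta.com"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


class ToyAuthenticator:
    """Stand-in for a FIDO2 key. A real key signs with a per-credential ECDSA
    private key and the RP holds the public key; here a shared HMAC key plays
    that role (an assumption made so the example needs no extra libraries)."""

    def __init__(self) -> None:
        self._key = os.urandom(32)
        self.sign_count = 0

    def get_assertion(self, rp_id: str, client_data_json: bytes):
        # authenticatorData = rpIdHash(32) || flags(1) || signCount(4)
        rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
        self.sign_count += 1
        auth_data = rp_id_hash + b"\x05" + self.sign_count.to_bytes(4, "big")
        # The signature covers authenticatorData and the hash of clientDataJSON,
        # so origin and rpId are both inside the signed message.
        signed = auth_data + hashlib.sha256(client_data_json).digest()
        return auth_data, hmac.new(self._key, signed, hashlib.sha256).digest()

    def verify(self, auth_data: bytes, client_data_json: bytes, sig: bytes) -> bool:
        signed = auth_data + hashlib.sha256(client_data_json).digest()
        expected = hmac.new(self._key, signed, hashlib.sha256).digest()
        return hmac.compare_digest(expected, sig)


def browser_rp_id_for(origin: str, requested_rp_id: str) -> str:
    """The browser only allows an rpId that is the origin's host or a
    registrable suffix of it; anything else raises, as navigator.credentials
    does with a SecurityError."""
    host = origin.split("://", 1)[1]
    if host == requested_rp_id or host.endswith("." + requested_rp_id):
        return requested_rp_id
    raise ValueError("SecurityError: rpId not valid for origin " + origin)


def browser_build_client_data(origin: str, challenge: bytes) -> bytes:
    # The origin field is filled in by the browser from the page's actual origin.
    return json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    ).encode()


def rp_verify_assertion(key, challenge, client_data_json, auth_data, sig):
    """Relying-party side checks, in the order the WebAuthn spec lists them.
    Returns (accepted, reason)."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(challenge):
        return False, "challenge mismatch"
    if cd.get("origin") != RP_ORIGIN:
        return False, "origin mismatch: " + str(cd.get("origin"))
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not key.verify(auth_data, client_data_json, sig):
        return False, "bad signature"
    return True, "ok"


def legitimate_login(key: ToyAuthenticator):
    challenge = os.urandom(32)
    rp_id = browser_rp_id_for(RP_ORIGIN, RP_ID)
    cdj = browser_build_client_data(RP_ORIGIN, challenge)
    auth_data, sig = key.get_assertion(rp_id, cdj)
    return rp_verify_assertion(key, challenge, cdj, auth_data, sig)


def relayed_phishing_login(key: ToyAuthenticator):
    """Real-time relay: the phishing page forwards the RP's challenge to the
    victim. The browser refuses rpId "example.com" on the phishing origin, so
    the page can only obtain an assertion bound to its own domain."""
    challenge = os.urandom(32)
    try:
        browser_rp_id_for(PHISHING_ORIGIN, RP_ID)
    except ValueError:
        pass  # expected: the browser will not mint an assertion for the real rpId here
    cdj = browser_build_client_data(PHISHING_ORIGIN, challenge)
    auth_data, sig = key.get_assertion(PHISHING_RP_ID, cdj)
    return rp_verify_assertion(key, challenge, cdj, auth_data, sig)


def tampered_relay_login(key: ToyAuthenticator):
    """Same relay, but the origin field and rpIdHash are rewritten in transit.
    Both are covered by the signature, so the assertion no longer verifies."""
    challenge = os.urandom(32)
    cdj = browser_build_client_data(PHISHING_ORIGIN, challenge)
    auth_data, sig = key.get_assertion(PHISHING_RP_ID, cdj)
    forged_cdj = cdj.replace(PHISHING_ORIGIN.encode(), RP_ORIGIN.encode())
    forged_auth = hashlib.sha256(RP_ID.encode()).digest() + auth_data[32:]
    return rp_verify_assertion(key, challenge, forged_cdj, forged_auth, sig)


if __name__ == "__main__":
    k = ToyAuthenticator()
    for name, fn in [("legitimate", legitimate_login),
                     ("relayed phishing", relayed_phishing_login),
                     ("tampered relay", tampered_relay_login)]:
        print(name, "->", fn(k))
```

The legitimate flow is accepted; the relayed flow fails at the origin check because the browser stamped `https://cloudflare-okta.com` into clientDataJSON, and rewriting that field (and the rpIdHash) to look right instead breaks the signature. A stolen username and password are therefore not enough, which is the property the blog post describes.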
5 steps to block a phishing attack
Cloudflare shared that it took five simple steps in responding to the cyberattack, which were as follows:
1. Block the phishing domain using Cloudflare Gateway
2. Identify all impacted Cloudflare employees and reset compromised credentials
3. Identify and take down threat-actor infrastructure
4. Update detections to identify any subsequent attack attempts
5. Audit service access logs for any additional indications of attack
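Steps 2 and 5 above amount to one question against the authentication logs: which accounts had a password accepted without a hardware-key step completing from the same source shortly afterwards, and which sources show that pattern across several users. The script below is an added example, not Cloudflare's tooling or code from the article. The log format (`user=`, `step=`, `result=`, `src=` fields) and the six sample lines are constructed for the example, with documentation-range IP addresses; the five-minute pairing window is an assumed tuning value.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format and sample lines (not a real product's schema).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) step=(?P<step>\S+) "
    r"result=(?P<result>\S+) src=(?P<src>\S+)$"
)
SAMPLE_LOG = """\
2022-07-20T22:50:12Z user=alice step=password result=success src=203.0.113.7
2022-07-20T22:50:15Z user=alice step=hardkey result=failure src=203.0.113.7
2022-07-20T22:50:40Z user=bob step=password result=success src=198.51.100.9
2022-07-20T22:50:44Z user=bob step=hardkey result=success src=198.51.100.9
2022-07-20T22:51:02Z user=carol step=password result=success src=203.0.113.7
2022-07-20T22:53:30Z user=dave step=password result=failure src=203.0.113.7
"""


def parse_log(lines):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ev


def audit_access_log(lines, window=timedelta(minutes=5)):
    """Flag password successes that were not followed by a hardkey success
    from the same (user, src) within `window`. A password accepted at the real
    login page with no completed key step is exactly what a relayed phishing
    attempt leaves behind. Returns sorted lists for stable output."""
    by_session = defaultdict(list)
    for ev in parse_log(lines):
        by_session[(ev["user"], ev["src"])].append(ev)

    flagged = defaultdict(set)  # user -> {src}
    for (user, src), events in by_session.items():
        events.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(events):
            if ev["step"] != "password" or ev["result"] != "success":
                continue
            completed = any(
                later["step"] == "hardkey" and later["result"] == "success"
                and later["ts"] - ev["ts"] <= window
                for later in events[i + 1:]
            )
            if not completed:
                flagged[user].add(src)

    # A source that harvested more than one account is likely attacker
    # infrastructure worth blocking and reporting (step 3 in the article).
    src_users = defaultdict(set)
    for user, srcs in flagged.items():
        for src in srcs:
            src_users[src].add(user)
    shared = sorted(s for s, users in src_users.items() if len(users) > 1)

    return {
        "credentials_to_reset": sorted(flagged),
        "flagged_sessions": {u: sorted(s) for u, s in sorted(flagged.items())},
        "shared_sources": shared,
    }


if __name__ == "__main__":
    report = audit_access_log(SAMPLE_LOG.splitlines())
    for k, v in report.items():
        print(k, "->", v)
```

On the sample data alice (key step failed) and carol (no key step at all) are queued for a credential reset, bob completed the key step and is not flagged, dave's password failure is ignored, and 203.0.113.7 surfaces as a source shared by more than one harvested account. Running the same query for a few days after the incident is the "subsequent attack attempts" check in step 4.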
For more information on the phishing campaign that targeted Cloudflare and how the company responded, see its report.