Cloudflare scuppers Twilio-like cyber attack with hardware keys
Phishing attempt was unable to gather information required to access the company’s systems thanks to secure hardware MFA


Cloudflare has revealed it foiled a Twilio-like cyber attack thanks to its company-wide use of FIDO2-compliant hardware keys for secure multi-factor authentication (MFA).
The cloud firm said the incident occurred around the same time as Twilio was struck by a sophisticated phishing attack that successfully tricked employees into believing they needed to change their company passwords.
At Cloudflare, although some employees did fall for the phishing messages, the company said it was able to stop the attack using its Cloudflare One products, as well as the physical security keys its employees use to access every application.
“We have confirmed that no Cloudflare systems were compromised,” the firm said in a blog post.
Back on July 20, Cloudflare’s Security team received reports of employees receiving “legitimate-looking text messages” which mimicked a link to a Cloudflare Okta login page. The attempts were sent to both personal and work devices, with some even being sent to employees’ family members.
“We have not yet been able to determine how the attacker assembled the list of employees’ phone numbers but have reviewed access logs to our employee directory services and have found no sign of compromise,” Cloudflare said.
The company said its secure registrar system, which monitors when domains are set up to use the Cloudflare brand, did not detect the phishing domain’s registration because the domain was set up less than 40 minutes before the phishing campaign began.
The phishing page was designed in such a way that the victim’s credentials would be relayed to the attacker via messaging service Telegram. It would then prompt for a Time-based One-Time Password (TOTP) code.
This would defeat most two-factor authentication (2FA) systems as the attacker would receive the credentials in real time, enter them into a company’s actual login page, and trigger a code to be sent via SMS or a password generator.
The employee would then enter the TOTP code on the phishing site, sending it straight to the attacker, who is then able to use it on the genuine site before it expires.
Unfortunately for the attackers, however, Cloudflare doesn’t use TOTP codes. Instead, the firm provides its employees with FIDO2-compliant security keys which are tied to individual users. That means a real-time phishing attack such as this is unable to collect the information required to access company systems.
“While the attacker attempted to log in to our systems with the compromised username and password credentials, they could not get past the hard key requirement,” Cloudflare said.
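Why the relay described above works against TOTP codes but not against FIDO2 keys, shown as an added example that is not from Cloudflare or the original article: a TOTP code carries no record of where it was typed, whereas a WebAuthn assertion is a signature over the origin the browser actually displayed, which the genuine site checks. The origins, the simulated key and the function names are constructed for illustration.

```javascript
// Added example: simulated security key and relying-party check (Node.js built-in crypto).
const crypto = require('node:crypto');

const RP_ID = 'sso.example.com';                 // constructed relying-party ID
const RP_ORIGIN = 'https://sso.example.com';     // constructed genuine login origin
const PHISH_ORIGIN = 'https://sso-example.test'; // constructed look-alike origin
const sha256 = (b) => crypto.createHash('sha256').update(b).digest();

// Simulated hardware key: one P-256 key pair registered for the user at RP_ID.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });

// Browser + key at login. The browser, not the page, records the origin being shown.
// Simplification: a real key holds no credential for the look-alike RP ID and would
// return nothing; this one signs anyway so the server-side checks can be seen.
function signAssertion(pageOrigin, challenge) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get', challenge: challenge.toString('base64url'), origin: pageOrigin }));
  // authenticatorData = SHA-256(rpId) | flags (0x01 = user present) | 4-byte counter
  const authData = Buffer.concat(
    [sha256(new URL(pageOrigin).hostname), Buffer.from([0x01]), Buffer.alloc(4)]);
  const signature = crypto.sign('sha256', Buffer.concat([authData, sha256(clientDataJSON)]), privateKey);
  return { clientDataJSON, authData, signature };
}

// Relying-party verification on the genuine site.
function verifyAssertion({ clientDataJSON, authData, signature }, expectedChallenge) {
  const client = JSON.parse(clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'wrong type';
  if (client.challenge !== expectedChallenge.toString('base64url')) return 'challenge mismatch';
  if (client.origin !== RP_ORIGIN) return 'origin mismatch';
  if (!authData.subarray(0, 32).equals(sha256(RP_ID))) return 'rpIdHash mismatch';
  if (!(authData[32] & 0x01)) return 'user not present';
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  return crypto.verify('sha256', signed, publicKey, signature) ? 'ok' : 'bad signature';
}

// One login attempt: the genuine site issues a challenge, the user answers it on
// pageOrigin, and the result reaches the genuine site. With rewrite=true the relayed
// origin and rpIdHash are altered in transit to the values the site expects.
function loginVia(pageOrigin, rewrite = false) {
  const challenge = crypto.randomBytes(32);
  const a = signAssertion(pageOrigin, challenge);
  if (rewrite) {
    const c = { ...JSON.parse(a.clientDataJSON.toString('utf8')), origin: RP_ORIGIN };
    a.clientDataJSON = Buffer.from(JSON.stringify(c));
    a.authData = Buffer.concat([sha256(RP_ID), a.authData.subarray(32)]);
  }
  return verifyAssertion(a, challenge);
}
console.log(loginVia(RP_ORIGIN), '|', loginVia(PHISH_ORIGIN), '|', loginVia(PHISH_ORIGIN, true));
```

The relayed assertion fails on the origin check, and altering the signed fields afterwards fails on the signature, so nothing collected on the look-alike page is usable on the genuine one.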
Had the attackers got past these hurdles, Cloudflare said the phishing page would then have downloaded a phishing payload that included AnyDesk’s remote access software, allowing the attackers to control the victim’s device remotely.
The company said the attack did not progress that far - but its endpoint security would have thwarted the installation if it had.
Despite the attack failing, Cloudflare added that it would be making adjustments such as restricting access to sites running on domains registered in the previous 24 hours, as well as running new key terms through its browser isolation technology.
The firm’s Cloudflare Area 1 solution’s phishing identification tech will also now scan the web for pages designed to target the company, while logins from unknown virtual private networks (VPNs) will be canned.
Dan is a freelance writer and regular contributor to ChannelPro, covering the latest news stories across the IT, technology, and channel landscapes. Topics regularly cover cloud technologies, cyber security, software and operating system guides, and the latest mergers and acquisitions.
A journalism graduate from Leeds Beckett University, he combines a passion for the written word with a keen interest in the latest technology and its influence in an increasingly connected world.
He started writing for ChannelPro back in 2016, focusing on a mixture of news and technology guides, before becoming a regular contributor to ITPro. Elsewhere, he has previously written news and features across a range of other topics, including sport, music, and general news.