
Twilio & Cloudflare… A Tale of Two Attacks


Highly sophisticated phishing attacks of the kind that hit Twilio and Cloudflare were carried out against over 135 organizations by attackers seeking unauthorized access.


Earlier this quarter, highly sophisticated phishing attacks were carried out against more than 135 organizations. In this blog we discuss the phishing mechanisms the attackers leveraged to gain unauthorized access, specifically in the context of the Twilio and Cloudflare attacks.

“The attacks were part of a massive phishing campaign that had netted almost 10,000 account credentials belonging to 130 organizations” – reports Group-IB

What happened?

Twilio, a cloud communications platform as a service (CPaaS) provider, was hit by a sophisticated social-engineering phishing attack. Around the same time, in July 2022, Cloudflare saw an attack with very similar characteristics targeting its employees.

The attackers behind the attempts on Twilio and Cloudflare had cast a much wider net in their phishing expedition, targeting as many as 135 organizations, primarily IT, software development, and cloud services providers based in the US. The attackers' initial objectives were twofold:

  1. To obtain Okta identity credentials
  2. To obtain two-factor authentication (2FA) codes from users of the targeted organizations.

Twilio has since issued an updated advisory saying that, based on further forensic work, a small number of users of Authy – Twilio's free two-factor authentication app – were also affected. Twilio said it has identified a total of 163 customers whose data was accessed by the intruders.

"Our investigation has identified that the malicious actors gained access to the accounts of 93 individual Authy users, out of a total of approximately 75 million users, and registered additional devices to their accounts," Twilio said.

Real-Time Phishing

It appears that the attacker received the credentials in real time, entered them into the victim company's actual login page, and thereby triggered a code that was sent to the employee via SMS or displayed by their authenticator app. The employee would then enter that TOTP (Time-based One-Time Password) code on the phishing site, and it too would be relayed to the attacker. Before the code expired, the attacker could use it on the company's actual login page, defeating most two-factor authentication implementations.
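To make the relay mechanics concrete, here is an added illustration (not code from the original post, nor from Twilio, Cloudflare or Okta): a minimal RFC 6238 TOTP verifier next to a WebAuthn-style origin-bound check, run through the flow above from the verifier's side. The shared secret is the RFC test-vector secret, the two origins are placeholders, and the origin-bound construction is a simplified HMAC stand-in for a real WebAuthn signature.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the current 30-second time step."""
    return hotp(secret, at // step)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30, skew: int = 1) -> bool:
    """Server-side check. Nothing in the code says where it was typed, so any party
    holding it inside the accepted window (current step +/- skew steps) passes."""
    candidates = (hotp(secret, at // step + d) for d in range(-skew, skew + 1))
    return any(hmac.compare_digest(code, c) for c in candidates)


def origin_bound_response(secret: bytes, challenge: bytes, origin: str) -> str:
    """Authenticator-side response in the style of WebAuthn: the signed data includes the
    origin the browser reports, so it is tied to the page the user is actually on.
    (Illustrative HMAC construction, not the real WebAuthn signature format.)"""
    return hmac.new(secret, challenge + origin.encode(), hashlib.sha256).hexdigest()


def verify_origin_bound(secret: bytes, challenge: bytes, expected_origin: str, response: str) -> bool:
    """Relying-party check: recompute with the genuine origin and compare."""
    return hmac.compare_digest(response, origin_bound_response(secret, challenge, expected_origin))


# Constructed values for the demonstration; none of them come from the incident.
SHARED_SECRET = b"12345678901234567890"        # RFC 4226 / RFC 6238 test-vector secret
REAL_ORIGIN = "https://sso.example.com"        # placeholder for the genuine SSO origin
PHISH_ORIGIN = "https://example-okta.example"  # placeholder for the look-alike page


def relay_scenario(t0: int = 1_700_000_000, relay_delay: int = 5) -> dict:
    """Replays the flow from the paragraph above on the verifier side: the employee enters
    a second factor on the look-alike page at time t0 and the attacker submits it to
    the genuine login page relay_delay seconds later."""
    # 1. TOTP: the relayed code is still inside the same 30-second step, so the real server
    #    accepts it even with zero clock-skew tolerance; the common +/-1-step tolerance
    #    makes the usable window wider still.
    code_typed_on_phish_page = totp(SHARED_SECRET, t0)
    totp_relay_accepted = verify_totp(SHARED_SECRET, code_typed_on_phish_page, t0 + relay_delay, skew=0)

    # 2. Origin-bound factor: the response the user produced commits to PHISH_ORIGIN, so it
    #    fails at REAL_ORIGIN no matter how fast the relay is.
    challenge = b"\x01" * 32  # constructed; a real relying party issues a fresh random challenge per login
    response_on_phish_page = origin_bound_response(SHARED_SECRET, challenge, PHISH_ORIGIN)
    bound_relay_accepted = verify_origin_bound(SHARED_SECRET, challenge, REAL_ORIGIN, response_on_phish_page)

    # 3. Control: the same construction still works for a user on the genuine page.
    response_on_real_page = origin_bound_response(SHARED_SECRET, challenge, REAL_ORIGIN)
    legit_accepted = verify_origin_bound(SHARED_SECRET, challenge, REAL_ORIGIN, response_on_real_page)

    return {
        "totp_relay_accepted": totp_relay_accepted,
        "origin_bound_relay_accepted": bound_relay_accepted,
        "origin_bound_legit_accepted": legit_accepted,
    }


if __name__ == "__main__":
    print(relay_scenario())
```

The point of the contrast is that a TOTP verifier only ever sees a six-digit number and a clock, whereas an origin-bound factor carries the page origin inside the signed data, so a response minted on a look-alike domain is rejected by the genuine site regardless of relay speed.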

Figure: Phishing flow

Phishing Text Messages

The Cloudflare Security team received reports of employees receiving legitimate-looking text messages pointing to what appeared to be a Cloudflare Okta login page. The messages began at 2022-07-20 22:50 UTC. Over the course of less than 1 minute, at least 76 employees received text messages on their personal and work phones. The text messages received by employees looked like this:

Figure: Sample Cloudflare SMS phishing messages

Figure: Sample Twilio SMS phishing messages

If a user clicked the link, it led to a phishing page designed to look identical to a legitimate Okta login page, which prompted the visitor for their username and password. The URLs included words such as “cloudflare-okta”, “twilio-okta”, “okta” and “SSO” (as shown in the sample SMS screenshots above) to trick users into clicking a link to a landing page that impersonated Twilio's or Cloudflare's sign-in page.

The text messages originated from U.S. carrier networks. The phishing page was hosted on DigitalOcean and looked like this:

Figure: Sample Cloudflare phishing page
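As an added detection example (not from the original post), the following triages reported message text for the pattern described above: links whose hostname combines a brand name with an SSO token such as “okta” or “sso” but is not the organisation's own SSO hostname. The sample messages, the brand list and the allowlisted host are constructed placeholders, not the real screenshots or tenant.

```python
import re
from urllib.parse import urlsplit

# Constructed sample messages modelled on the pattern described above. They are not the
# real screenshots; the hosts use reserved example domains.
SAMPLE_MESSAGES = [
    "Alert! Your Cloudflare schedule has been updated, please tap https://cloudflare-okta.example/ to review.",
    "Twilio SSO: your password expires today. Renew now: http://twilio-sso.example/login",
    "Reminder: team sync at 10am, agenda at https://sso.example.com/app/calendar.",
    "Your package has been delivered.",
]

# Assumption: the organisation's genuine SSO hostname(s). Any other host that looks like SSO is suspect.
LEGIT_SSO_HOSTS = {"sso.example.com"}
# Assumption: brand names employees would recognise in a lure.
BRAND_TOKENS = ("cloudflare", "twilio")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# "okta" or "sso" as a whole label or a hyphen-separated word inside the hostname.
SSO_LABEL_RE = re.compile(r"(?:^|[.-])(?:okta|sso)(?:[.-]|$)")


def extract_urls(text: str) -> list[str]:
    """Pull http(s) URLs out of free text, dropping trailing sentence punctuation."""
    return [u.rstrip(".,;:!?)") for u in URL_RE.findall(text)]


def classify_host(host: str) -> str:
    """Rate a hostname by how closely it matches the brand-plus-SSO lure pattern."""
    host = host.lower()
    if host in LEGIT_SSO_HOSTS:
        return "allow"
    has_sso = bool(SSO_LABEL_RE.search(host)) or "okta" in host
    has_brand = any(b in host for b in BRAND_TOKENS)
    if has_sso and has_brand:
        return "high"    # brand + SSO token in a domain the organisation does not own
    if has_sso or has_brand:
        return "medium"  # one of the two; worth a human look
    return "low"


def triage(messages: list[str]) -> list[dict]:
    """One finding per URL found in the reported messages, with its hostname and verdict."""
    findings = []
    for idx, msg in enumerate(messages):
        for url in extract_urls(msg):
            host = urlsplit(url).hostname or ""
            findings.append({"message": idx, "url": url, "host": host, "verdict": classify_host(host)})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_MESSAGES):
        print(f"message {f['message']}: {f['verdict']:6} {f['host']}  ({f['url']})")
```

This is deliberately an allowlist-first check: the genuine SSO hostname is the only thing rated “allow”, and every other host that carries an SSO or brand token gets escalated, which matches how the lures here were built (a recognisable brand word next to “okta” or “sso” on a domain the company does not own).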

Summary

The methods used by this threat actor are not unique by any means, but the planning and how the attacker pivoted from one company to another makes the phishing campaign worth looking into. This showcases how vulnerable modern organizations are to some basic social engineering attacks and how far-reaching the effects of such incidents can be for their employees, customers, and partners.

About AccuKnox

AccuKnox‘s Zero Trust Cloud Native Application Protection Platform (CNAPP) is built in partnership with SRI (Stanford Research Institute) and is anchored on seminal patented inventions in the areas of Container Security, Anomaly Detection, and Data Provenance. AccuKnox delivers comprehensive Zero Trust security for Networks, Applications (K8, VM), and Data across Cloud, IoT/Edge, and 5G environments, and AccuKnox can be deployed in Public and Private Cloud environments. AccuKnox is a core contributor to the Kubernetes Runtime Security platform, and AccuKnox’s CNCF project, KubeArmor, has received 180,000+ downloads. Visit www.accuknox.com or follow us on Twitter (@accuknox).

Figure: AccuKnox Open Source and Enterprise platforms