Internet infrastructure firm Cloudflare on Monday disclosed that at least 35 employees and their family members received text messages on their personal and work cell phones bearing the same characteristics as the sophisticated phishing attack against Twilio.
The hacking attempt, which occurred around the same time Twilio was attacked, came from three phone numbers associated with T-Mobile-issued SIM cards and was ultimately unsuccessful.
The SMS messages pointed to an apparently legitimate domain containing the keywords “Cloudflare” and “Okta” in an attempt to trick the employees into handing over their login credentials.
The wave of over 50 smishing messages began less than half an hour after the phishing domain was registered via GoDaddy, the company noted, adding that the fake login page was designed to relay the credentials entered by unsuspecting staff to the attackers in real time via the Telegram messaging app.
This also meant the attack could defeat two-factor authentication based on time-based one-time passwords (TOTP): codes entered on the fake login page were relayed in the same way, enabling the adversary to sign in with the stolen passwords and TOTP codes they received.
Cloudflare said four of its employees fell for the phishing attack, but noted that it was able to prevent its internal systems from being compromised through the FIDO2-compliant physical security keys required to access its applications.
“Since the complex keys are uniquely given to users and implement origin linking between them, even a sophisticated, real-time phishing attempt like this cannot gain the information required to log in to any of our systems,” a Cloudflare representative added.
“While the hackers attempted to log in to our systems with the compromised username and password credentials, they could not get past the hard key requirement.”
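To illustrate why the real-time relay described above captures a TOTP code but not a hardware-key login, here is an added Python sketch (not Cloudflare's code and not from the original article) of a toy WebAuthn-style check. The origins are constructed placeholders, and an HMAC key stands in for the credential's real key pair; the origin-binding logic is what the demo shows.

```python
import hashlib
import hmac
import json
import secrets

# Constructed placeholder origins, not the domains from the incident.
LEGIT_ORIGIN = "https://login.example.com"
PHISH_ORIGIN = "https://login-example.example.net"


class ToyAuthenticator:
    """One credential per relying-party ID (rpId); HMAC stands in for the key pair."""

    def __init__(self):
        self.creds = {}

    def register(self, rp_id):
        self.creds[rp_id] = secrets.token_bytes(32)
        return self.creds[rp_id]  # a real RP would store only the public key

    def get_assertion(self, origin, challenge):
        rp_id = origin.split("://", 1)[1]  # the browser derives rpId from the page origin
        key = self.creds.get(rp_id)
        if key is None:
            return None  # no credential is scoped to this site
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": origin}, sort_keys=True).encode()
        sig = hmac.new(key, hashlib.sha256(client_data).digest(), "sha256").digest()
        return client_data, sig


def rp_verify(stored_key, expected_origin, challenge, assertion):
    """Relying-party side: origin and challenge must match and be covered by the signature."""
    if assertion is None:
        return False
    client_data, sig = assertion
    cd = json.loads(client_data)
    if cd.get("origin") != expected_origin or cd.get("challenge") != challenge:
        return False
    expected = hmac.new(stored_key, hashlib.sha256(client_data).digest(), "sha256").digest()
    return hmac.compare_digest(expected, sig)


def login_outcomes():
    """Returns (legitimate login ok, relayed login ok): the phishing page forwards the
    real challenge, but the victim's browser answers for PHISH_ORIGIN, which the RP rejects."""
    auth = ToyAuthenticator()
    rp_key = auth.register("login.example.com")
    challenge = secrets.token_hex(16)
    legit = rp_verify(rp_key, LEGIT_ORIGIN, challenge, auth.get_assertion(LEGIT_ORIGIN, challenge))
    relayed = rp_verify(rp_key, LEGIT_ORIGIN, challenge, auth.get_assertion(PHISH_ORIGIN, challenge))
    return legit, relayed
```

A relayed TOTP code has no such origin field to check, which is why the page's relay works against it and not against the key.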
What’s more, the attack did not stop at harvesting credentials and TOTP codes. Should an employee get past the login step, the phishing page was coded to automatically download AnyDesk’s remote administration tool (RAT), which, if installed on a machine, could be used to take full control of the victim’s system.
After the attack ended, the targeted employees received a final message on their devices signed by the hackers, saying “This is only a beginning. – Awaken Cybers team”.
Besides working with DigitalOcean to shut down the attackers’ server, the company also said it reset the passwords of the targeted employees and that it is tightening its access controls to prevent any logins from unknown VPNs, proxies and infrastructure providers.
The development comes a few days after Twilio disclosed that unknown attackers succeeded in phishing the credentials of a certain number of its employees and gained unauthorized access to the company’s internal systems, using it to get into its users’ accounts.
After doing research about the so-called AwakenCybers hackers, we have found out from the media that they offer hacking services for a fee (source: their website, awakencybers.com, and their clients’ reviews). Now the question is whether this was a paid attack or they did it on their own initiative; it is still unknown.