Cloudflare, a firm that operates a broadband network, revealed on Monday that at least 35 of its staff members, along with relatives of those employees, received messages on their personal and work cell phones that bore strong similarities to the sophisticated phishing attack against Twilio.
The attempt, which took place around the time Twilio was breached, originated from 3 telephone numbers tied to SIM cards issued by T-Mobile. In the end, the attempt was unsuccessful.
The SMS messages were designed to trick employees into handing over their login credentials by directing them to a legitimate-looking website whose domain contained the keywords “Cloudflare” and “Okta”.
The company believes the wave of over 50 phishing SMS messages began just under half an hour after the phishing domain was registered via GoDaddy. It also noted that the fake login page was built to relay the usernames and passwords entered by employees to the attackers via the Telegram messaging service in real time.
Because the fake page also captured one-time passwords, the attack could bypass the protection offered by two-factor authentication based on time-based one-time passwords (TOTP). The codes entered on the fake login page were relayed in the same way, allowing the adversary to sign in with the stolen credentials and the TOTP codes they obtained.
Cloudflare reported that 4 of its employees fell for the phishing attempt, but added that it was able to protect its internal network from compromise because FIDO2-compliant hardware security keys were required to access its systems.
“Even an advanced, serious malware attempt like this one will not obtain the data needed to sign into any of our systems because the complicated keys are distinctively given to customers and incorporate origin linking among them,” a representative from Cloudflare added.
“Even though the hackers tried to enter into our systems using the stolen username and password details, they were unable to get beyond the hard central component.”
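The origin binding that Cloudflare's representative describes, modelled as an added example that is not from the original article or from Cloudflare: a simulated WebAuthn login in which the browser, the security key and the relying party each enforce a binding to the real domain, so an assertion collected on a lookalike phishing page is rejected even when it is relayed in real time. All domains, the credential key and the challenge are constructed values, and an HMAC stands in for the asymmetric signature a real FIDO2 key would produce.

```python
import hashlib
import hmac
import json

# Constructed values for a hypothetical relying party; not Cloudflare's real configuration.
RP_ID = "example.com"                          # domain the credential is scoped to
RP_ORIGIN = "https://sso.example.com"          # the only origin the RP accepts
PHISH_ORIGIN = "https://sso-example-okta.test" # attacker-controlled lookalike (constructed)
USER_KEY = b"constructed-credential-key"       # stands in for the credential's private key
CHALLENGE = "Y29uc3RydWN0ZWQtY2hhbGxlbmdl"     # constructed; real RPs use fresh random bytes


def rp_id_hash(rp_id):
    return hashlib.sha256(rp_id.encode()).digest()


def browser_assertion(page_origin, requested_rp_id):
    # The browser only honours an rpId that is the page's domain or a registrable suffix
    # of it; anything else raises SecurityError and no assertion is produced.
    host = page_origin.split("://", 1)[1]
    if host != requested_rp_id and not host.endswith("." + requested_rp_id):
        return None
    # clientDataJSON carries the real page origin; page scripts cannot override it.
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": CHALLENGE, "origin": page_origin}).encode()
    # The authenticator signs authenticatorData || SHA-256(clientDataJSON), and the
    # authenticatorData starts with the hash of the rpId the assertion is scoped to.
    auth_data = rp_id_hash(requested_rp_id) + b"\x01" + (0).to_bytes(4, "big")  # UP flag, counter
    sig = hmac.new(USER_KEY, auth_data + hashlib.sha256(client_data).digest(), "sha256").digest()
    return client_data, auth_data, sig


def rp_verify(client_data, auth_data, sig):
    # Relying-party checks in the order the WebAuthn assertion procedure prescribes.
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != CHALLENGE:
        return "challenge mismatch"
    if cd.get("origin") != RP_ORIGIN:
        return "origin mismatch"
    if auth_data[:32] != rp_id_hash(RP_ID):
        return "rpIdHash mismatch"
    expected = hmac.new(USER_KEY, auth_data + hashlib.sha256(client_data).digest(), "sha256").digest()
    return "ok" if hmac.compare_digest(expected, sig) else "bad signature"


def login_attempt(page_origin, requested_rp_id=RP_ID):
    # One login flow: the page at page_origin asks the browser for an assertion and
    # forwards whatever it gets to the real RP unchanged (a relay cannot re-sign it).
    result = browser_assertion(page_origin, requested_rp_id)
    if result is None:
        return "browser refused rpId"
    return rp_verify(*result)
```

Contrast this with a relayed TOTP code, which carries no information about where it was typed and therefore verifies at the real site regardless of origin.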
The attack did not stop at collecting credentials and TOTP codes. The phishing website was programmed to automatically launch AnyDesk’s remote management application (RMT) once a victim got past the login step. Once installed on a device, this application could be used to take complete control of the target system.
After the attack concluded, the targeted employees’ smartphones received a final message, signed by one of the attackers, which read: “This is simply a beginning. – Awaken Cybers squad”.
The company also said it had worked with DigitalOcean to take down the server the attackers were using, had reset the login credentials of the targeted employees, and is tightening its access controls to block logins from unknown VPNs, proxy servers, and infrastructure providers.
The development comes just days after Twilio disclosed that unidentified hackers had stolen the login credentials of a number of its employees and gained unauthorized access to internal company applications, then used that access to get into the accounts of Twilio’s customers.
After researching the purported hackers behind AwakenCybers, we discovered that the group offers its hacking skills for a price (information obtained from the news page of awakencybers.com, the group’s official website). Now the question is: was this attack paid for, or did they do it of their own accord? The answer remains a mystery.