Cloudflare Falls Victim to Cyberattack Leveraging Credentials from Okta Breach



Post by evgeni22 »

Cloudflare disclosed a security breach today, revealing that a suspected nation-state attacker infiltrated its internal Atlassian server.

The attack, which began on November 14, compromised Cloudflare’s Confluence wiki, Jira bug database, and Bitbucket source code management system.

How did attackers first gain access to Cloudflare’s systems?
The attackers first accessed Cloudflare’s Atlassian server on November 14, engaging in reconnaissance before returning on November 22 to establish persistent access.

They used ScriptRunner for Jira and accessed Cloudflare’s Bitbucket source code management system.

Efforts to access a console server connected to an unlaunched data center in São Paulo, Brazil, were unsuccessful.

What methods did the attackers use to compromise Cloudflare’s security?
The attackers used one access token and three service account credentials previously stolen during Okta’s October 2023 breach.

Cloudflare detected the malicious activity on November 23 and swiftly severed the hacker’s access by the morning of November 24.

The Okta breach
The Okta breach in 2023 was caused by the compromise of an Okta customer support engineer’s account.

This breach was attributed to a sophisticated phishing campaign targeting the support engineer.

The attackers, after gaining access to the support engineer’s account, could potentially view and perform actions within the Okta accounts of multiple Okta customers.

How did the company respond?
Cloudflare’s cybersecurity team initiated an investigation on November 26.

The company rotated over 5,000 production credentials, conducted a forensic triage of 4,893 systems, and rebooted its global network, including all Atlassian servers.

Cloudflare returned the equipment from its Brazil data center to manufacturers for security assurance.

The remediation efforts concluded on January 5, with Cloudflare actively enhancing software hardening, credential, and vulnerability management.

Bleeping Computer reports that Cloudflare’s Okta instance experienced a breach on October 18, 2023, affecting 134 customers. Cloudflare successfully contained that incident, ensuring no compromise of customer data.

Cloudflare’s CEO Matthew Prince, CTO John Graham-Cumming, and CISO Grant Bourzikas say that the breach had limited operational impact but was taken seriously due to the sensitive access obtained by the attackers.

The company asserts that the attack aimed to gain widespread access to Cloudflare’s global network, yet confirms the security of its customer data and systems:

Even though we understand the operational impact of the incident to be extremely limited, we took this incident very seriously because a threat actor had used stolen credentials to get access to our Atlassian server and accessed some documentation and a limited amount of source code,