Cloudflare announced it detected unauthorized access to their self-hosted Atlassian server, resulting in a limited-scope data breach.
Cloudflare is a major tech company offering services like a content delivery network (CDN) and DDoS protection. It serves a broad client base, from individual bloggers to large enterprises, enhancing web performance and security.
The incident Cloudflare disclosed via a blog post yesterday is traced back to an October 2023 Okta compromise, which affected the digital identity firm’s customer support management system. That incident involved a threat actor accessing and downloading a report containing names, email addresses, an other data that put Okta administrator accounts at severe risk.
The attack on Cloudflare involves a threat actor conducting reconnaissance on its systems between November 14 and 17, 2023. According to the results of the investigation, which was completed yesterday, the intruder gained access to Cloudflare’s internal wiki and bug database, accessed the source code management system, and also attempted to access a console server.
“From November 14 to 17, a threat actor did reconnaissance and then accessed our internal wiki (which uses Atlassian Confluence) and our bug database (Atlassian Jira). On November 20 and 21, we saw additional access indicating they may have come back to test access to ensure they had connectivity.
They then returned on November 22 and established persistent access to our Atlassian server using ScriptRunner for Jira, gained access to our source code management system (which uses Atlassian Bitbucket), and tried, unsuccessfully, to access a console server that had access to the data center that Cloudflare had not yet put into production in São Paulo, Brazil.”
Cloudflare
Access logs showed that the attacker’s actions were made possible by using a single access token and three service account credentials stolen from the Okta breach, which Cloudflare had failed to rotate quickly enough.
Cloudflare says that despite the attacker’s seemingly extensive activities throughout the said three-day period, their movements in the company’s network were restricted thanks to security systems in place and eventually terminated on November 24. Cloudflare attributed the incident to a sophisticated nation-state actor, emphasizing the meticulous and methodical approach of the attacker.
In response to this significant breach, Cloudflare launched a “Code Red” effort, mobilizing extensive resources to fortify security, scrutinize accessed systems, and implement sweeping credential rotations and system hardening.
Despite the limited scope of the intrusion, Cloudflare undertook rigorous measures to eliminate any potential vulnerabilities or remnants of the attack the threat actor could use to regain access, even replacing hardware in a São Paulo data center as a precaution. CrowdStrike’s independent investigation corroborated Cloudflare’s findings, confirming that the threat actor’s activities were confined to the Atlassian environment that was recognized as breached.
Cloudflare shared indicators of compromise (IoCs) to assist other Okta clients in detecting similar activity, but based on the gathered evidence, it is unable to attribute the attack to a known/documented threat group.