Cloudflare disclosed that last November it was preyed on by suspected foreign government spies during a broad Okta supply-chain breach in which the attacker(s) used stolen credentials.
The attacker struck its Confluence and Jira platforms before settling in on persistence in its Atlassian server. It was the second time Cloudflare was victimized stemming from the compromise of Okta’s systems last October.
The Scope of the New Cloudflare Incident
No customer data was affected nor were any services implicated, and no changes were made to its global network systems or configuration, Cloudflare said. The company credited its access controls, firewall rules and hard security keys via its own zero trust tools that limited the threat actor’s ability to move laterally in its systems.
Still, the attackers came away with “some documentation and a limited amount” of source code.
“Even though we understand the operational impact of the incident to be extremely limited, we took this incident very seriously because a threat actor had used stolen credentials to get access to our Atlassian server and accessed some documentation and a limited amount of source code,” Cloudflare said in a blog post authored by chief executive Matthew Prince, chief technology officer John Graham-Cumming and chief information security officer Grant Bourzikas.
Prince, Graham-Cumming and Bourzikas said that the company had failed to rotate one stolen access token and three service account credentials that had been lifted following the Okta breach in October, 2023.
Background on the Cloudflare Breach
The web and DDoS protector said that it first discovered the breach on November 23, 2003. Three days later, Cloudflare brought in CrowdStrike’s forensic team for an independent analysis, as part of a company-wide effort called “Code Red” that consumed much of its technical staff's time.
An investigation did not reveal any data in addition to that compiled in Cloudflare’s internal examination.
"Based on our collaboration with colleagues in the industry and government, we believe that this attack was performed by a nation-state attacker with the goal of obtaining persistent and widespread access to Cloudflare's global network," Cloudflare said in the blog post.
From November 14 to 17, the threat actor conducted reconnaissance and then accessed Cloudflare’s corporate wiki, which uses Atlassian Confluence and its bug database Atlassian Jira.
The threat actor searched the wiki for “things like remote access, secret, client-secret, openconnect, cloudflared, and token,” Cloudflare said. In total, the attackers accessed 36 Jira tickets out of two million and 202 wiki pages out of 194,100.
“The wiki searches and pages accessed suggest the threat actor was very interested in all aspects of access to our systems: password resets, remote access, configuration, our use of Salt, but they did not target customer data or customer configurations,” Cloudflare said.
The Hackers Return
On November 20 and 21, 2023, Cloudflare found evidence of additional access that the cyber crew may have returned to “test access to ensure they had connectivity,” Cloudflare said.
The hackers then returned on November 22 and established “persistent access to our Atlassian server” and were able to access Cloudflare’s source code management system. An attempt to access a console server connected to the company’s data center in Brazil that had not yet been put into production failed.
“The efforts we have taken ensure that the ongoing impact of the incident was limited and that we are well-prepared to fend off any sophisticated attacks in the future,” Cloudflare said.
Two months ago, the Cybersecurity and Infrastructure Security Agency (CISA) released an advisory that said Atlassian had released security updates to address vulnerabilities affecting multiple Atlassian products.
