Cloudflare breached on Thanksgiving Day, but the attack was promptly contained
February 02, 2024
Cloudflare revealed that a nation-state actor breached its internal Atlassian server, gaining access to the internal wiki and its bug database (Atlassian Jira).
The incident took place on Thanksgiving Day, November 23, 2023, and Cloudflare immediately began an investigation with the help of CrowdStrike. The company pointed out that no customer data or systems were impacted by this security breach.
Cloudflare disclosed today that its internal Atlassian server was breached by a suspected ‘nation-state attacker’ who accessed its Confluence wiki, Jira bug database, and Bitbucket source code management system.
The nation-state actor first gained access to the company’s Atlassian server on November 14 and then accessed the Confluence and Jira systems.
“From November 14 to 17, a threat actor did reconnaissance and then accessed our internal wiki (which uses Atlassian Confluence) and our bug database (Atlassian Jira). On November 20 and 21, we saw additional access indicating they may have come back to test access to ensure they had connectivity.” reads the blog post published by the company. “They then returned on November 22 and established persistent access to our Atlassian server using ScriptRunner for Jira, gained access to our source code management system (which uses Atlassian Bitbucket), and tried, unsuccessfully, to access a console server that had access to the data center that Cloudflare had not yet put into production in São Paulo, Brazil.”
The threat actor also attempted to gain access to a console server in a new company’s data center in São Paulo, but all attempts failed.
The investigation revealed that the attackers used one access token and three service account credentials that were obtained in Okta compromise of October 2023. Cloudflare admitted having failed to rotate these authentication elements.
The company locked out the threat actor on November 24 and CrowdStrike confirmed that the threat was completely eradicated.
To prevent the attacker from using the obtained technical information, Cloudflare rotated every production credential (more than 5,000 individual credentials), physically segmented test and staging systems, performed forensic triages on 4,893 systems, reimaged and rebooted every machine in its global network including all the systems that were accessed by the intruders.
“This was a security incident involving a sophisticated actor, likely a nation-state, who operated in a thoughtful and methodical manner. The efforts we have taken ensure that the ongoing impact of the incident was limited and that we are well-prepared to fend off any sophisticated attacks in the future.” concludes the report.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
Pierluigi Paganini
(SecurityAffairs – hacking, Okta)