Cloudflare sheds more light on Thanksgiving security breach in which tokens, source code accessed by suspected spies

Trending 4 weeks ago

Cloudflare has conscionable elaborate really suspected authorities spies gained entree to its soul Atlassian installation utilizing credentials stolen via a information breach astatine Okta successful October.

In a write-up connected Thursday, CEO Matthew Prince, CTO John Graham-Cumming, and CISO Grant Bourzikas said nan Atlassian intrusion was detected each nan measurement backmost connected Thanksgiving Day, November 23, 2023, and that nan trespassers were ejected nan pursuing day.

The October Okta information breach progressive much than 130 customers of that IT entree guidance biz, successful which snoops swiped information from Okta successful dream of drilling further into those organizations. Cloudflare was among those affected, arsenic it was successful 2022 arsenic a consequence of a abstracted Okta intrusion.

Cloudflare acknowledged successful October it was caught up successful Okta's latest information meltdown, and is now disclosing much specifications astir what happened.

The intruders – apt agents of a federation state, according to Prince et al – obtained 1 work token and 3 work relationship credentials done that 2023 Okta compromise. At nan time, Okta indicated that accusation stolen from its customer support systems was beautiful benign, and could beryllium utilized successful things for illustration phishing aliases societal engineering attacks. It turns retired that convention tokens, granting entree into networks of nan likes of Cloudflare, were taken from Okta's systems.

"One was a Moveworks work token that granted distant entree into our Atlassian system," said Prince, Graham-Cumming, and Bourzikas connected that note.

"The 2nd credential was a work relationship utilized by nan SaaS-based Smartsheet exertion that had administrative entree to our Atlassian Jira instance, nan 3rd relationship was a Bitbucket work relationship which was utilized to entree our root codification guidance system, and nan 4th was an AWS situation that had nary entree to nan world web and nary customer aliases delicate data."

Because Cloudflare incorrectly believed those tokens were unused, it grounded to rotate them. So nan thief aliases thieves were capable to usage them to summation entree to Cloudflare's systems.

  • Okta information breach dilemma dwarfs earlier estimates
  • Okta October breach affected 134 orgs, biz admits
  • Cloudflare exiles baseboard guidance controller from its server motherboards
  • Cloudflare defends firing of staffer for reasons HR could not explain

From November 14, 2023 done November 17, 2023, nan intruders look to person been probing Cloudflare's systems, doing reconnaissance done its Confluence-based soul wiki, and its Jira bug database.

Further accesses were detected connected November 20 and 21, pursuing by nan constitution of a persistence beingness successful nan unreality corp's Atlassasian server via ScriptRunner for Jira. Having administrative entree to Jira via nan Smartsheet service, nan snoops were capable to instal nan Sliver Adversary Emulation Framework, a communal instrumentality for command-and-control connectivity and backdoor access.

The intruders besides gained entree to Cloudflare's Bitbucket root codification guidance system, but efforts to entree a console server linked to a not-yet-active datacenter successful São Paulo, Brazil failed.

The intruders, according to nan unreality giant, scoured nan biz's wiki for accusation astir distant access, secrets, and tokens. Also of liking were 36 Jira tickets, retired of much than 2 million, that focused connected vulnerability management, concealed rotation, multi-factor authentication bypass, web access, and moreover nan biz's consequence to nan Okta incident.

This onslaught was performed by a nation-state attacker pinch nan extremity of obtaining persistent and wide entree to Cloudflare’s world network

The spies' liking successful secrets was besides evident successful nan 120 Bitbucket codification repositories viewed retired of a full of almost 12,000. Some 76 of nan 120 were downloaded to nan Atlassian server. While Cloudflare is uncertain whether these were exfiltrated, it's treating them arsenic such. These repos were mostly related to nan measurement backups work, world web configuration and management, identity, distant access, and Terraform and Kubernetes. A fewer contained encrypted secrets and those were instantly rotated moreover though they were powerfully encrypted, according to nan US CDN giant.

"Even though we understand nan operational effect of nan incident to beryllium highly limited, we took this incident very earnestly because a threat character had utilized stolen credentials to get entree to our Atlassian server and accessed immoderate archiving and a constricted magnitude of root code," said Prince et al.

"Based connected our collaboration pinch colleagues successful nan manufacture and government, we judge that this onslaught was performed by a nation-state attacker pinch nan extremity of obtaining persistent and wide entree to Cloudflare’s world network."

Cloudflare managed to expel nan attackers by November 24, 2023, and group astir assessing nan harm and investigating what happened. Three days later, a company-wide remediation effort dubbed "Code Red" became nan attraction of overmuch of its method staff. And this task was assisted by outer information patient Crowdstrike, which carried retired an independent appraisal of nan cyber-assault.

Code Red concluded connected January 5, 2024, but according to Prince, Graham-Cumming, and Bourzikas "work continues crossed nan institution astir credential management, package hardening, vulnerability management, further alerting, and more." ®