On November 23, 2023, Cloudflare detected a threat actor on its self-hosted Atlassian server. The attack was initiated using a single stolen access token and three compromised service account credentials, which had not been rotated after the Okta compromise in October 2023.
The security team sought assistance from CrowdStrike’s Forensic team to investigate the security breach. On November 24, all connections and access privileges for the malicious actors were terminated.
“We want to emphasize to our customers that no Cloudflare customer data or systems were impacted by this event,” according to Cloudflare’s blog.
“We took this incident very seriously because a threat actor had used stolen credentials to get access to our Atlassian server and accessed some documentation and a limited amount of source code.”
Overview of the Incident
The threat actors conducted reconnaissance from November 14 to November 17. Following this, they gained access to the organization’s internal wiki, which was powered by Atlassian Confluence, and its bug database, which was powered by Atlassian Jira.
Further unauthorized access to the system was detected on November 20 and 21, which suggests that the intruders returned to test the connectivity. On November 22, they returned again and used ScriptRunner for Jira to gain persistent access to the Atlassian server.
The intruders managed to gain entry to the Atlassian Bitbucket source code management system. Additionally, they attempted to breach a console server connected to Cloudflare’s data center in São Paulo, Brazil. However, they failed to infiltrate the server as it was still in the testing phase.
“We failed to rotate one service token and three service accounts (out of thousands) of credentials that were leaked during the Okta compromise,” the company said.
The first credential was a Moveworks service token that could be used to access the Atlassian system remotely. The second was a service account, used by the SaaS-based Smartsheet application, that had administrative access to the Atlassian Jira instance.
The third credential was a Bitbucket service account used to access Cloudflare’s source code management system. The fourth was an AWS environment with no access to the global network and no customer or sensitive data.
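An added example, not code from Cloudflare or from the original article: a rotation audit that flags credentials which existed during an exposure window and have not been rotated since, the gap described above. The inventory columns, credential names and cutoff date are assumptions constructed for illustration.

```python
import csv
import io
from datetime import datetime, timezone

# Assumption: end of the exposure window; the article only says "October 2023".
EXPOSURE_END = datetime(2023, 10, 31, tzinfo=timezone.utc)

# Constructed inventory export (names, dates and columns are illustrative).
INVENTORY_CSV = """name,kind,created,last_rotated
svc-token-a,service_token,2022-03-01,2023-11-02
svc-token-b,service_token,2021-07-15,2023-06-30
svc-acct-c,service_account,2020-01-10,
svc-acct-d,service_account,2023-11-05,
svc-acct-e,service_account,2022-09-09,2023-10-31
"""

def _parse(day):
    """Parse YYYY-MM-DD as UTC midnight; an empty field means no rotation on record."""
    return datetime.strptime(day, "%Y-%m-%d").replace(tzinfo=timezone.utc) if day else None

def unrotated_since(csv_text, exposure_end=EXPOSURE_END):
    """Return rows for credentials that existed during the exposure and were not rotated after it."""
    missed = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        created, rotated = _parse(row["created"]), _parse(row["last_rotated"])
        if created > exposure_end:
            continue  # issued after the window, so it cannot have leaked in it
        # Never rotated, or rotated on or before the last day of the window:
        # treated conservatively as still being the leaked secret.
        if rotated is None or rotated <= exposure_end:
            missed.append(row)
    return missed

def summary(csv_text, exposure_end=EXPOSURE_END):
    """Count missed credentials per kind so that small gaps in a large inventory stand out."""
    counts = {}
    for row in unrotated_since(csv_text, exposure_end):
        counts[row["kind"]] = counts.get(row["kind"], 0) + 1
    return counts

if __name__ == "__main__":
    for row in unrotated_since(INVENTORY_CSV):
        print(f"ROTATE NOW: {row['name']} ({row['kind']}), "
              f"last rotated: {row['last_rotated'] or 'never'}")
    print(summary(INVENTORY_CSV))
```

Run against a full export rather than a list of credentials believed to be in use, since a handful of missed entries among thousands is exactly what this check is meant to surface.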
According to reports, the attack was likely carried out by a nation-state attacker seeking continuous, broad access to Cloudflare’s global network.
After analyzing the wiki pages they accessed, bug database issues, and source code repositories, it appears that they were searching for information about the company’s global network architecture, security, and management, possibly to gain a stronger foothold.
The Okta security breach in October affected more than 130 clients of the IT access management business, including Cloudflare, and followed another Okta intrusion in 2022 that had also impacted them.
Remediation Effort
The company focused a significant portion of its technical staff, both inside and outside of the security team, on a single project, known as “Code Red,” to address the incident.
As part of their efforts, they undertook a comprehensive process. This included rotating more than 5,000 individual credentials, physically segmenting test and staging systems, performing forensic triages on 4,893 systems, and reimaging and rebooting every machine in their global network, including all Atlassian products (Jira, Confluence, and Bitbucket) and all systems that the threat actor accessed.
The primary goals of this effort were to confirm that the threat actor could not gain entry into the environment and to ensure that all controls were strengthened, verified, and corrected.