Wednesday, June 19, 2024

Cloudflare Server Compromised Due to Leaked Access Token in Okta Breach

On November 23, 2023, Cloudflare detected a threat actor on the self-hosted Atlassian server. The attack was initiated using a single stolen access token and three compromised service account credentials, which were kept the same after the Okta compromise in October 2023.

The security team sought assistance from CrowdStrike’s Forensic team to investigate the security breach. On November 24, all connections and access privileges for the malicious actors were terminated.

“We want to emphasize to our customers that no Cloudflare customer data or systems were impacted by this event,” according to Cloudflare’s blog.

“We took this incident very seriously because a threat actor had used stolen credentials to get access to our Atlassian server and accessed some documentation and a limited amount of source code.”

Run Free ThreatScan on Your Mailbox

AI-Powered Protection for Business Email Security

Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Try Trustifi Free Threat Scan with Sophisticated AI-Powered Email Protection .

Overview of the Incident

Threat actors were surveyed from November 14 to November 17. Following this, they gained access to the organization’s internal wiki, which was powered by Atlassian Confluence, and their bug database, which Atlassian Jira powered.

It was detected that on November 20 and 21, some unauthorized access was made to the system, which suggests that the intruders returned to test the connectivity. On November 22, they made a second visit and used ScriptRunner for Jira to gain persistent access to the Atlassian server.

The intruders managed to gain entry to the Atlassian Bitbucket source code management system. Additionally, they attempted to breach a console server connected to Cloudflare’s data center in São Paulo, Brazil. However, they failed to infiltrate the server as it was still in the testing phase.

“We failed to rotate one service token and three service accounts (out of thousands) of credentials that were leaked during the Okta compromise,” the company said.

A Moveworks service token can be used to access the Atlassian system remotely. In addition, a service account with administrative access to the Atlassian Jira instance is utilized by the SaaS-based Smartsheet application as a second credential.

The third credential was a Bitbucket service account used to access our source code management system. The fourth was an AWS environment with no access to the global network and no customer or sensitive data.

According to reports, the attack was likely carried out by a nation-state attacker seeking continuous, broad access to Cloudflare’s global network.

After analyzing the wiki pages they accessed, bug database issues, and source code repositories, it appears that they were searching for information about the company’s global network architecture, security, and management, possibly to gain a stronger foothold.

Over 130 IT access management business clients were affected by the Okta security breach in October, which included Cloudflare, and were impacted again in 2022 due to another Okta intrusion.

Remediation Effort

The company focused a significant portion of its technical staff, both inside and outside of the security team, on a single project – addressing the incident known as “Code Red.” 

As part of their efforts, they undertook a comprehensive process. This included rotating more than 5,000 individual credentials, physically segmenting test and staging systems, performing forensic triages on 4,893 systems, and reimaging and rebooting every machine in their global network, including all Atlassian products (Jira, Confluence, and Bitbucket) and all systems that the threat actor accessed. 

The primary goals of this effort were to confirm that the threat actor could not gain entry into the environment and to ensure that all controls were strengthened, verified, and corrected.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.


Latest articles

Singapore Police Arrested Two Individuals Involved in Hacking Android Devices

The Singapore Police Force (SPF) has arrested two men, aged 26 and 47, for...

CISA Conducts First-Ever Tabletop Exercise Focused on AI Cyber Incident Response

On June 13, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) made history by...

Europol Taken Down 13 Websites Linked to Terrorist Operations

Europol and law enforcement agencies from ten countries have taken down 13 websites linked...

New ARM ‘TIKTAG’ Attack Impacts Google Chrome, Linux Systems

Memory corruption lets attackers hijack control flow, execute code, elevate privileges, and leak data.ARM's...

Operation Celestial Force Employing Android And Windows Malware To Attack Indian Users

A Pakistani threat actor group, Cosmic Leopard, has been conducting a multi-year cyber espionage...

Hunt3r Kill3rs Group claims they Infiltrated Schneider Electric Systems in Germany

The notorious cybercriminal group Hunt3r Kill3rs has claimed responsibility for infiltrating Schneider Electric's systems...

Hackers Employing New Techniques To Attack Docker API

Attackers behind Spinning YARN launched a new cryptojacking campaign targeting publicly exposed Docker Engine...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles