Cloudflare was a victim of the wide-ranging Okta supply-chain campaign last fall, with a data breach affecting its Atlassian Bitbucket, Confluence, and Jira platforms beginning on Thanksgiving Day.
“Based on our collaboration with colleagues in the industry and government, we believe that this attack was performed by a nation-state attacker with the goal of obtaining persistent and widespread access to Cloudflare’s global network,” the Internet security and DDoS protection company said in a blog on the Okta-related cyber incident, published yesterday.
Cyberattackers Looked for Lateral Movement Options
Cloudflare worked with CrowdStrike and was able to determine that, after initial reconnaissance work, cyberattackers accessed its internal wiki (Confluence) and bug database (Jira) before establishing persistence on its Atlassian server. From there, the perpetrators poked around for places to pivot into, successfully pivoting into the Cloudflare source code management system (Bitbucket) and an AWS instance.
The analysis showed that the cyberattackers were “looking for information about the configuration and management of our global network, and accessed various Jira tickets … concerning vulnerability management, secret rotation, MFA bypass, network access, and even our response to the Okta incident itself.”
But they were largely shut out of other systems they tried, like a console server that had access to a dormant data center in São Paulo.
In all, the unknown assailants “accessed some documentation and a limited amount of source code,” but no customer data or systems, according to Cloudflare, thanks to network segmentation and the implementation of a zero-trust authentication approach that limited lateral movement.
Still, the firm erred on the side of caution: “We undertook a comprehensive effort to rotate every production credential (more than 5,000 individual credentials), physically segment test and staging systems, performed forensic triages on 4,893 systems, reimaged and rebooted every machine in our global network including all the systems the threat actor accessed and all Atlassian products (Jira, Confluence, and Bitbucket).”
“This…attack on one of the largest [software-as-a-service] companies…severely highlights the risks of supply chain attacks,” says Tal Skverer, research team lead for Astrix Security. “In this breach, we again see how non-human access is abused by attackers to achieve high privilege access to internal systems which goes unmonitored. We also see how attackers are targeting both cloud, SaaS and also on-prem solutions to expand their access.”
Yet Another Okta Breach Victim
In October, Okta, the identity and access management services provider, disclosed that its customer support case management system was compromised, exposing sensitive customer data including cookies and session tokens, usernames, emails, company names, and more. Initially the company said that less than 1% of its customers were affected (134 in all), but in late November the company widened the number to a staggering 100%.
“They [achieved compromise] by using one access token and three service account credentials that were taken, and that we did not rotate, after the Okta compromise of October 2023,” according to Cloudflare. “All threat actor access and connections were terminated on November 24 and CrowdStrike has confirmed that the last evidence of threat activity was on November 24 at 10:44.”
An Okta spokesperson tells Dark Reading: “This is not a new incident or disclosure on the part of Okta. On Oct. 19, we notified customers, shared guidance to rotate credentials, and provided indicators of compromise (IoCs) related to the October security incident. We won’t comment on our customers’ security remediations.”