Cloudflare hacked using auth tokens stolen in Okta attack


Cloudflare disclosed today that its internal Atlassian server was breached by a suspected 'nation state attacker' who accessed its Confluence wiki, Jira bug database, and Bitbucket source code management system.

The threat actor first gained access to Cloudflare's self-hosted Atlassian server on November 14 and then accessed the company's Confluence and Jira systems following a reconnaissance stage.

"They then returned on November 22 and established persistent access to our Atlassian server using ScriptRunner for Jira, gained access to our source code management system (which uses Atlassian Bitbucket), and tried, unsuccessfully, to access a console server that had access to the data center that Cloudflare had not yet put into production in São Paulo, Brazil," said Cloudflare CEO Matthew Prince, CTO John Graham-Cumming, and CISO Grant Bourzikas.

To access its systems, the attackers used one access token and three service account credentials stolen during a previous compromise linked to Okta's breach from October 2023 that Cloudflare had failed to rotate (out of thousands that were leaked during the Okta compromise).
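The failure described above, secrets that pre-date a known exposure and were never rotated afterwards, is the kind of gap a simple inventory check can surface. The following is an added example, not Cloudflare's own tooling or process; the inventory rows, credential names and the exposure date are constructed for illustration.

```python
"""Flag credentials that existed on or before a known exposure date and have
no rotation dated after it, i.e. secret values an attacker may still hold.

Added example with a constructed inventory; not Cloudflare's code.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date

# Constructed inventory (hypothetical names). `created` is when the current
# secret value was minted; `rotated` is the most recent rotation, "" if never.
INVENTORY_CSV = """\
name,kind,created,rotated
ci-deploy-token,access_token,2023-06-01,
wiki-bot-svc,service_account,2023-03-15,2023-10-18
scm-svc,service_account,2023-09-02,2023-10-19
build-svc,service_account,2023-08-20,
post-breach-token,access_token,2023-11-01,
"""


@dataclass(frozen=True)
class Credential:
    name: str
    kind: str
    created: date
    rotated: date | None


def parse_inventory(text: str) -> list[Credential]:
    """Parse the CSV inventory into Credential records."""
    creds = []
    for row in csv.DictReader(io.StringIO(text)):
        rotated = date.fromisoformat(row["rotated"]) if row["rotated"] else None
        creds.append(
            Credential(row["name"], row["kind"], date.fromisoformat(row["created"]), rotated)
        )
    return creds


def must_rotate(creds: list[Credential], exposure: date) -> list[str]:
    """Return names of credentials that existed on or before `exposure` and
    were not rotated strictly after it.

    A rotation dated on the exposure day itself is deliberately NOT trusted:
    the replacement value may have been captured by the same access, so the
    check is conservative and flags it too.
    """
    flagged = []
    for c in creds:
        existed_at_exposure = c.created <= exposure
        rotated_since = c.rotated is not None and c.rotated > exposure
        if existed_at_exposure and not rotated_since:
            flagged.append(c.name)
    return flagged


def audit(text: str, exposure_iso: str) -> list[str]:
    """Convenience wrapper: parse the inventory and run the check."""
    return must_rotate(parse_inventory(text), date.fromisoformat(exposure_iso))


if __name__ == "__main__":
    # Exposure date taken from the article's timeline (Okta instance breached
    # October 18, 2023); everything else here is constructed.
    for name in audit(INVENTORY_CSV, "2023-10-18"):
        print(f"ROTATE: {name}")
```

The check is intentionally date-based rather than "was this credential known to be in the leaked set": after a third-party compromise you usually cannot enumerate exactly which secrets were exposed, so the safe rule is to rotate everything that existed at the time.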

Cloudflare detected the malicious activity on November 23, severed the hacker's access on the morning of November 24, and its cybersecurity forensics specialists began investigating the incident three days later, on November 26.

While addressing the incident, Cloudflare's staff rotated all production credentials (over 5,000 unique ones), physically segmented test and staging systems, performed forensic triage on 4,893 systems, and reimaged and rebooted all systems on the company's global network, including all Atlassian servers (Jira, Confluence, and Bitbucket) and the machines accessed by the attacker.

The threat actors also attempted to break into Cloudflare's data center in São Paulo, which is not yet used in production, but those attempts failed. All equipment in Cloudflare's Brazil data center was later returned to the manufacturers to ensure that the data center was 100% secure.

Remediation efforts ended almost one month ago, on January 5th, but the company says that its staff is still working on software hardening, as well as credential and vulnerability management.

Cloudflare Thanksgiving breach

The company says that this breach did not impact Cloudflare customer data or systems; its services, global network systems, and configuration were also unaffected.

"Even though we understand the operational impact of the incident to be extremely limited, we took this incident very seriously because a threat actor had used stolen credentials to get access to our Atlassian server and accessed some documentation and a limited amount of source code," said Prince, Graham-Cumming, and Bourzikas.

"Based on our collaboration with colleagues in the industry and government, we believe that this attack was performed by a nation state attacker with the goal of obtaining persistent and widespread access to Cloudflare's global network.

"Analyzing the wiki pages they accessed, bug database issues, and source code repositories, it appears they were looking for information about the architecture, security, and management of our global network; no doubt with an eye on gaining a deeper foothold."

On October 18, 2023, Cloudflare's Okta instance was breached using an authentication token stolen from Okta's support system. The hackers who breached Okta's customer support system also gained access to files belonging to 134 customers, including 1Password, BeyondTrust, and Cloudflare.

After the October 2023 incident, the company said that its Security Incident Response Team's quick response contained and minimized the impact on Cloudflare systems and data, and that no Cloudflare customer information or systems were impacted.

Another attempt to breach Cloudflare's systems was blocked in August 2022 after attackers tried using employee credentials stolen in a phishing attack but failed because they did not have access to the victims' company-issued FIDO2-compliant security keys.
