Cloudflare just detailed how a suspected government spy gained access to its internal installation of Atlassian using credentials stolen in a security breach at Okta in October.
CEO Matthew Prince, CTO John Graham-Cumming, and CISO Grant Bourzikas said in a Thursday article that the Atlassian intrusion was detected as far back as Thanksgiving, November 23, 2023, and the intruders were removed the following day.
October's Okta breach involved more than 130 customers of the IT access management business, and snoops swiped data from Okta in hopes of further infiltrating those organizations. Cloudflare was one of the companies affected, as it had also been by an earlier intrusion at Okta in 2022.
Cloudflare admitted in October that it was involved in Okta's latest security meltdown, and is now disclosing more details about what happened.
According to Prince, the intruders, likely nation-state agents, used one service token and three service account credentials obtained through the 2023 Okta breach. At the time, Okta suggested that the information stolen from its customer support system was fairly benign and could be used for things like phishing and social engineering attacks. It turns out that session tokens allowing access to networks like Cloudflare's had been stolen from Okta's systems.
“One of them was the Moveworks service token, which allows remote access to Atlassian systems,” Prince, Graham-Cumming, and Bourzikas wrote.
“The second credential was a service account used by a SaaS-based Smartsheet application with administrative access to an Atlassian Jira instance. The third account was a Bitbucket account used to access the source code control system. The fourth credential was a service account for an AWS environment that had no access to the global network and no customer or sensitive data.”
Cloudflare failed to rotate these tokens because it incorrectly believed them to be unused, so the intruder was able to use them to access Cloudflare's systems.
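The lesson in that paragraph, rotate every credential that could have been in the stolen data regardless of whether it looks used, can be turned into a simple post-breach audit. The script below is an added example, not Cloudflare's code or tooling; the inventory entries, their names, and the exposure cutoff date are constructed for illustration, and only the four credential types mirror the write-up.

```python
from dataclasses import dataclass
from datetime import date
from typing import Iterable, Optional


@dataclass(frozen=True)
class Credential:
    name: str
    kind: str                      # e.g. "service_token", "service_account"
    issued: date                   # when the credential was minted
    last_used: Optional[date]      # None = no recorded use (the "unused" trap)
    last_rotated: Optional[date]   # None = never rotated since issue


def needs_rotation(cred: Credential, exposure_cutoff: date) -> bool:
    """True if the credential could have been in the stolen data and has not
    been rotated since. Usage is deliberately ignored: a token with no recorded
    use is still valid, and an attacker may simply be its first user."""
    if cred.issued > exposure_cutoff:
        return False   # minted after the exposure window; cannot have leaked
    if cred.last_rotated is not None and cred.last_rotated > exposure_cutoff:
        return False   # already rotated after the window
    return True


def rotation_backlog(creds: Iterable[Credential], exposure_cutoff: date) -> list:
    """Names of credentials still needing rotation, sorted for stable reporting."""
    return sorted(c.name for c in creds if needs_rotation(c, exposure_cutoff))


# Assumed cutoff: treat anything existing by the end of the breach month as exposed.
EXPOSURE_CUTOFF = date(2023, 10, 31)

# Constructed sample inventory (not real Cloudflare data). The first four entries
# stand in for the service token and three service accounts named in the article.
INVENTORY = [
    Credential("moveworks-atlassian-token", "service_token", date(2023, 3, 1), None, None),
    Credential("smartsheet-jira-admin", "service_account", date(2022, 11, 5), date(2023, 9, 30), None),
    Credential("bitbucket-ci-bot", "service_account", date(2023, 1, 12), None, None),
    Credential("aws-sandbox-sa", "service_account", date(2023, 6, 20), date(2023, 10, 2), None),
    # Rotated after the window: no longer exposed.
    Credential("okta-admin-api", "service_token", date(2023, 2, 1), date(2023, 10, 25), date(2023, 11, 1)),
    # Minted after the window: was never in the stolen data.
    Credential("new-ci-token", "service_token", date(2023, 11, 10), date(2023, 11, 12), None),
]

if __name__ == "__main__":
    for name in rotation_backlog(INVENTORY, EXPOSURE_CUTOFF):
        print("ROTATE:", name)
```

The check intentionally never reads `last_used`: the two entries with no recorded use are reported alongside the ones with recent use, which is exactly the case that was missed here.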
From November 14, 2023 to November 17, 2023, intruders appeared to be probing Cloudflare's systems, conducting reconnaissance through an internal Confluence-based wiki and Jira bug database.
Further access was detected on November 20 and 21, after which a persistent presence was established on the cloud company's Atlassian servers via ScriptRunner for Jira. With administrative access to Jira via the Smartsheet service account, the snoop was able to install the Sliver Adversary Emulation Framework, a common tool for command-and-control connectivity and backdoor access.
The intruders also gained access to Cloudflare's Bitbucket source code management system, but were unsuccessful in accessing a console server linked to a not yet operational data center in São Paulo, Brazil.
According to the cloud giant, the intruders combed internal wikis for information about remote access, secrets, and tokens. They also looked at 36 Jira tickets, out of more than two million, concerning vulnerability management, secret rotation, multi-factor authentication bypass, network access, and even the company's response to the Okta incident.
This attack was carried out by a nation-state actor with the goal of gaining persistent and widespread access to Cloudflare's global network.
The intruders' interest in secrets was evident from their viewing of 120 Bitbucket code repositories out of a total of approximately 12,000. Approximately 76 of the 120 were downloaded to the Atlassian servers. Cloudflare is not sure whether these were exfiltrated, but is treating them as if they were. The repositories were primarily related to backup mechanisms, global network configuration and management, identity, remote access, Terraform, and Kubernetes. According to the US CDN giant, some contained encrypted secrets, which were rotated promptly despite being strongly encrypted.
“While we understand the operational impact of this incident to be very limited, we took this incident very seriously because the attackers used stolen credentials to access our Atlassian servers and retrieve some documents and a limited amount of source code,” Prince, Graham-Cumming, and Bourzikas wrote.
“Based on our collaboration with industry and government colleagues, we believe this attack was carried out by a nation-state actor intent on gaining persistent and pervasive access to Cloudflare's global network.”
By November 24, 2023, Cloudflare was able to successfully expel the attacker and began assessing the damage and investigating what happened. Three days later, a company-wide remediation effort known as “Code Red” became the focus of many technical staff. The project was supported by external security firm CrowdStrike, which conducted an independent assessment of the cyber attack.
Code Red ended on January 5, 2024, but according to Prince, Graham-Cumming, and Bourzikas, “work continues across the company with a focus on credential management, software hardening, vulnerability management, and additional alerting.” ®