Cloudflare has announced that its internal Atlassian server was breached by a ‘nation state attacker’. The attacker behind the Cloudflare hack gained unauthorized access to Cloudflare’s Confluence wiki, Jira bug database, and Bitbucket source code management system.
The Cloudflare breach occurred on November 14, after the threat actor successfully infiltrated Cloudflare’s self-hosted Atlassian server. Following this initial breach, the attacker proceeded to access the company’s Confluence and Jira systems after conducting a reconnaissance phase.
“They then returned on November 22 and established persistent access to our Atlassian server using ScriptRunner for Jira, gained access to our source code management system (which uses Atlassian Bitbucket), and tried, unsuccessfully, to access a console server that had access to the data center that Cloudflare had not yet put into production in São Paulo, Brazil,”
wrote CTO John Graham-Cumming, CEO Matthew Prince and CISO Grant Bourzikas in their statement.
Hackers Used Access Tokens and Stolen Credentials from the OKTA Breach
The attackers used an access token and three service account credentials that had been stolen in the earlier compromise tied to Okta’s breach in October 2023. Notably, Cloudflare had not rotated these credentials, even though thousands were leaked during the Okta breach.
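As an added illustration of the check this paragraph implies (example code, not Cloudflare’s tooling and not taken from the statement quoted in this article): an audit over a credential inventory that flags every secret exposed through a third party and not rotated after the vendor’s compromise date. The inventory, the credential names and the `exposed_via_third_party` flag are constructed assumptions; the only value taken from the article is the October 18, 2023 Okta compromise date.

```python
"""Flag credentials that should have been rotated after a third-party compromise.

Added example, not Cloudflare's code. The inventory is constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Iterable


@dataclass(frozen=True)
class Credential:
    name: str                       # hypothetical identifier, constructed for this example
    system: str                     # system the credential grants access to
    last_rotated: date              # date the secret was last regenerated
    exposed_via_third_party: bool   # True if it lived in the compromised vendor environment


# Date of the Okta support-system compromise reported in the article.
OKTA_COMPROMISE_DATE = date(2023, 10, 18)

# Constructed sample inventory (not real Cloudflare data). Two secrets were
# rotated after the compromise, four were not, one was never exposed.
SAMPLE_INVENTORY = [
    Credential("ci-deploy-key", "bitbucket", date(2023, 10, 20), True),   # rotated in time
    Credential("wiki-bot", "confluence", date(2023, 10, 19), True),       # rotated in time
    Credential("jira-automation", "jira", date(2023, 9, 2), True),        # never rotated
    Credential("okta-api-token", "okta", date(2023, 8, 15), True),        # never rotated
    Credential("build-svc", "bitbucket", date(2023, 6, 30), True),        # never rotated
    Credential("legacy-svc-a", "jira", date(2023, 10, 18), True),         # same day: treated as stale
    Credential("smtp-relay", "mail", date(2023, 7, 1), False),            # not in vendor env, out of scope
]


def find_unrotated(creds: Iterable[Credential], compromise_date: date) -> list[Credential]:
    """Return exposed credentials whose last rotation is on or before the
    compromise date, i.e. secrets an attacker who copied them could still use.

    A rotation dated the same day as the compromise is counted as stale, since a
    date alone cannot prove the rotation happened after the exposure.
    """
    stale = [
        c for c in creds
        if c.exposed_via_third_party and c.last_rotated <= compromise_date
    ]
    return sorted(stale, key=lambda c: c.last_rotated)


def rotation_summary(creds: list[Credential], compromise_date: date) -> dict:
    """Summarise how many exposed credentials were rotated after the compromise
    and which ones still need rotation, grouped by the system they unlock."""
    exposed = [c for c in creds if c.exposed_via_third_party]
    stale = find_unrotated(creds, compromise_date)
    by_system: dict[str, list[str]] = {}
    for c in stale:
        by_system.setdefault(c.system, []).append(c.name)
    return {
        "exposed": len(exposed),
        "rotated": len(exposed) - len(stale),
        "stale": len(stale),
        "stale_by_system": by_system,
    }


if __name__ == "__main__":
    report = rotation_summary(SAMPLE_INVENTORY, OKTA_COMPROMISE_DATE)
    print(f"exposed={report['exposed']} rotated={report['rotated']} stale={report['stale']}")
    for system, names in report["stale_by_system"].items():
        print(f"  {system}: rotate {', '.join(names)}")
```

The point of the `exposed_via_third_party` flag is that the audit is scoped to the vendor’s blast radius rather than to everything, which is what makes a complete sweep feasible after a breach notification; the same-day rule errs on the side of rotating one extra secret rather than trusting a date that cannot order the two events.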
Cloudflare detected the unauthorized activity on November 23 and promptly terminated the attacker’s access on the morning of November 24. Three days later, on November 26, the company’s cybersecurity forensics specialists initiated an investigation into the incident.
Cloudflare Hack Response
Cloudflare’s response to the hack involved a comprehensive set of actions. The company promptly rotated all production credentials, more than 5,000 unique credentials in total, and physically segregated its test and staging systems.
To assess the impact of the breach, Cloudflare’s forensic experts conducted triage on 4,893 systems. As a precautionary measure, all systems on the company’s global network, including their Atlassian servers (Jira, Confluence, and Bitbucket) and machines accessed by the attacker, were reimaged and rebooted.
The threat actors also attempted to breach Cloudflare’s data center in São Paulo, which was not yet operational. These attempts were unsuccessful. As a precaution, all equipment in the Brazil data center was returned to the manufacturers.
Cloudflare completed its remediation efforts on January 5th, but the company continues to work on hardening its software and on credential and vulnerability management. The breach did not affect Cloudflare customer data or systems.
Its services, global network systems, and configurations remained unaffected throughout the incident. Cloudflare remains committed to ensuring the utmost security for its customers.
“Based on our collaboration with colleagues in the industry and government, we believe that this attack was performed by a nation state attacker to obtain persistent and widespread access to Cloudflare’s global network.
“Analyzing the wiki pages they accessed, bug database issues, and source code repositories, it appears they were looking for information about the architecture, security, and management of our global network; no doubt with an eye on gaining a deeper foothold.”
Prince, Graham-Cumming, and Bourzikas said in the statement.
About Cloudflare Hack and OKTA Breach
Cloudflare experienced a security breach on October 18, 2023, when hackers obtained an authentication token from Okta’s support system. This unauthorized access exposed files belonging to 134 Okta customers, including 1Password, BeyondTrust, and Cloudflare itself.
However, Cloudflare’s Security Incident Response Team promptly responded to the incident, containing and minimizing the impact on their systems and data. Importantly, no Cloudflare customer information or systems were compromised during this breach.
In a separate incident in August 2022, Cloudflare successfully thwarted an attempted breach. Attackers had stolen employee credentials through a phishing attack but were unable to proceed due to the lack of access to the victims’ company-issued FIDO2-compliant security keys. This additional layer of security proved effective in preventing unauthorized access to Cloudflare’s systems.