Cloudflare's Server Hacked Using Leaked Access Token in Okta Breach
Cloudflare discovered a threat actor on its self-hosted Atlassian server on November 23, 2023. The attack was launched using one stolen access token and three compromised service account credentials that had not been rotated following the October 2023 Okta compromise.
To investigate the incident, the security team engaged the help of CrowdStrike's Forensic team. On November 24, all threat actor connections and access were cut off.
“We want to stress to our customers that no Cloudflare customer data or systems were impacted by this event,” according to Cloudflare's blog.
“We took this incident very seriously because a threat actor had used stolen credentials to get access to our Atlassian server and accessed some documentation and a limited amount of source code.”
Overview of the Incident
The threat actors conducted reconnaissance from November 14 to November 17, after which they gained access to Cloudflare's internal wiki (powered by Atlassian Confluence) and bug database (powered by Atlassian Jira).
On November 20 and 21, Cloudflare detected additional access, indicating the attackers may have returned to test their access and make sure they still had connectivity.
On November 22, the attackers made a return visit and used ScriptRunner for Jira to establish persistent access to the Atlassian server.
They also gained access to the source code management system, which uses Atlassian Bitbucket, and made an unsuccessful attempt to access a console server that was linked to the data center in São Paulo, Brazil, which Cloudflare was still testing.
“We failed to rotate one service token and three service accounts (out of thousands) of credentials that were leaked during the Okta compromise,” the company said.
The first was a Moveworks service token that allowed remote access to the Atlassian system. The second credential was a service account used by the SaaS-based Smartsheet application that had administrative access to the Atlassian Jira instance.
The third credential was a Bitbucket service account used to access the source code management system; the fourth was an AWS environment that had no access to the global network and no customer or sensitive data.
According to information provided to Cyber Security News, the attack was likely carried out by a nation-state attacker seeking persistent, widespread access to Cloudflare's global network.
Upon analyzing the wiki pages they visited, the bug database issues, and the source code repositories, it appears they were looking for details about the architecture, security, and management of the company's global network, perhaps to gain a stronger foothold.
Notably, over 130 of the IT access management company's customers were affected by the Okta security breach that occurred in October. Among those impacted was Cloudflare, which was also affected in 2022 due to another Okta intrusion.
Remediation Effort
The company moved a large portion of its technical staff inside and outside the security team to focus on a single project, the effort to deal with the incident, known as “Code Red.”
“We undertook a comprehensive effort to rotate every production credential (more than 5,000 individual credentials), physically segment test and staging systems, performed forensic triages on 4,893 systems, reimaged and rebooted every machine in our global network including all the systems the threat actor accessed and all Atlassian products (Jira, Confluence, and Bitbucket),” the company said.
The main goals were to ensure that the threat actor could no longer enter the environment and to make sure every control in the environment was strengthened, verified, and corrected.
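The incident turned on four credentials, out of thousands, that were missed during the post-Okta rotation. The script below is an added example, not Cloudflare's own tooling, of the kind of completeness check a security team can run after an identity-provider breach: given a credential inventory and a cutoff date, it lists every secret that was reachable through the compromised IdP and still carries a pre-breach value, and reports per-system rotation coverage so gaps like an unrotated SaaS integration token stand out. The inventory (names, target systems, dates, the `stored_in_idp` flag) is constructed for illustration, and the cutoff date is an assumption, since the article only gives "October 2023".

```python
"""Post-breach credential rotation audit (added example; constructed data)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Credential:
    name: str            # inventory label (constructed)
    kind: str            # "service_token" or "service_account"
    grants: str          # system the credential unlocks
    last_rotated: date   # date the secret value was last changed
    stored_in_idp: bool  # secret reachable through the compromised IdP session?


# Constructed inventory: every name, system and date here is illustrative only.
INVENTORY = [
    Credential("moveworks-atlassian-token", "service_token", "atlassian", date(2023, 8, 14), True),
    Credential("smartsheet-jira-admin", "service_account", "jira", date(2023, 6, 2), True),
    Credential("bitbucket-ci-bot", "service_account", "bitbucket", date(2023, 9, 30), True),
    Credential("aws-isolated-env", "service_account", "aws", date(2023, 7, 19), True),
    Credential("edge-deploy-token", "service_token", "edge", date(2023, 11, 2), True),
    Credential("hr-payroll-key", "service_account", "hr", date(2023, 3, 3), False),
]

# Assumed cutoff: the article only says "October 2023", so the exact day is a placeholder.
BREACH_CUTOFF = date(2023, 10, 31)


def needs_rotation(cred, cutoff=BREACH_CUTOFF):
    """A secret exposed via the IdP is stale if its last rotation is on or before the cutoff."""
    return cred.stored_in_idp and cred.last_rotated <= cutoff


def find_unrotated(inventory, cutoff=BREACH_CUTOFF):
    """Names of exposed credentials still carrying a pre-breach secret, oldest first."""
    stale = [c for c in inventory if needs_rotation(c, cutoff)]
    return [c.name for c in sorted(stale, key=lambda c: c.last_rotated)]


def rotation_coverage(inventory, cutoff=BREACH_CUTOFF):
    """Fraction of exposed credentials already rotated after the cutoff, per target system."""
    totals, done = defaultdict(int), defaultdict(int)
    for c in inventory:
        if not c.stored_in_idp:
            continue  # never exposed through the IdP; out of scope for this rotation
        totals[c.grants] += 1
        if c.last_rotated > cutoff:
            done[c.grants] += 1
    return {system: done[system] / totals[system] for system in totals}


if __name__ == "__main__":
    for name in find_unrotated(INVENTORY):
        print("ROTATE:", name)
    for system, fraction in rotation_coverage(INVENTORY).items():
        print(f"{system}: {fraction:.0%} rotated")
```

The design point is that scope is decided by exposure (was the secret reachable through the breached identity provider), not by how important the target looks: the low-value AWS environment and the third-party Smartsheet integration are flagged exactly like a production token, which is the class of credential that was missed in this incident.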
Source credit: cybersecuritynews.com