Cloudflare disclosed that a nation-state actor had gained access to its self-hosted Atlassian server in November 2023 (the intrusion ran from November 14 to November 24; the public disclosure came later). The attacker used an access token and service account credentials stolen in the October 2023 Okta compromise, and read internal documentation and a limited amount of source code before Cloudflare's security team detected the activity. The company immediately began an investigation, cut off the actor's access, and engaged CrowdStrike for an independent forensic review.
Method
The attacker's initial access came from Cloudflare credentials exposed in the October 2023 Okta compromise. Cloudflare had rotated thousands of credentials after that breach but missed a small number, among them a Moveworks service token that granted remote access to its Atlassian environment; the missed credentials had been mistakenly believed to be unused, so they were never rotated. From November 14 to 17 the attacker performed reconnaissance, then returned and on November 22 established persistent access by installing the ScriptRunner for Jira plugin. The systems reached were the internal wiki (Atlassian Confluence), the bug database (Jira), and the source code management system (Bitbucket).
Recommendation
Cloudflare's recommendation is to rotate every credential that could have been exposed after a security incident, rather than assuming that apparently unused credentials are harmless, and to build on a zero-trust architecture so that a single stolen credential cannot be turned into broad access. Its own remediation went well beyond the compromised systems: it rotated more than 5,000 production credentials, physically segmented test and staging systems from production, performed forensic triage on 4,893 systems, reimaged and rebooted every machine in its global network, and also checked for outdated software and unused accounts.
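The failure mode in this incident was not a missing rotation process but a gap in it: credentials that looked unused were skipped. The following script is an added example (not Cloudflare's tooling) of the audit a team would run over its own credential inventory after an upstream compromise. Given a constructed inventory with creation, last-rotation and last-use timestamps, it flags every credential that existed before the exposure ended and has not been rotated since, and separately flags credentials that are still valid but show no recent use, since those are the ones most likely to be overlooked. The inventory entries, dates and the EXPOSURE_END value are all assumptions made for the example.

```python
"""Credential-rotation audit after a third-party compromise.

Added example, not code from Cloudflare. The inventory below is constructed
sample data; the names and dates are assumptions, not the real incident's.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Credential:
    name: str
    kind: str                          # "service_token" or "service_account"
    created_at: datetime
    rotated_at: Optional[datetime]     # None if never rotated
    last_used_at: Optional[datetime]   # None if never observed in use
    revoked: bool = False


def _utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# Assumed: the last moment the upstream (identity-provider) compromise could
# have captured a credential. Anything live at or before this point counts as
# exposed unless it was rotated afterwards.
EXPOSURE_END = _utc(2023, 10, 18)
# Assumed date the audit is run.
AUDIT_AT = _utc(2023, 11, 14)

# Constructed inventory. Note the two traps: a credential rotated BEFORE the
# exposure ended is still exposed, and a credential with no recorded use is
# exactly the kind that gets skipped "because nobody uses it".
INVENTORY = [
    Credential("moveworks-atlassian-token", "service_token",
               _utc(2023, 3, 1), None, None),
    Credential("smartsheet-sa", "service_account",
               _utc(2022, 6, 15), _utc(2023, 10, 25), _utc(2023, 11, 10)),
    Credential("bitbucket-ci-sa", "service_account",
               _utc(2023, 1, 10), _utc(2023, 10, 11), None),
    Credential("new-deploy-token", "service_token",
               _utc(2023, 11, 2), None, None),
    Credential("legacy-report-sa", "service_account",
               _utc(2021, 5, 5), _utc(2023, 10, 26), _utc(2022, 12, 1),
               revoked=True),
]


def exposed_after(inventory, exposure_end):
    """Names of valid credentials that existed during the exposure window
    and have not been rotated since it closed."""
    out = []
    for c in inventory:
        if c.revoked or c.created_at > exposure_end:
            continue                                   # never exposed
        if c.rotated_at is None or c.rotated_at <= exposure_end:
            out.append(c.name)                         # still the old secret
    return out


def stale_but_valid(inventory, now, max_idle_days=90):
    """Names of valid credentials with no recorded use inside the idle
    window (or no recorded use at all)."""
    cutoff = now - timedelta(days=max_idle_days)
    return [c.name for c in inventory
            if not c.revoked
            and (c.last_used_at is None or c.last_used_at < cutoff)]


def audit(inventory, exposure_end, now):
    """Combine both views: what must be rotated now, what should be reviewed
    as unused, and the overlap that a 'rotate only what is in use' policy
    would have missed."""
    exposed = exposed_after(inventory, exposure_end)
    stale = stale_but_valid(inventory, now)
    return {
        "rotate_now": exposed,
        "review_unused": stale,
        "rotate_and_unused": sorted(set(exposed) & set(stale)),
    }


if __name__ == "__main__":
    for key, names in audit(INVENTORY, EXPOSURE_END, AUDIT_AT).items():
        print(f"{key}: {names}")
```

The "rotate_and_unused" bucket is the one to act on first: a credential that is both exposed and idle has no legitimate user to notice when it starts being used. Revoking it costs nothing, whereas leaving it in place is what gave the attacker here a way in.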
Security Impact
Cloudflare detected the activity on November 23 and revoked the actor's access on November 24; its zero-trust architecture limited lateral movement, so the intrusion stayed within the Atlassian environment and did not reach the production network. The independent investigation by CrowdStrike confirmed that no customer data or systems were affected. Because the attacker had worked at establishing persistence, Cloudflare chose to remediate as though the actor's reach were wider than the evidence showed, which is why the cleanup covered its entire fleet rather than only the compromised server. The episode is a reminder that a credential leak is not over when the upstream breach is announced: every exposed token and service account has to be rotated, and monitoring has to catch the ones that were missed.