Cloudflare, the web infrastructure company, has disclosed that it was the target of a cyberattack which it attributes to a likely nation-state actor. The intrusion, which took place between November 14 and 24, 2023, gave the attackers unauthorized access to the company's self-hosted Atlassian server and, through it, to some internal documentation and a limited amount of source code.
Cloudflare detected the intrusion on November 23, describing the threat actor as “sophisticated” and saying that it “operated thoughtfully and methodically” with the aim of obtaining persistent and widespread access to the company's global network.
Precautionary Measures Taken
As precautionary measures, Cloudflare said it rotated more than 5,000 production credentials, physically segmented test and staging systems, performed forensic triage on 4,893 systems, and reimaged and rebooted every machine across its global network.
The attack began with a four-day reconnaissance period during which the intruder browsed the Atlassian Confluence wiki and Jira issue tracker. The adversary then created a rogue Atlassian user account, installed the Sliver adversary simulation framework on the Atlassian server to establish persistent access, and used that foothold to reach the Bitbucket source code management system.
Scope of Unauthorized Access
Cloudflare estimates that the attacker viewed 120 code repositories, 76 of which are believed to have been exfiltrated. The repositories mostly covered how backups work, how the global network is configured and managed, how identity works at Cloudflare, remote access, and the company's use of Terraform and Kubernetes.
Cloudflare stated that “a small number of the repositories contained encrypted secrets, which were immediately rotated despite being heavily encrypted.”
The threat actor also unsuccessfully attempted to access a console server that had access to a data center that Cloudflare had not yet put into production in São Paulo, Brazil.
Stolen Credentials and Cloudflare’s Response
No software vulnerability was exploited. The attack was made possible by one access token and three service account credentials, associated with Amazon Web Services (AWS), Atlassian Bitbucket, Moveworks, and Smartsheet, that had been stolen in the compromise of Okta’s support case management system in October 2023. Cloudflare acknowledged that it had failed to rotate these four credentials after the Okta breach, mistakenly believing they were not in use.
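The failure described above, treating "we see no use of this credential" as "this credential is unused", is the point a practitioner should take away. The following is an added example, not Cloudflare's tooling or anything from the original article. It triages a list of credentials known to have been exposed in a third-party breach against a constructed audit log: every exposed credential is scheduled for rotation regardless of observed use, credentials used after the exposure date are flagged for investigation, and absence from telemetry is reported as "not observed" rather than "unused". The credential names, log format, log lines and dates are all hypothetical.

```python
"""Credential-rotation triage after an upstream (third-party) compromise.

Added example; not Cloudflare's code. The rule it encodes: a secret that was
exposed must be rotated whether or not it appears in usage telemetry, because
missing telemetry usually means the consumer is not instrumented, not that
the secret is dead. All names, dates and log lines are constructed.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed: secrets whose values were present in support tickets held by a
# compromised vendor, keyed by principal name as it appears in audit logs.
EXPOSED_CREDENTIALS = {
    "svc-bitbucket-ci": "Bitbucket service account",
    "svc-jira-admin": "Jira service account",
    "svc-aws-legacy": "AWS access key",
    "tok-moveworks": "Moveworks access token",
}
# Hypothetical date the vendor breach is believed to have exposed the secrets.
EXPOSURE_DATE = datetime(2023, 10, 18, tzinfo=timezone.utc)

# Constructed audit log in a simple "<ts> <principal> <action> <target>" format.
# Note that svc-aws-legacy and tok-moveworks never appear: no telemetry at all.
SAMPLE_AUDIT_LOG = """\
2023-09-02T11:04:10Z svc-bitbucket-ci clone repo/network-config
2023-10-01T08:22:41Z svc-jira-admin login jira
2023-11-14T06:31:05Z svc-jira-admin login jira
2023-11-22T20:15:59Z svc-bitbucket-ci clone repo/backup-tooling
2023-11-01T09:00:00Z alice login confluence
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


@dataclass
class Decision:
    credential: str
    action: str   # "rotate" or "rotate+investigate"
    reason: str


def last_use_by_principal(log_text):
    """Return {principal: latest timestamp seen} from the audit log text."""
    last = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than fail the whole triage
        ts, principal, _action, _target = m.groups()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if principal not in last or when > last[principal]:
            last[principal] = when
    return last


def triage(exposed, exposure_date, log_text):
    """Produce one rotation decision per exposed credential.

    Every exposed credential is rotated. Use after the exposure date escalates
    to rotate+investigate. No observed use is still a rotation, never a skip.
    """
    last = last_use_by_principal(log_text)
    decisions = []
    for cred, kind in exposed.items():
        seen = last.get(cred)
        if seen is None:
            decisions.append(Decision(cred, "rotate",
                f"{kind}: exposed; not observed in telemetry (coverage gap, not proof of disuse)"))
        elif seen > exposure_date:
            decisions.append(Decision(cred, "rotate+investigate",
                f"{kind}: used at {seen.isoformat()}, after exposure on {exposure_date.date()}"))
        else:
            decisions.append(Decision(cred, "rotate",
                f"{kind}: exposed; last observed use {seen.isoformat()} predates exposure"))
    return decisions


def actions_by_credential(exposed=EXPOSED_CREDENTIALS, exposure_date=EXPOSURE_DATE,
                          log_text=SAMPLE_AUDIT_LOG):
    """Convenience view: {credential: action}."""
    return {d.credential: d.action for d in triage(exposed, exposure_date, log_text)}


if __name__ == "__main__":
    for d in triage(EXPOSED_CREDENTIALS, EXPOSURE_DATE, SAMPLE_AUDIT_LOG):
        print(f"{d.action:20} {d.credential:20} {d.reason}")
```

Run against the constructed log, the two service accounts seen after the exposure date come out as rotate+investigate, and the two credentials with no telemetry at all are still scheduled for rotation. In a real environment the exposure list would come from the vendor's breach notification and the log from the identity provider or the target system's audit trail; the decision logic does not change.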
Cloudflare terminated all of the threat actor's connections on November 24, 2023, and engaged the cybersecurity firm CrowdStrike to conduct an independent assessment of the incident.
Cloudflare reiterated that the only production system the threat actor was able to reach with the stolen credentials was its Atlassian environment. Based on the wiki pages viewed, the bug-tracker (Jira) issues accessed, and the source code repositories read, the attacker appears to have been seeking information about the architecture, security, and management of Cloudflare's global network.
Source: The Hacker News