Heimdal

Cloudflare disclosed on February 1, 2024, that a suspected nation-state attacker had infiltrated its internal, self-hosted Atlassian server.

The intrusion, which began on November 14, 2023, reached Cloudflare’s Confluence wiki, Jira bug database, and Bitbucket source code management system.

How did attackers first gain access to Cloudflare’s systems?

The attackers first accessed Cloudflare’s Atlassian server on November 14, spent that first visit on reconnaissance, and returned on November 22 to establish persistent access.

They used the ScriptRunner for Jira plugin to gain that persistence, and from the Atlassian server they also accessed Cloudflare’s Bitbucket source code management system.

Efforts to access a console server connected to an unlaunched data center in São Paulo, Brazil, were unsuccessful.

What methods did the attackers use to compromise Cloudflare’s security?

The attackers authenticated with one access token and three service account credentials that had been stolen during Okta’s October 2023 breach. Cloudflare had rotated thousands of credentials after that breach but missed these four, which it mistakenly believed were unused.

Cloudflare detected the malicious activity on November 23 and cut off the attacker’s access by the morning of November 24.

The Okta breach

In the Okta breach of October 2023, an attacker used a stolen credential to access Okta’s customer support case management system.

Okta’s root-cause analysis traced the stolen credential to a service account whose username and password had been saved into an employee’s personal Google account, which was signed in to Chrome on an Okta-managed laptop.

Inside the support system, the attacker could view files that customers had uploaded to support cases, including HAR files, which can contain cookies and active session tokens; a replayed token lets the attacker act as that user inside the customer’s own Okta tenant.

How did the company respond?

Cloudflare’s own security team was investigating from November 23; on November 26 the company brought in CrowdStrike’s forensic team to perform an independent assessment.

The company rotated more than 5,000 production credentials, physically segmented its test and staging systems, performed forensic triage on 4,893 systems, and reimaged and rebooted every machine in its global network, including all Atlassian servers.

Cloudflare also replaced the equipment in its Brazil data center and returned the hardware to the manufacturers for inspection, even though the attacker’s access attempts there had failed.

Remediation concluded on January 5, 2024, and Cloudflare says it is continuing work on software hardening and on credential and vulnerability management.

The Okta incident itself, which Okta said affected 134 of its customers, had already touched Cloudflare: on October 18, 2023, Cloudflare detected attackers using an authentication token taken from Okta’s support system, and it contained that intrusion with no compromise of customer data.

Cloudflare’s CEO Matthew Prince, CTO John Graham-Cumming, and CISO Grant Bourzikas, who co-authored the disclosure, said the breach had limited operational impact but was taken seriously because of the sensitive access the attackers obtained.

The company believes the attacker’s goal was persistent and widespread access to Cloudflare’s global network, and states that no customer data or systems were affected:

“Even though we understand the operational impact of the incident to be extremely limited, we took this incident very seriously because a threat actor had used stolen credentials to get access to our Atlassian server and accessed some documentation and a limited amount of source code,”

said the Cloudflare leadership team in the disclosure post.

The importance of proactive security measures

To prevent incidents like the Cloudflare breach, businesses should implement:

Regular credential rotation and monitoring – rotate credentials promptly after a security incident at any connected vendor, and keep an inventory of service accounts and tokens so that none are skipped as “unused”.

Enhanced employee training – focus on phishing awareness and credential hygiene (including not saving work credentials in personal browser profiles) to reduce the risk of credential theft.

Zero-Trust security model – verify every access request, and do not treat an internal wiki, bug tracker, or source repository as a trusted zone.

MFA enforcement – require multi-factor authentication across all systems, including service and automation accounts wherever the platform supports it.

Advanced threat detection systems – use systems that identify and alert on suspicious activity, such as a dormant service account suddenly authenticating or a new plugin being installed on an internal server.

Rapid incident response plan – have a well-established plan so access can be cut off within hours of detection, as Cloudflare did.

Vendor risk management – assess and mitigate the risks posed by third-party vendors, and have a checklist ready for when one of them is breached.
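The first recommendation is where Cloudflare’s incident actually turned: four credentials out of thousands were left unrotated because they were believed unused. The script below is an added example written for this article, not Cloudflare’s or Heimdal’s code. It walks a credential inventory after an upstream identity-provider compromise and flags every secret whose current value was in force at any point during the exposure window, refusing to exempt anything on the grounds of “believed unused” or “no recorded use”. The CSV inventory, its column names, and the exposure-window dates are constructed for illustration.

```python
"""Post-incident credential audit.

Added example for this article (not Cloudflare's or Heimdal's code). The CSV
inventory, its column names and the exposure-window dates are constructed
for illustration. The rule: any secret whose current value was in force at
some point while the upstream system was compromised gets rotated, and
"believed unused" is not an exemption.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed exposure window: the period the upstream IdP's support system
# was under attacker control. Substitute your own incident's dates.
EXPOSURE_START = date(2023, 9, 28)
EXPOSURE_END = date(2023, 10, 17)

# Constructed inventory; a real one would be exported from the secrets
# manager, IdP and SCM token stores. last_rotated == created means the secret
# has never been rotated; an empty last_used means no use was ever recorded.
INVENTORY_CSV = """\
name,kind,created,last_rotated,last_used,believed_unused
deploy-token-prod,access_token,2023-01-10,2023-10-20,2023-11-01,no
svc-wiki-sync,service_account,2023-03-05,2023-03-05,,yes
bitbucket-ci,access_token,2023-11-05,2023-11-05,2023-11-20,no
svc-sheet-bridge,service_account,2022-06-01,2023-10-01,2023-10-30,no
svc-legacy-export,service_account,2021-02-14,2021-02-14,2022-01-09,yes
"""


@dataclass(frozen=True)
class Credential:
    name: str
    kind: str
    created: date
    last_rotated: date
    last_used: Optional[date]
    believed_unused: bool


def load_inventory(csv_text: str) -> list:
    """Parse the CSV export into Credential records."""
    creds = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        last_used = row["last_used"].strip()
        creds.append(Credential(
            name=row["name"],
            kind=row["kind"],
            created=date.fromisoformat(row["created"]),
            last_rotated=date.fromisoformat(row["last_rotated"]),
            last_used=date.fromisoformat(last_used) if last_used else None,
            believed_unused=row["believed_unused"].strip().lower() == "yes",
        ))
    return creds


def secret_was_exposed(cred: Credential, window_end: date = EXPOSURE_END) -> bool:
    """The secret currently in force has been valid since last_rotated, so it
    was live during the window iff it came into force before the window
    closed. Rotating *inside* the window does not clear it: the new value may
    have been captured as well. last_used and believed_unused are deliberately
    not consulted here."""
    return cred.last_rotated <= window_end


def audit(creds, window_start: date = EXPOSURE_START, window_end: date = EXPOSURE_END):
    """Return (rotate, clear): rotate is a list of (name, reason) pairs in
    inventory order; clear is a list of names whose secret post-dates the window."""
    rotate, clear = [], []
    for c in creds:
        if not secret_was_exposed(c, window_end):
            clear.append(c.name)
            continue
        if c.last_rotated < window_start:
            reason = f"secret unchanged since {c.last_rotated}, predates the window"
        else:
            reason = f"rotated {c.last_rotated}, inside the window"
        if c.believed_unused or c.last_used is None:
            reason += "; marked/observed unused, rotate or revoke anyway"
        rotate.append((c.name, reason))
    return rotate, clear


if __name__ == "__main__":
    rotate, clear = audit(load_inventory(INVENTORY_CSV))
    print(f"{len(rotate)} credential(s) must be rotated:")
    for name, reason in rotate:
        print(f"  {name}: {reason}")
    print(f"{len(clear)} clear: {', '.join(clear)}")
```

Run as a script it prints the rotation list. The hard part in practice is not this filter but the inventory fed into it: the check only catches a forgotten token if every token store, including the ones nobody remembers, is exported into the CSV.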


Author Profile

Madalina Popovici

Digital PR Specialist


Madalina, a seasoned digital content creator at Heimdal®, blends her passion for cybersecurity with an 8-year background in PR & CSR consultancy. Skilled in making complex cyber topics accessible, she bridges the gap between cyber experts and the wider audience with finesse.
