follows another strike targeting Cloudflare after past incident linked to Okta breach
Cloudflare Suffers Sophisticated Supply-Chain Attack
In mid-November 2023, Cloudflare, a leading internet infrastructure company, was re-compromised due to a complex supply-chain attack linked to an earlier breach at Okta. The attackers exploited leaked service tokens and service account credentials from Okta to gain administrative access to Cloudflare’s Atlassian platforms, ultimately compromising several key systems.
The affected systems included Cloudflare’s source code repositories on Atlassian Bitbucket, internal wiki platform Confluence, bug tracking and issue management system Jira, and an AWS instance hosting infrastructure related to Cloudflare’s global network operations.
The threat actor's presence in Cloudflare's systems was first detected on November 23, and multiple malicious accounts were deactivated over the course of the day. The attackers were able to get in because the service token and accounts had not been rotated, in the incorrect belief that they were unused.
Following the intrusion, Cloudflare redirected significant technical staff resources to investigate the breach and harden its systems. Over 5,000 individual production credentials were rotated as part of a comprehensive effort to secure Cloudflare's systems. Forensic triage was performed on 4,893 systems, and every machine in Cloudflare's global network was reimaged and rebooted.
The threat actor used one access token and three service account credentials that Cloudflare failed to rotate after the environment was compromised by an earlier October attack against Okta. The attackers searched Cloudflare's Atlassian server for Jira tickets about vulnerability management, secrets rotation, multifactor authentication bypass, network access, and Cloudflare's response to the Okta incident.
Cloudflare and its incident response firm CrowdStrike believe the threat actor to be a nation-state attacker. The threat actor accessed multiple Cloudflare systems, including Atlassian products, but no Cloudflare customer data or systems were impacted by this event. The threat actor's actions were limited to the systems on which their activity was observed.
It's worth noting that the AWS environment used to power the Cloudflare Apps marketplace was accessed by the threat actor, but it was segmented with no access to Cloudflare's global network or customer data. The last evidence of threat activity was on November 24, and all threat actor access and connections were terminated on that day.
This breach serves as a reminder of the critical role of managing SaaS applications and third-party service credentials, especially non-human or service accounts. The attackers exploited a SaaS-to-SaaS trust relationship in which Smartsheet had been granted administrative access to Cloudflare's Atlassian environment, allowing them to move laterally from compromised credentials within third-party SaaS platforms into Cloudflare's core internal systems.
In the past, Cloudflare and Okta have been targets of multiple attacks, including a breach of an Okta support engineer's system in January 2022 and a phishing attack in August 2022. The Okta incident ultimately exposed data on all of the single sign-on provider's customer support system clients.
Despite these events, Cloudflare's CEO, CTO, and CSO have confirmed that no Cloudflare customer data or systems were impacted by this event.
- Cloudflare's incident response team found that the threat actor, believed to be a nation-state attacker, searched for Jira tickets about vulnerability management and secrets rotation, indicating a focus on Cloudflare's security posture and cloud infrastructure.
- The attackers gained access to Cloudflare's systems through leaked service tokens and service account credentials, an exposure that was not remediated even after the environment was compromised in the earlier Okta incident.
- This supply-chain attack is a stark reminder of the importance of managing SaaS applications and third-party service credentials, as the attackers were able to move laterally from compromised credentials within third-party SaaS platforms into Cloudflare's core internal systems.