The aftermath of the 2023 Okta breach continues to unfold, with Cloudflare disclosing the details of its security compromise.
Cloudflare, a globally renowned cloud services provider, experienced a security incident on Thanksgiving Day, 23 November 2023, allowing unauthorized access to their internal Atlassian server. The company confirmed no customer data or systems were affected by the intrusion, which was effectively blocked within 24 hours.
The investigation was concluded recently. According to the company’s blog post published on 2 February 2024, Cloudflare detected the breach on 24 November 2023 and launched an investigation, which it called Project Code Red, on 27 November in cooperation with CrowdStrike.
Cloudflare’s systems were accessed by attackers using one access token and three service account credentials that were stolen during a previous Okta breach in October 2023. The threat actor gained access to its Atlassian environment using the stolen credentials, reportedly seeking information about the architecture, security, and management of Cloudflare’s global network. It is worth noting that Cloudflare’s Atlassian system hosts internal collaboration tools such as Confluence and Jira.
“The threat actor accessed Jira tickets about vulnerability management, secret rotation, MFA bypass, network access, and even our response to the Okta incident itself. The wiki searches and pages accessed suggest the threat actor was very interested in all aspects of access to our systems: password resets, remote access, configuration, our use of Salt, but they did not target customer data or customer configurations.”
Cloudflare discovered that a ‘nation-state attacker’ could be responsible for their server’s breach. However, the company did not share further details on the possible perpetrator. The attacker accessed its Confluence wiki, Jira bug database, and Bitbucket source code management system on 14 November 2023.
Cloudflare CEO Matthew Prince, CTO John Graham-Cumming, and CISO Grant Bourzikas stated that on November 22, hackers gained persistent access to their Atlassian server, source code management system, and console server.
They also unsuccessfully attempted to gain access to a data center in São Paulo, Brazil, which was not yet put into production by Cloudflare. As a precautionary measure, every piece of equipment at its Brazil data center was returned to manufacturers to ensure the facility was safe.
As for prevention, response measures from Cloudflare’s staff included rotating all 5,000 unique production credentials, physically segmenting test and staging systems, performing forensic triage on around 4,983 systems, and re-imaging and rebooting global network systems.
According to Cloudflare, this includes all Atlassian servers, including Bitbucket, Jira, and Confluence. Although all remediation efforts were completed by 5 January, Cloudflare is still actively focusing on software hardening, and credential and vulnerability management.
For your information, Okta, an identity and access management services provider, reported a data breach on 23 October 2023, allowing unauthorized access to files, including session tokens, which could be used for hijacking attacks.
The attacker used a stolen account between September 28 and October 17, 2023, to view, update, and extract sensitive data by accessing Okta’s support case management system.
Okta’s chief security officer, David Bradbury, revealed that at least 134 customers were impacted by the breach and some files were HAR files containing session tokens, which could be used for session hijacking attacks.
Many firms have reportedly been targeted with stolen Okta credentials, Cloudflare being one of them. Previously, 1Password, one of Okta’s customers, reportedly was targeted. On September 29, 2023, 1Password detected suspicious activity where a threat actor used a stolen session token to access its Okta administrative portal.
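The HAR files at the centre of the Okta incident carry session cookies and bearer headers verbatim, so a defender-side control is to strip that material before a capture is ever attached to a support case. The following is an added example written for this article, not code from Okta, Cloudflare or any affected company; the sample HAR, the header list and the function names are constructed for illustration.

```python
import json

# Headers whose values can carry bearer tokens or session cookies (assumed list).
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie"}
REDACTED = "[REDACTED]"

def _scrub_pairs(pairs, names=None):
    """Redact the 'value' of each {name, value} pair; every pair if names is None."""
    count = 0
    for pair in pairs:
        if (names is None or pair.get("name", "").lower() in names) and pair.get("value"):
            pair["value"] = REDACTED
            count += 1
    return count

def sanitize_har(har):
    """Return (sanitized deep copy of the HAR dict, number of values redacted)."""
    har = json.loads(json.dumps(har))  # deep copy; the caller's object is untouched
    count = 0
    for entry in har.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            msg = entry.get(side, {})
            count += _scrub_pairs(msg.get("headers", []), SENSITIVE_HEADERS)
            count += _scrub_pairs(msg.get("cookies", []))  # HAR repeats cookies here
    return har, count

def has_session_material(har):
    """Pre-upload check: True if any sensitive header or cookie value is still present."""
    for entry in har.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            msg = entry.get(side, {})
            for h in msg.get("headers", []):
                if h.get("name", "").lower() in SENSITIVE_HEADERS and h.get("value") not in ("", REDACTED):
                    return True
            if any(c.get("value") not in ("", REDACTED) for c in msg.get("cookies", [])):
                return True
    return False

# Constructed sample HAR (not a real capture): one admin request carrying a session cookie.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {"method": "GET", "url": "https://example.test/admin",
                "headers": [{"name": "Cookie", "value": "sid=abc123"},
                            {"name": "Accept", "value": "*/*"}],
                "cookies": [{"name": "sid", "value": "abc123"}]},
    "response": {"status": 200,
                 "headers": [{"name": "Set-Cookie", "value": "sid=def456; HttpOnly"}],
                 "cookies": [{"name": "sid", "value": "def456"}]}}]}}

if __name__ == "__main__":
    clean, n = sanitize_har(SAMPLE_HAR)
    print(f"redacted {n} values; session material left: {has_session_material(clean)}")
```

Run against a real browser export, the check function is the gate to enforce before a HAR leaves the organisation; the sanitizer does not touch request bodies or query strings, which may need the same treatment depending on the application.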