Friday, February 2, 2024

Cloudflare Faces Nation-State Attack: Breach Timeline and Security Measures



In a recent revelation, Cloudflare, a prominent web infrastructure company, disclosed that it fell victim to a likely nation-state attack between November 14 and 24, 2023. Detected on November 23, the intrusion exploited stolen credentials to gain unauthorized access to Cloudflare's Atlassian server. The attacker, described as sophisticated, operated with the goal of obtaining persistent and widespread access to Cloudflare's global network, acting in a thoughtful and methodical manner.


As a precautionary measure, Cloudflare swiftly implemented security protocols, rotating more than 5,000 production credentials, physically segregating test and staging systems, and conducting forensic triage on 4,893 systems. Furthermore, the company reimaged and rebooted every machine across its global network. The breach involved a four-day reconnaissance period, during which the threat actor accessed Atlassian Confluence and Jira portals. Subsequently, the attacker created a rogue Atlassian user account to establish persistent access to the Atlassian server and eventually gained entry to the Bitbucket source code management system via the Sliver adversary simulation framework.


The breach impacted a total of 120 code repositories, with an estimated 76 repositories being exfiltrated by the attacker. The compromised repositories primarily contained information related to Cloudflare's network architecture, security protocols, global network management, identity management, remote access procedures, and the company's utilization of Terraform and Kubernetes. Notably, a small number of repositories contained encrypted secrets, which were promptly rotated despite their strong encryption.


Cloudflare identified the threat actor's unsuccessful attempt to access a console server in São Paulo, Brazil, which had not yet been put into production. The attack was facilitated by the use of one access token and three service account credentials associated with Amazon Web Services (AWS), Atlassian Bitbucket, Moveworks, and Smartsheet. These credentials were stolen during the October 2023 hack of Okta's support case management system. Cloudflare acknowledged its failure to rotate these credentials, as they were mistakenly assumed to be unused.


In response to the breach, Cloudflare took immediate action to terminate all malicious connections originating from the threat actor on November 24, 2023. Additionally, the company engaged the services of cybersecurity firm CrowdStrike to conduct an independent assessment of the incident. The breach serves as a stark reminder of the persistent and evolving threats posed by sophisticated adversaries and underscores the critical importance of proactive security measures in safeguarding against such cyber attacks.
