Cloudflare Faces Nation-State Cyber Intrusion: Internal Systems Breached, Source Code Targeted

Feb 2, 2024 | News

Cloudflare has disclosed a security incident in which a suspected nation-state attacker gained access to its self-hosted Atlassian server. The intrusion began on November 14 and involved unauthorized access to Cloudflare's Confluence wiki, Jira bug database and Bitbucket source code management system. After gaining entry, the attacker spent a reconnaissance phase browsing Confluence and Jira before going further.

The intrusion unfolded in two stages; the attacker established persistent access on November 22. Entry was obtained with one access token and three service account credentials that had been stolen during the October 2023 compromise of Cloudflare's Okta instance. Cloudflare had not rotated these four credentials after the Okta incident (it mistakenly believed they were unused), which is what let the attacker back in. Cloudflare detected the malicious activity on November 23, cut off the attacker's access on November 24 and began its forensic investigation on November 26.
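The failure described above is a missed check rather than a missed patch: after a third party such as an identity provider is compromised, every credential that existed before the compromise must be rotated, whether or not it looks in use. The following is an added example of that audit, not Cloudflare's own tooling; the inventory, credential names, and the assumed compromise date are constructed for illustration (the article only says "October 2023").

```python
"""Stale-credential audit after an upstream (identity-provider) compromise.

Added example, not Cloudflare's tooling. Given a secrets inventory and the
date a third party such as an IdP was compromised, flag every credential
that existed before that date and has not been rotated since. Looking
"unused" is deliberately not a reason to skip a credential.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class Credential:
    name: str                   # hypothetical identifier, not a real secret name
    kind: str                   # "service_account" or "access_token"
    issued: date                # when the secret was minted
    last_rotated: Optional[date]
    last_used: Optional[date]   # last authentication seen in logs, if any


# Constructed inventory for illustration; names and dates are made up.
INVENTORY: List[Credential] = [
    Credential("ci-deploy",  "service_account", date(2023, 3, 1),  date(2023, 10, 25), date(2023, 11, 1)),
    Credential("wiki-bot",   "service_account", date(2022, 6, 9),  None,               None),
    Credential("scm-reader", "access_token",    date(2023, 1, 10), date(2023, 10, 18), date(2023, 11, 22)),
    Credential("new-token",  "access_token",    date(2023, 11, 1), None,               date(2023, 11, 5)),
    Credential("sheet-sync", "service_account", date(2023, 5, 2),  date(2023, 9, 1),   date(2023, 10, 1)),
]

# Date assumed for the example; the article only says "October 2023".
COMPROMISE_DATE = date(2023, 10, 18)


def stale_after_compromise(inventory, compromise_date):
    """Credentials that predate the compromise and were not rotated strictly after it.

    A rotation on the compromise date itself is treated as unsafe, because
    the ordering of the rotation and the theft on that day is unknown.
    """
    stale = []
    for cred in inventory:
        if cred.issued > compromise_date:
            continue  # minted after the exposure window, never leaked
        if cred.last_rotated is not None and cred.last_rotated > compromise_date:
            continue  # rotated after the exposure; the old value is dead
        stale.append(cred)
    return stale


def audit(inventory, compromise_date):
    """Pair each stale credential with the action a responder should take."""
    findings = []
    for cred in stale_after_compromise(inventory, compromise_date):
        if cred.last_used is None or cred.last_used <= compromise_date:
            # Dormant does not mean dead: the leaked value still authenticates.
            action = "looks unused; rotate anyway"
        else:
            # Activity after the theft may be the attacker, not the owner.
            action = "used after compromise; rotate and review the access log"
        findings.append((cred.name, action))
    return findings


if __name__ == "__main__":
    for name, action in audit(INVENTORY, COMPROMISE_DATE):
        print(f"{name}: {action}")
```

The two branches in `audit` are the point: a credential with no recent use is exactly the kind that gets skipped during rotation, while a supposedly dormant credential that shows activity after the compromise date deserves a log review as well as rotation, since the activity may be the attacker rather than the owner.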

Cloudflare's response was extensive. It rotated more than 5,000 unique production credentials, physically segmented its test and staging systems, performed forensic triage on 4,893 systems, and reimaged and rebooted every machine in its global network, including the Atlassian servers running Jira, Confluence and Bitbucket.

Cloudflare states that no customer data or systems were affected, and that its services, global network and configurations were not impacted.

Although remediation concluded on January 5, work continues on software hardening, credential management and vulnerability mitigation. The attacker's focus on information about the architecture, security and management of Cloudflare's global network points to a nation-state actor seeking persistent, widespread access.

The incident follows the October 2023 compromise of Cloudflare's Okta instance and shows how credentials stolen in a third-party breach can resurface weeks later if they are not rotated.


Source: bleepingcomputer.com