Tara Seals, Managing Editor, News, Dark Reading
February 2, 2024
3 Min Read
Cloudflare was a victim of the wide-ranging Okta supply-chain campaign last fall, with a data breach impacting its Atlassian Bitbucket, Confluence, and Jira platforms beginning on Thanksgiving Day.
"Based on our collaboration with colleagues in the industry and government, we believe that this attack was performed by a nation-state attacker with the goal of obtaining persistent and widespread access to Cloudflare's global network," the Internet security and DDoS protection company said in a blog on the Okta-related cyber incident, published yesterday.
Cyberattackers Looked for Lateral Movement Options
Cloudflare worked with CrowdStrike and was able to determine that, after initial reconnaissance work, cyberattackers accessed its internal wiki (Confluence) and bug database (Jira) before establishing persistence on its Atlassian server. From there, the perpetrators poked around for places to pivot into, successfully puddle-hopping into the Cloudflare source code management system (Bitbucket) and an AWS instance.
The analysis showed that the cyberattackers were "looking for information about the configuration and management of our global network, and accessed various Jira tickets ... relating to vulnerability management, secret rotation, MFA bypass, network access, and even our response to the Okta incident itself."
But they were largely shut out of other systems they tried, like a console server that had access to a dormant data center in São Paulo.
In all, the unknown assailants "accessed some documentation and a limited amount of source code," but no customer data or systems, according to Cloudflare, thanks to network segmentation and the implementation of a zero-trust authentication approach that limited lateral movement.
Nonetheless, the firm erred on the side of caution: "We undertook a comprehensive effort to rotate every production credential (more than 5,000 individual credentials), physically segment test and staging systems, performed forensic triages on 4,893 systems, reimaged and rebooted every machine in our global network including all the systems the threat actor accessed and all Atlassian products (Jira, Confluence, and Bitbucket)."
"This…attack on one of the largest [software-as-a-service] companies…severely highlights the risks of supply chain attacks," says Tal Skverer, research team lead for Astrix Security. "In this breach, we again see how non-human access is abused by attackers to achieve high privilege access to internal systems which goes unmonitored. We also see how attackers are targeting both cloud, SaaS and also on-prem solutions to expand their access."
Yet Another Okta Breach Victim
In October, Okta, the identity and access management services provider, disclosed that its customer support case management system was compromised, exposing sensitive customer data including cookies and session tokens, usernames, emails, company names, and more. Initially the company said that less than 1% of its customers were affected (134 in all), but in late November the company widened the number to a staggering 100%.
"They [achieved compromise] by using one access token and three service account credentials that had been taken, and that we failed to rotate, after the Okta compromise of October 2023," according to Cloudflare. "All threat actor access and connections were terminated on November 24 and CrowdStrike has confirmed that the last evidence of threat activity was on November 24 at 10:44."
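The failure described above, an access token and service-account credentials that were taken in an upstream vendor compromise and never rotated afterward, is the kind of gap an inventory check can catch. The following is an added example, not Cloudflare's or Okta's code: given a constructed list of non-human credentials with their last rotation and last use timestamps, it reports which ones predate the vendor's compromise notice and, more urgently, which stale ones were still being used after it. The credential names, timestamps and field layout are assumptions; the October 19 notification date is the one the article quotes.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Dict

# Naive datetimes are treated as UTC throughout (assumption for this example).
def ts(value: str) -> datetime:
    return datetime.fromisoformat(value)

# Date the upstream vendor notified customers and advised rotation (from the article).
VENDOR_COMPROMISE_NOTICE = ts("2023-10-19T00:00:00")


@dataclass
class Credential:
    name: str                         # hypothetical identifier in the inventory
    kind: str                         # "access_token" or "service_account"
    issued_at: datetime
    last_rotated: Optional[datetime]  # None means never rotated since issuance
    last_used: Optional[datetime]     # None means no recorded use


# Constructed sample inventory; names and dates are invented for illustration.
SAMPLE_INVENTORY: List[Credential] = [
    Credential("okta-scim-token", "access_token",
               ts("2023-06-01T00:00:00"), None, ts("2023-11-14T09:30:00")),
    Credential("svc-atlassian", "service_account",
               ts("2023-01-10T00:00:00"), ts("2023-09-01T00:00:00"), ts("2023-11-22T18:05:00")),
    Credential("svc-bitbucket-ci", "service_account",
               ts("2023-02-15T00:00:00"), ts("2023-10-20T08:00:00"), ts("2023-11-30T12:00:00")),
    Credential("svc-legacy-dc", "service_account",
               ts("2022-11-01T00:00:00"), ts("2023-03-01T00:00:00"), ts("2023-08-01T00:00:00")),
]


def effective_rotation(cred: Credential) -> datetime:
    """A credential never rotated is only as fresh as its issuance."""
    return cred.last_rotated if cred.last_rotated is not None else cred.issued_at


def unrotated_since(creds: List[Credential], cutoff: datetime) -> List[Credential]:
    """Credentials whose secret material predates the cutoff and may have been exposed."""
    return [c for c in creds if effective_rotation(c) < cutoff]


def used_while_stale(creds: List[Credential], cutoff: datetime) -> List[Credential]:
    """Stale credentials with activity after the cutoff: possible use of the exposed secret."""
    return [c for c in unrotated_since(creds, cutoff)
            if c.last_used is not None and c.last_used > cutoff]


def rotation_report(creds: List[Credential], cutoff: datetime) -> Dict[str, List[str]]:
    """Summarise what still needs rotating and what needs investigation first."""
    return {
        "rotate": [c.name for c in unrotated_since(creds, cutoff)],
        "investigate_first": [c.name for c in used_while_stale(creds, cutoff)],
    }


if __name__ == "__main__":
    report = rotation_report(SAMPLE_INVENTORY, VENDOR_COMPROMISE_NOTICE)
    for bucket, names in report.items():
        print(f"{bucket}: {', '.join(names) or '(none)'}")
```

The "investigate_first" bucket is the one that matters for incident response: a credential that was both exposed upstream and active afterward warrants a review of what that identity touched, not just a rotation. In a real environment the inventory would come from the identity provider and secrets manager rather than a hard-coded list.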
An Okta spokesperson tells Dark Reading: "This is not a new incident or disclosure on the part of Okta. On Oct. 19, we notified customers, shared guidance to rotate credentials, and provided indicators of compromise (IoCs) related to the October security incident. We can't comment on our customers' security remediations."
About the Author(s)
Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.