Cloudflare Falls Victim to Okta Breach, Atlassian Systems Cracked

The cyberattackers, believed to be state sponsored, didn't get far into Cloudflare's global network, but not for lack of trying.

the cloudflare logo
Source: Cloudflare

Cloudflare was a victim of the wide-ranging Okta supply-chain campaign last fall, with a data breach impacting its Atlassian Bitbucket, Confluence, and Jira platforms beginning on Thanksgiving Day.

"Based on our collaboration with colleagues in the industry and government, we believe that this attack was performed by a nation-state attacker with the goal of obtaining persistent and widespread access to Cloudflare's global network," the Internet security and DDoS protection company said in a blog on the Okta-related cyber incident, published yesterday.

Cyberattackers Looked for Lateral Movement Options

Cloudflare worked with CrowdStrike and was able to determine that, after initial reconnaissance work, cyberattackers accessed its internal wiki (Confluence) and bug database (Jira) before establishing persistence on its Atlassian server. From there, the perpetrators poked around for places to pivot into, successfully puddle-hopping into the Cloudflare source code management system (Bitbucket) and an AWS instance.

The analysis showed that the cyberattackers were "looking for information about the configuration and management of our global network, and accessed various Jira tickets ... relating to vulnerability management, secret rotation, MFA bypass, network access, and even our response to the Okta incident itself."

But they were largely shut out of other systems they tried, like a console server that had access to a dormant data center in São Paulo.

In all, the unknown assailants "accessed some documentation and a limited amount of source code," but no customer data or systems, according to Cloudflare, thanks to network segmentation and the implementation of a zero-trust authentication approach that limited lateral movement.

Nonetheless, the firm erred on the side of caution: "We undertook a comprehensive effort to rotate every production credential (more than 5,000 individual credentials), physically segment test and staging systems, performed forensic triages on 4,893 systems, reimaged and rebooted every machine in our global network including all the systems the threat actor accessed and all Atlassian products (Jira, Confluence, and Bitbucket)."

"This…attack on one of the largest [software-as-a-service] companies…severely highlights the risks of supply chain attacks,” says Tal Skverer, research team lead for Astrix Security. "In this breach, we again see how non-human access is abused by attackers to achieve high privilege access to internal systems which goes unmonitored. We also see how attackers are targeting both cloud, SaaS and also on-prem solutions to expand their access."

Yet Another Okta Breach Victim

In October, Okta, the identity and access management services provider, disclosed that its customer support case management system was compromised, exposing sensitive customer data including cookies and session tokens, usernames, emails, company names, and more. Initially the company said that less than 1% of its customers were affected (134 in all), but in late November the company widened the number to a staggering 100%.

"They [achieved compromise] by using one access token and three service account credentials that had been taken, and that we failed to rotate, after the Okta compromise of October 2023," according to Cloudflare. "All threat actor access and connections were terminated on November 24 and CrowdStrike has confirmed that the last evidence of threat activity was on November 24 at 10:44."

An Okta spokesperson tells Dark Reading: "This is not a new incident or disclosure on the part of Okta. On Oct. 19, we notified customers, shared guidance to rotate credentials, and provided indicators of compromise (IoCs) related to the October security incident. We can't comment on our customers' security remediations."

About the Author(s)

Tara Seals, Managing Editor, News, Dark Reading

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights