Cloudflare Falls Victim to Okta Breach, Atlassian Systems Cracked

Cloudflare was a victim of the wide-ranging Okta supply-chain campaign last fall, with a data breach impacting its Atlassian Bitbucket, Confluence, and Jira platforms beginning on Thanksgiving Day.

"Based on our collaboration with colleagues in the industry and government, we believe that this attack was performed by a nation-state attacker with the goal of obtaining persistent and widespread access to Cloudflare's global network," the Internet security and DDoS protection company said in a blog on the Okta-related cyber incident, published yesterday.

Cyberattackers Looked for Lateral Movement Options

Cloudflare worked with CrowdStrike and was able to determine that, after initial reconnaissance work, cyberattackers accessed its internal wiki (Confluence) and bug database (Jira) before establishing persistence on its Atlassian server. From there, the perpetrators poked around for places to pivot into, successfully puddle-hopping into the Cloudflare source code management system (Bitbucket) and an AWS instance.

The analysis showed that the cyberattackers were "looking for information about the configuration and management of our global network, and accessed various Jira tickets ... relating to vulnerability management, secret rotation, MFA bypass, network access, and even our response to the Okta incident itself."

But they were largely shut out of other systems they tried, like a console server that had access to a dormant data center in São Paulo.

In all, the unknown assailants "accessed some documentation and a limited amount of source code," but no customer data or systems, according to Cloudflare, thanks to network segmentation and the implementation of a zero-trust authentication approach that limited lateral movement.

Nonetheless, the firm erred on the side of caution: "We undertook a comprehensive effort to rotate every production credential (more than 5,000 individual credentials), physically segment test and staging systems, performed forensic triages on 4,893 systems, reimaged and rebooted every machine in our global network including all the systems the threat actor accessed and all Atlassian products (Jira, Confluence, and Bitbucket)."

"This…attack on one of the largest [software-as-a-service] companies…severely highlights the risks of supply chain attacks,” says Tal Skverer, research team lead for Astrix Security. "In this breach, we again see how non-human access is abused by attackers to achieve high privilege access to internal systems which goes unmonitored. We also see how attackers are targeting both cloud, SaaS and also on-prem solutions to expand their access."

Yet Another Okta Breach Victim

In October, Okta, the identity and access management services provider, disclosed that its customer support case management system was compromised, exposing sensitive customer data including cookies and session tokens, usernames, emails, company names, and more. Initially the company said that less than 1% of its customers were affected (134 in all), but in late November the company widened the number to a staggering 100%.

"They [achieved compromise] by using one access token and three service account credentials that had been taken, and that we failed to rotate, after the Okta compromise of October 2023," according to Cloudflare. "All threat actor access and connections were terminated on November 24 and CrowdStrike has confirmed that the last evidence of threat activity was on November 24 at 10:44."

An Okta spokesperson tells Dark Reading: "This is not a new incident or disclosure on the part of Okta. On Oct. 19, we notified customers, shared guidance to rotate credentials, and provided indicators of compromise (IoCs) related to the October security incident. We can't comment on our customers' security remediations."