CyberSecurity SEE

Cloudflare is affected by Okta breach, and Atlassian systems are compromised

Cloudflare experienced a breach in its Atlassian Bitbucket, Confluence, and Jira platforms in a wide-ranging Okta supply-chain campaign last fall. The attack, which began on Thanksgiving Day, was believed to have been carried out by a nation-state attacker with the goal of obtaining persistent and widespread access to Cloudflare’s global network, according to the company.

In a blog post published yesterday, Cloudflare stated that the cyberattackers, after initial reconnaissance work, accessed its internal wiki (Confluence) and bug database (Jira) before establishing persistence on its Atlassian server. They then probed for ways to pivot further, gaining access to the Cloudflare source code management system (Bitbucket) and an AWS instance. The attackers sought information about the configuration and management of Cloudflare’s global network and accessed various Jira tickets related to vulnerability management, secret rotation, MFA bypass, network access, and the company’s response to the Okta incident itself.

While the cyberattackers managed to access some documentation and a limited amount of source code, Cloudflare confirmed that no customer data or systems were compromised, thanks to network segmentation and a zero-trust authentication approach that limited lateral movement. As a precautionary measure, the company initiated a comprehensive effort to rotate every production credential, physically segment test and staging systems, and perform forensic triage on 4,893 systems. It also reimaged and rebooted every machine in its global network, including all the systems that the threat actor accessed and all Atlassian products.

Commenting on the breach, Tal Skverer, research team lead for Astrix Security, highlighted the risks associated with supply chain attacks and attackers’ exploitation of non-human access to gain high-privilege access to internal systems. Skverer also emphasized that attackers are targeting cloud, SaaS, and on-prem solutions alike to expand their access.

This incident was not the first time that Okta, the identity and access management services provider, faced a security breach. In October, Okta disclosed that its customer support case management system had been compromised, exposing sensitive customer data including cookies, session tokens, usernames, emails, and company names. Initially, the company claimed that less than 1% of its customers were affected, but later widened the number to include its entire customer base.

Cloudflare confirmed that the cyberattackers were able to compromise its security by using one access token and three service account credentials that had been acquired following the Okta compromise of October 2023. However, all threat actor access and connections were terminated, and the last evidence of threat activity was confirmed to be on November 24.
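The lesson of the token and service-account credentials above is that anything a compromised supplier may have held must be rotated after the supplier's incident, not just the credentials the supplier names. The following audit is an added example, not Cloudflare's or Okta's code: it takes a constructed inventory of non-human credentials (names, kinds and the incident date are assumed for illustration) and flags those held by the supplier that have not been rotated since the incident.

```python
from dataclasses import dataclass
from datetime import date

# Constructed inventory record (not any vendor's real format): one entry per
# non-human credential, with where it was held and when it was last rotated.
@dataclass(frozen=True)
class Credential:
    name: str
    kind: str                 # "access_token" or "service_account"
    last_rotated: date
    held_by_supplier: bool    # True if the supplier's systems could expose it

def stale_credentials(inventory, supplier_incident: date):
    """Names of credentials the supplier held that were not rotated after the
    supplier's incident date. These are the ones to rotate first."""
    return sorted(
        c.name for c in inventory
        if c.held_by_supplier and c.last_rotated <= supplier_incident
    )

def summarize_by_kind(inventory, supplier_incident: date):
    """Count of stale credentials per kind, for the rotation plan."""
    stale = set(stale_credentials(inventory, supplier_incident))
    counts = {}
    for c in inventory:
        if c.name in stale:
            counts[c.kind] = counts.get(c.kind, 0) + 1
    return counts

# Assumed incident date and constructed sample inventory: four unrotated
# credentials (one token, three service accounts), one rotated after the
# incident, and one never held by the supplier.
SUPPLIER_INCIDENT = date(2023, 10, 18)   # placeholder date, not from the article
SAMPLE_INVENTORY = [
    Credential("api-token-01", "access_token", date(2023, 9, 1), True),
    Credential("svc-wiki", "service_account", date(2023, 6, 15), True),
    Credential("svc-bugdb", "service_account", date(2023, 8, 20), True),
    Credential("svc-repo", "service_account", date(2023, 10, 1), True),
    Credential("svc-db", "service_account", date(2023, 11, 2), True),
    Credential("api-token-02", "access_token", date(2023, 5, 1), False),
]

if __name__ == "__main__":
    for name in stale_credentials(SAMPLE_INVENTORY, SUPPLIER_INCIDENT):
        print("rotate:", name)
    print(summarize_by_kind(SAMPLE_INVENTORY, SUPPLIER_INCIDENT))
```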

An Okta spokesperson stated that the incident was not new and that they had notified customers, shared guidance to rotate credentials, and provided indicators of compromise related to the October security incident. The spokesperson declined to comment on customers’ security remediations.

This latest breach underscores the ongoing threat posed by supply chain attacks and the importance of implementing robust security measures to protect against cyber threats. Both Cloudflare and Okta, along with other organizations, must remain vigilant and proactive in addressing potential security vulnerabilities to safeguard their networks and systems.
