Cloudflare Discloses Breach Stemming from Okta Incident
Cloudflare found itself in the headlines again on Thursday, but this time for reasons it had not previously disclosed. The cybersecurity vendor has revealed that it was the target of a cyberattack connected to the infamous Okta breach that occurred last fall. Cloudflare disclosed in a blog post that an unnamed nation-state threat actor managed to gain access to its internal systems using an access token and three service account credentials stolen during the October Okta breach. This revelation comes after Cloudflare announced last year that it had successfully mitigated an attempted cyberattack stemming from the same incident.
According to Cloudflare, the threat actor was able to access its internal wiki on Atlassian Confluence, its bug database on Atlassian Jira, and its source code management system on Atlassian Bitbucket. Fortunately, the company reported that the operational impact of the breach was minimal and that no customer data or systems were compromised.
Cloudflare CEO Matthew Prince, CTO John Graham-Cumming, and CISO Grant Bourzikas stated in the blog post that, “Because of our access controls, firewall rules, and use of hard security keys enforced using our own Zero Trust tools, the threat actor’s ability to move laterally was limited. No services were implicated, and no changes were made to our global network systems or configuration.”
The attack, which began on October 18, was related to the Okta breach, in which credentials were stolen and subsequently used to gain unauthorized access to Cloudflare and several other Okta customers. The threat actor used these stolen credentials to access a support case management system at Okta that contained files with session cookies, allowing them to impersonate valid users at Cloudflare and other affected companies.
Initially, Cloudflare believed it had prevented the attempted attack and even published a blog post titled “How Cloudflare mitigated yet another Okta compromise.” However, the company later discovered that the threat actor had managed to extend the breach beyond the Okta instance, gaining access to the company’s self-hosted Atlassian server.
The company’s executives admitted that this breach was a result of their failure to rotate one service token and three service accounts, out of thousands, that were leaked during the Okta compromise. Cloudflare stated that these credentials were mistakenly believed to be unused, though it’s unclear why they thought so. TechTarget Editorial reached out to Cloudflare for further comment, but the company had not responded at press time.
Cloudflare reiterated that the breach had limited impact and that it moved quickly to contain the threat. After initially detecting the threat actor, the company began working with CrowdStrike to investigate the breach. The company engaged in a large-scale internal project titled “Code Red,” which involved the rotation of over 5,000 individual production credentials, as well as forensic examinations on nearly 5,000 systems.
The company’s Code Red effort included replacing hardware in its São Paulo data center, despite no evidence of access or persistence by the threat actor. Furthermore, Cloudflare’s engineering teams examined source code repositories and rotated encrypted secrets to ensure full security against future intrusion.
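The lesson the disclosure draws out is that a credential exposed in an upstream compromise must be rotated regardless of whether it looks unused. The following audit routine is an added illustration, not Cloudflare's tooling: it takes a constructed credential inventory and an assumed exposure date, lists every credential not rotated since that date, and separately flags the ones with no recorded use, since "no recorded use" is not evidence that a secret is dead.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

UTC = timezone.utc


@dataclass
class Credential:
    name: str
    kind: str                        # e.g. "service_token" or "service_account"
    last_rotated: datetime           # when the secret material was last replaced
    last_used: Optional[datetime]    # None = no use observed, NOT "unused"


def needs_rotation(cred: Credential, exposed_at: datetime) -> bool:
    """A credential that existed at exposure time is only safe once it has been
    rotated strictly after that moment; usage history plays no part in the decision."""
    return cred.last_rotated <= exposed_at


def audit(inventory: list, exposed_at: datetime) -> dict:
    """Return the names to rotate and, among them, the ones someone might wrongly
    dismiss as unused because no last-use timestamp was ever recorded."""
    stale = [c for c in inventory if needs_rotation(c, exposed_at)]
    return {
        "rotate": [c.name for c in stale],
        "believed_unused": [c.name for c in stale if c.last_used is None],
    }


# Constructed sample inventory and an assumed exposure date for the example.
SAMPLE_INVENTORY = [
    Credential("ci-deploy-token", "service_token",
               datetime(2023, 9, 1, tzinfo=UTC), datetime(2023, 10, 20, tzinfo=UTC)),
    Credential("wiki-sync-bot", "service_account",
               datetime(2023, 6, 15, tzinfo=UTC), None),      # looks unused, still exposed
    Credential("jira-reporter", "service_account",
               datetime(2023, 10, 25, tzinfo=UTC), datetime(2023, 10, 26, tzinfo=UTC)),
]
EXPOSED_AT = datetime(2023, 10, 18, tzinfo=UTC)

if __name__ == "__main__":
    result = audit(SAMPLE_INVENTORY, EXPOSED_AT)
    for name in result["rotate"]:
        tag = " (no recorded use; rotate anyway)" if name in result["believed_unused"] else ""
        print(f"ROTATE {name}{tag}")
```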
Cloudflare’s breach disclosure is just the latest incident tied to Okta, which has suffered multiple security breaches in recent months. These include an incident involving social engineering attacks that targeted its customers, as well as a breach by the Lapsus$ hacking group. Okta has confirmed that customer support records for about 2.5% of its customer base were compromised in this incident.
As security threats continue to evolve, organizations must remain diligent in safeguarding their systems against sophisticated attacks like the one experienced by Cloudflare. The company’s response to this breach serves as a reminder of the importance of proactive security measures in today’s threat landscape.
