Cloudflare reported that its systems were breached on Thanksgiving in 2023, allowing unauthorized access to the source code by threat actors. The IT service provider revealed that the attack, which occurred on November 23, 2023, was carried out by a nation-state actor using stolen credentials from the identity and access management (IAM) specialist Okta.

Cloudflare acknowledged that it “failed to rotate” the stolen credentials from the Okta breach, leaving the company vulnerable to the attack. However, the firm emphasized that no customer data or systems were compromised during the incident due to its zero trust environment, which limited the threat actor’s ability to move laterally. The attack was successfully halted on November 24, with all connections and access from the threat actor terminated.

An independent analysis conducted by Crowdstrike confirmed the details of the incident, and Cloudflare provided a comprehensive account of the breach in a blog post published on February 1, 2024. The post outlined the specific ways in which the attackers gained unauthorized access to the company’s systems and the steps taken by Cloudflare to detect and remediate the breach.

During the initial Okta breach on October 18, 2023, the attackers obtained one service token and three service account credentials linked to Cloudflare. These credentials provided access to various systems, including the Atlassian system, the SaaS-based Smartsheet application, and the source code management system.

According to Cloudflare, the stolen credentials were not rotated as they were mistakenly believed to be unused. The threat actor began searching for ways to access Cloudflare’s systems on November 14, using the stolen credentials to gain entry to the Atlassian Jira and Confluence systems. Once inside, the attackers sought information about the configuration and management of Cloudflare’s global network, accessing multiple Jira tickets as well as downloading 76 code repositories related to system configuration and management at Cloudflare.

The breach was detected on November 23, prompting Cloudflare’s security team to take immediate action to deactivate the compromised accounts and remove the malicious software installed by the threat actor. The company confirmed that the attackers did attempt to access other systems on its network but were ultimately contained within the Atlassian suite, preventing any unauthorized access to customer data or sensitive systems.

Following the incident, Cloudflare initiated a project called “Code Red” to strengthen its defenses and secure against future intrusion. This included a comprehensive effort to remediate the stolen source code repositories, rotating over 5,000 individual credentials, physically rotating test and staging systems, and performing forensic triages on nearly 5,000 systems. Additionally, every machine in Cloudflare’s global network, including all Atlassian products, was reimaged and rebooted to prevent any lingering access by the threat actor.

The company emphasized the suspected nation-state nature of the attack, noting that the sophisticated and methodical tactics used by the threat actor indicated a deeper motive to obtain persistent and widespread access to Cloudflare’s global network. Cloudflare stated that it collaborated with industry and government colleagues to reach this conclusion.

In conclusion, the Cloudflare breach serves as a stark reminder of the ongoing threat posed by nation-state actors and the importance of maintaining robust cybersecurity measures to protect against sophisticated attacks. The company’s response to the incident highlights the critical role of swift detection, containment, and comprehensive remediation efforts to safeguard against potential data breaches and unauthorized access to sensitive information.

Source link