
Cloudflare suffers cyberattack using stolen credentials from Okta data breach – Source: heimdalsecurity.com


Cloudflare has disclosed a security breach in which a suspected nation-state attacker infiltrated its self-hosted Atlassian server. The intrusion began on November 14, 2023 and was detected on November 23; in between, the attacker gained access to Cloudflare’s Confluence wiki, its Jira bug database and its Bitbucket source code management system.

The attackers first accessed the Atlassian server on November 14 and spent the following days on reconnaissance before returning on November 22 to establish persistent access, using the ScriptRunner for Jira plugin. From there they reached Cloudflare’s Bitbucket source code management system, but their attempts to access a console server tied to an unlaunched data center in São Paulo, Brazil, failed.

The attackers authenticated with one access token and three service account credentials that had been stolen during Okta’s October 2023 breach. Cloudflare had rotated the other credentials exposed in that incident but left these four in place because it mistakenly believed they were unused. Cloudflare detected the malicious activity on November 23 and had severed the attacker’s access by the morning of November 24.

Following the breach, Cloudflare’s security team began a thorough investigation on November 26. The company rotated more than 5,000 production credentials, performed forensic triage on 4,893 systems, and reimaged and rebooted every machine in its global network, including all Atlassian servers. It also returned the equipment from the unlaunched Brazil data center to the manufacturers for inspection. Remediation concluded on January 5, 2024, and Cloudflare is continuing work on software hardening, credential management and vulnerability management.
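The lesson of the two paragraphs above is that credentials exposed in a vendor breach must be rotated whether or not they appear to be in use, and that any use of an exposed credential between the exposure and its rotation is worth investigating. The following script is an added example (not code from Cloudflare or Heimdal) of that audit: it takes an inventory of credentials known to be exposed, with the time each was rotated (or never), parses a constructed authentication log, and reports both findings. The credential names, IP addresses, timestamps and log format are all hypothetical.

```python
"""Audit credentials exposed in a third-party breach (added example).

Finding 1: every exposed credential not rotated after the exposure time,
           regardless of whether it shows up in the logs.
Finding 2: every successful use of an exposed credential after exposure
           and before it was rotated.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Hypothetical time at which the vendor disclosed that these credentials
# may have been taken.
EXPOSURE_TIME = datetime(2023, 10, 18, 12, 0, tzinfo=timezone.utc)


@dataclass(frozen=True)
class ExposedCredential:
    cred_id: str                    # identifier as it appears in auth logs
    owner: str                      # system or team responsible for it
    rotated_at: Optional[datetime]  # None: never rotated after exposure


# Constructed inventory: one integration token and three service accounts.
INVENTORY = [
    ExposedCredential("tok-chatops-integration", "atlassian",
                      datetime(2023, 10, 19, 9, 0, tzinfo=timezone.utc)),
    ExposedCredential("svc-jira-admin", "atlassian", None),
    ExposedCredential("svc-bitbucket-ro", "atlassian", None),
    ExposedCredential("svc-cloud-env", "cloud", None),
]

# Constructed auth-log excerpt, one event per line (hypothetical format).
LOG_LINES = """\
2023-10-19T08:30:00Z auth cred=tok-chatops-integration src=10.0.5.7 result=ok
2023-10-20T14:02:11Z auth cred=tok-chatops-integration src=10.0.5.7 result=ok
2023-11-14T15:28:40Z auth cred=svc-jira-admin src=203.0.113.9 result=ok
2023-11-14T15:29:02Z auth cred=svc-bitbucket-ro src=203.0.113.9 result=fail
2023-11-22T10:11:05Z auth cred=svc-bitbucket-ro src=203.0.113.9 result=ok
2023-11-22T10:15:00Z auth cred=svc-user-unrelated src=10.0.9.1 result=ok
malformed line that the parser must skip
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth cred=(?P<cred>\S+) src=(?P<src>\S+) result=(?P<result>ok|fail)$"
)


@dataclass(frozen=True)
class AuthEvent:
    time: datetime
    cred_id: str
    src: str
    ok: bool


def parse_log(text: str) -> list[AuthEvent]:
    """Parse the constructed log format; lines that do not match are dropped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(AuthEvent(ts, m["cred"], m["src"], m["result"] == "ok"))
    return events


def audit(inventory: list[ExposedCredential], events: list[AuthEvent],
          exposure_time: datetime) -> dict:
    """Return the unrotated credentials and the suspicious uses of exposed ones."""
    by_id = {c.cred_id: c for c in inventory}
    # Finding 1: "we think it is unused" is not a reason to skip rotation.
    unrotated = sorted(
        c.cred_id for c in inventory
        if c.rotated_at is None or c.rotated_at <= exposure_time
    )
    # Finding 2: the stolen secret is only usable until it was rotated, so
    # flag successful logins in the window (exposure, rotation).
    suspicious_use = []
    for ev in events:
        cred = by_id.get(ev.cred_id)
        if cred is None or not ev.ok or ev.time <= exposure_time:
            continue
        if cred.rotated_at is None or ev.time < cred.rotated_at:
            suspicious_use.append((ev.cred_id, ev.time.isoformat(), ev.src))
    return {"unrotated": unrotated, "suspicious_use": suspicious_use}


if __name__ == "__main__":
    report = audit(INVENTORY, parse_log(LOG_LINES), EXPOSURE_TIME)
    for cred_id in report["unrotated"]:
        print(f"NOT ROTATED: {cred_id}")
    for cred_id, when, src in report["suspicious_use"]:
        print(f"USED WHILE EXPOSED: {cred_id} at {when} from {src}")
```

On the constructed data the audit flags the three service accounts that were never rotated, plus three logins: the integration token used on October 19 before its rotation that morning, and the two service accounts used from 203.0.113.9 in November. Failed attempts are deliberately excluded from the second finding; in a real investigation they belong in a separate list, since failures against an already-rotated credential are themselves a sign that someone holds the old secret.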

The stolen credentials trace back to Okta’s October 2023 breach, in which the compromise of an Okta customer support engineer’s credentials gave the attacker access to Okta’s customer support system and to files uploaded there by customers, some of which contained session tokens usable against those customers’ Okta tenants. Cloudflare, an Okta customer, detected and contained the resulting intrusion attempt at the time, with no compromise of customer data.

In the disclosure, Cloudflare CEO Matthew Prince, CTO John Graham-Cumming and CISO Grant Bourzikas stressed that the operational impact was limited, but that the incident was treated seriously because of the sensitivity of the access the attacker obtained. They assessed the attacker’s aim as gaining persistent and widespread access to Cloudflare’s global network, and confirmed that no customer data or systems were affected.

To prevent incidents like the Cloudflare breach, businesses should rotate every credential that a vendor breach could have exposed, including service accounts and tokens believed to be unused, and monitor for any subsequent use of them; train employees with a focus on phishing awareness and current threats; adopt a Zero-Trust security model; enforce multi-factor authentication; deploy threat detection capable of spotting anomalous use of service credentials; and maintain a rapid incident response plan. Effective vendor risk management is equally important, since the security posture of a third party such as an identity provider directly determines which of your credentials can be stolen.

Implementing these measures is vital to safeguarding businesses against breaches and protecting their systems and customer data. As Cloudflare has demonstrated, rapid detection and swift, comprehensive remediation are essential to limiting the damage once an attacker is inside.
