Tuesday, November 12, 2024
Homecyber securityCloudflare Server Compromised Due to Leaked Access Token in Okta Breach

Cloudflare Server Compromised Due to Leaked Access Token in Okta Breach

Published on

Malware protection

On November 23, 2023, Cloudflare detected a threat actor on the self-hosted Atlassian server. The attack was initiated using a single stolen access token and three compromised service account credentials, which were kept the same after the Okta compromise in October 2023.

The security team sought assistance from CrowdStrike’s Forensic team to investigate the security breach. On November 24, all connections and access privileges for the malicious actors were terminated.

“We want to emphasize to our customers that no Cloudflare customer data or systems were impacted by this event,” according to Cloudflare’s blog.

- Advertisement - SIEM as a Service

“We took this incident very seriously because a threat actor had used stolen credentials to get access to our Atlassian server and accessed some documentation and a limited amount of source code.”

Document
Run Free ThreatScan on Your Mailbox

AI-Powered Protection for Business Email Security

Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Try Trustifi Free Threat Scan with Sophisticated AI-Powered Email Protection .

Overview of the Incident

Threat actors were surveyed from November 14 to November 17. Following this, they gained access to the organization’s internal wiki, which was powered by Atlassian Confluence, and their bug database, which Atlassian Jira powered.

It was detected that on November 20 and 21, some unauthorized access was made to the system, which suggests that the intruders returned to test the connectivity. On November 22, they made a second visit and used ScriptRunner for Jira to gain persistent access to the Atlassian server.

The intruders managed to gain entry to the Atlassian Bitbucket source code management system. Additionally, they attempted to breach a console server connected to Cloudflare’s data center in São Paulo, Brazil. However, they failed to infiltrate the server as it was still in the testing phase.

“We failed to rotate one service token and three service accounts (out of thousands) of credentials that were leaked during the Okta compromise,” the company said.

A Moveworks service token can be used to access the Atlassian system remotely. In addition, a service account with administrative access to the Atlassian Jira instance is utilized by the SaaS-based Smartsheet application as a second credential.

The third credential was a Bitbucket service account used to access our source code management system. The fourth was an AWS environment with no access to the global network and no customer or sensitive data.

According to reports, the attack was likely carried out by a nation-state attacker seeking continuous, broad access to Cloudflare’s global network.

After analyzing the wiki pages they accessed, bug database issues, and source code repositories, it appears that they were searching for information about the company’s global network architecture, security, and management, possibly to gain a stronger foothold.

Over 130 IT access management business clients were affected by the Okta security breach in October, which included Cloudflare, and were impacted again in 2022 due to another Okta intrusion.

Remediation Effort

The company focused a significant portion of its technical staff, both inside and outside of the security team, on a single project – addressing the incident known as “Code Red.” 

As part of their efforts, they undertook a comprehensive process. This included rotating more than 5,000 individual credentials, physically segmenting test and staging systems, performing forensic triages on 4,893 systems, and reimaging and rebooting every machine in their global network, including all Atlassian products (Jira, Confluence, and Bitbucket) and all systems that the threat actor accessed. 

The primary goals of this effort were to confirm that the threat actor could not gain entry into the environment and to ensure that all controls were strengthened, verified, and corrected.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

10 Best DNS Management Tools – 2025

Best DNS Management Tools play a crucial role in efficiently managing domain names and...

Sweet Security Announces Availability of its Cloud Native Detection & Response Platform on the AWS Marketplace

Customers can now easily integrate Sweet’s runtime detection and response platform into their AWS...

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

Tor Network Suffers IP Spoofing Attack Via Non-Exit Relays

In late October 2024, a coordinated IP spoofing attack targeted the Tor network, prompting...