Cloudflare has uncovered that it was the goal of a probable nation-state attack in which the risk actor leveraged stolen qualifications to attain unauthorized access to its Atlassian server and eventually accessibility some documentation and a confined sum of resource code.
The intrusion, which took location amongst November 14 and 24, 2023, and detected on November 23, was carried out “with the intention of acquiring persistent and prevalent obtain to Cloudflare’s world-wide network,” the web infrastructure corporation mentioned, describing the actor as “complex” and one who “operated in a considerate and methodical way.”
As a precautionary measure, the organization further mentioned it rotated additional than 5,000 manufacturing qualifications, bodily segmented exam and staging methods, carried out forensic triages on 4,893 techniques, reimaged and rebooted every single device across its international network.
The incident included a four-day reconnaissance interval to accessibility Atlassian Confluence and Jira portals, adhering to which the adversary designed a rogue Atlassian user account and founded persistent accessibility to its Atlassian server to in the long run acquire obtain to its Bitbucket supply code management technique by implies of the Sliver adversary simulation framework.
As a lot of as 120 code repositories were viewed, out of which 76 are estimated to have been exfiltrated by the attacker.
“The 76 resource code repositories were virtually all associated to how backups get the job done, how the world network is configured and managed, how id is effective at Cloudflare, distant obtain, and our use of Terraform and Kubernetes,” Cloudflare explained.
“A smaller variety of the repositories contained encrypted secrets and techniques which have been rotated quickly even although they have been strongly encrypted by themselves.”
The danger actor is then reported to have unsuccessfully attempted to “obtain a console server that experienced obtain to the info heart that Cloudflare experienced not nonetheless set into manufacturing in São Paulo, Brazil.”
The attack was achieved by building use of just one access token and three provider account qualifications associated with Amazon Web Solutions (AWS), Atlassian Bitbucket, Moveworks, and Smartsheet that have been stolen adhering to the Oct 2023 hack of Okta’s guidance circumstance management method.
Cloudflare acknowledged that it experienced unsuccessful to rotate these qualifications, mistakenly assuming they were unused.
The corporation also said it took techniques to terminate all destructive connections originating from the danger actor on November 24, 2024. It also associated cybersecurity business CrowdStrike to complete an impartial assessment of the incident.
“The only output units the threat actor could access using the stolen qualifications was our Atlassian atmosphere. Examining the wiki pages they accessed, bug database issues, and source code repositories, it seems they have been wanting for details about the architecture, security, and administration of our world network,” Cloudflare said.
Observed this post intriguing? Follow us on Twitter and LinkedIn to read through far more exceptional written content we article.
Some components of this post are sourced from: