Teacher
Professional
Detailed analysis of the November Cloudflare security breach.
Cloudflare has disclosed details of an incident in which a suspected nation-state actor gained access to Cloudflare's self-hosted Atlassian systems using credentials stolen during the security breach at Okta in October 2023.
According to Cloudflare, the intrusion into its Atlassian environment was detected on November 23, 2023, and the intruders were evicted the next day. Company representatives say the goal of the attack was to obtain persistent access to Cloudflare's global network.
During the October Okta breach, which affected more than 130 of Okta's customers, the attackers stole data for use in follow-on intrusions at those organizations. Cloudflare was among those affected: it uses Okta as the identity provider integrated with Cloudflare Access, which fronts secure access to its internal resources.
According to Cloudflare management, the intruders searched for information about remote access, secrets and tokens, and viewed 36 Jira tickets (out of more than 2 million) relating to vulnerability management, secret rotation, MFA bypass, network access, and even the company's response to the Okta incident.
Cloudflare states that the attackers obtained one service token and three sets of service account credentials through the 2023 Okta compromise, credentials that Cloudflare had not rotated after that compromise. Okta initially claimed the stolen information was relatively harmless and usable only for phishing or social engineering. It turned out, however, that the stolen data included session tokens that granted access to the networks of companies like Cloudflare.
Using those credentials, the attackers accessed Cloudflare systems, including the internal Confluence wiki and the Jira bug database, between November 14 and 17, 2023. Further access was observed on November 20 and 21, after which the intruders established persistent access to the Atlassian server through the ScriptRunner for Jira plugin.
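The lesson of the two paragraphs above is that credentials exposed in an upstream identity-provider breach must be enumerated and rotated before the attacker returns with them, and that a successful login with an unrotated credential after the exposure date is itself a detection signal. The following Python script is an added example of that triage; it is not Cloudflare's tooling and not code from the original post. It assumes a constructed credential inventory with hypothetical names, an assumed exposure date, and a constructed key=value authentication log. It lists every credential not rotated since the exposure and flags each successful post-exposure use of those credentials, noting when the source address lies outside the networks the credential is expected to be used from.

```python
"""Post-incident credential triage after an upstream IdP compromise.

Added example. The inventory, exposure date and log lines below are all
constructed for illustration; the credential names are hypothetical.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import Iterator, List, Optional, Tuple


@dataclass(frozen=True)
class Credential:
    name: str
    kind: str                       # "service_token", "service_account" or "user"
    rotated_at: Optional[datetime]  # last rotation; None means never rotated
    allowed_cidrs: Tuple[str, ...]  # networks this credential is expected to be used from


def utc(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Assumed date on which the upstream IdP breach exposed everything in the inventory.
EXPOSURE_AT = utc("2023-10-18T00:00:00")

# Constructed inventory (hypothetical names, not any real organisation's credentials).
INVENTORY = [
    Credential("ci-deploy-token", "service_token",   utc("2023-10-20T09:00:00"), ("10.0.5.0/24",)),
    Credential("wiki-backup-svc", "service_account", None,                       ("10.0.9.0/24",)),
    Credential("repo-mirror-svc", "service_account", utc("2023-07-01T00:00:00"), ("10.0.9.0/24",)),
    Credential("alice",           "user",            utc("2023-10-19T12:00:00"), ("0.0.0.0/0",)),
]

# Constructed authentication log in a simple key=value format.
AUTH_LOG = """\
2023-11-02T08:14:10Z auth ok user=ci-deploy-token src=10.0.5.17 app=bitbucket
2023-11-14T21:07:55Z auth ok user=wiki-backup-svc src=10.0.9.4 app=confluence
2023-11-15T03:12:44Z auth ok user=wiki-backup-svc src=203.0.113.7 app=confluence
2023-11-15T03:14:02Z auth ok user=repo-mirror-svc src=203.0.113.7 app=bitbucket
2023-11-16T11:40:31Z auth ok user=alice src=198.51.100.23 app=jira
2023-11-20T02:55:19Z auth fail user=repo-mirror-svc src=203.0.113.9 app=jira
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+) app=(?P<app>\S+)$"
)


def needs_rotation(inventory: List[Credential], exposure_at: datetime = EXPOSURE_AT) -> List[str]:
    """Names of credentials that existed at exposure time and have not been rotated since.

    Anything in this list is still usable by whoever holds the stolen copy."""
    return sorted(c.name for c in inventory
                  if c.rotated_at is None or c.rotated_at <= exposure_at)


def parse_log(text: str) -> Iterator[dict]:
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield ev


def suspicious_uses(inventory: List[Credential], log_text: str,
                    exposure_at: datetime = EXPOSURE_AT) -> List[Tuple[str, str, str, str, bool]]:
    """Successful post-exposure logins with credentials that still need rotation.

    Each hit is (name, timestamp, source, app, source_expected). A False in the
    last field means the login came from outside the credential's allowed networks,
    which for a service account is the strongest sign the stolen copy is in use."""
    stale = {c.name: c for c in inventory if c.name in needs_rotation(inventory, exposure_at)}
    hits = []
    for ev in parse_log(log_text):
        cred = stale.get(ev["user"])
        if cred is None or ev["result"] != "ok" or ev["ts"] <= exposure_at:
            continue
        src = ip_address(ev["src"])
        expected = any(src in ip_network(n) for n in cred.allowed_cidrs)
        hits.append((cred.name, ev["ts"].isoformat(), ev["src"], ev["app"], expected))
    return hits


if __name__ == "__main__":
    print("rotate now:", needs_rotation(INVENTORY))
    for hit in suspicious_uses(INVENTORY, AUTH_LOG):
        print("post-exposure use of unrotated credential:", hit)
```

With the constructed data, the two service accounts come out as needing rotation, and the log shows both being used from 203.0.113.7, an address outside their expected networks, on the same night; the rotated CI token and the user account produce no hits. The check is deliberately independent of whether the login "succeeded normally": an unrotated credential being used at all after the exposure date is the event to investigate.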
The intruders' interest in secrets and tokens is also borne out by their viewing of 120 of the almost 12,000 code repositories in Bitbucket. The repositories mainly concerned how backups work, configuration and management of the global network, identity, remote access, and Terraform and Kubernetes. According to Cloudflare, some of them contained encrypted secrets; these were rotated immediately, even though they were strongly encrypted.
The attackers were evicted on November 24, 2023, after which the company began assessing the damage and investigating the incident. Alongside its own hardening work, Cloudflare engaged CrowdStrike for an independent assessment.
Cloudflare is treating the incident seriously despite its limited operational impact, and is working on credential management, software hardening and better alerting. The "Code Red" effort to remediate the breach concluded on January 5, 2024, but security improvements across the company continue.