TrollEye Security

Cloudflare Breached Using Credentials and Access Tokens Stolen From Recent Okta Breach

Details of The Story

Cloudflare, a leading internet security and performance company, has recently revealed a breach within its internal systems orchestrated by what is believed to be a nation-state attacker. This sophisticated cyber assault targeted Cloudflare’s internal Atlassian server, compromising the company’s Confluence wiki, Jira bug tracking database, and Bitbucket source code management system.

The initial breach occurred on November 14, when the attackers infiltrated Cloudflare’s self-hosted Atlassian server, laying the groundwork for further exploitation. The threat actors conducted reconnaissance before returning on November 22, when they established persistent access via ScriptRunner for Jira, gained entry to the Atlassian Bitbucket server, and attempted to reach a console server for a not-yet-operational data center in São Paulo, Brazil.

The attackers leveraged one access token and three service account credentials previously compromised in an October 2023 breach involving Okta, a major identity and access management company. Although the Okta breach exposed a large number of credentials, Cloudflare had not rotated these specific ones, and that oversight gave the attackers their way in.

Cloudflare’s detection systems alerted the company to the malicious activities on November 23, leading to the prompt severance of the attackers’ access by the morning of November 24. A comprehensive investigation ensued, spearheaded by Cloudflare’s cybersecurity forensics specialists on November 26.

In response to the breach, Cloudflare undertook a series of remediation measures. The company rotated over 5,000 production credentials, physically segregated its test and staging environments, conducted forensic analysis on 4,893 systems, and reimaged and rebooted all systems across its global network, including the compromised Atlassian servers. Although the attackers’ attempts against the São Paulo data center failed, Cloudflare also returned all of that facility’s equipment to the manufacturers as a precaution.

The breach, which Cloudflare has termed the “Cloudflare Thanksgiving breach,” did not impact customer data, services, or the integrity of its global network systems. The company emphasized the breach’s limited operational impact but acknowledged the seriousness of the incident, given the access obtained by the attackers to internal documentation and a limited amount of source code. Cloudflare believes the attack aimed to achieve persistent and widespread access to its global network, with the attackers seeking information on the network’s architecture, security, and management.

Cloudflare’s experience with cyber threats is not new. Prior to this incident, the company thwarted an attempt in August 2022 by attackers using stolen employee credentials, which failed because the attackers did not possess the company-issued FIDO2-compliant security keys required to log in. The recent breach highlights the relentless nature of cyber threats, particularly from nation-state actors, and underscores the importance of robust cybersecurity measures and quick incident response to safeguard critical infrastructure and sensitive information.
