
Nation-state actor used recent Okta compromises to hack into Cloudflare systems

Among the stolen credentials was a Moveworks service token that granted remote access to Atlassian systems. Other compromises included a Smartsheet account with administrative access to the Atlassian Jira instance, a Bitbucket service account with access to the Cloudflare source code management system, and an AWS environment with “no access to the global network and no customer or sensitive data.”

“From November 14 to 17, the threat actor did reconnaissance and then accessed our internal wiki (which uses Atlassian Confluence) and our bug database (Atlassian Jira),” Cloudflare added. “They then returned on November 22 and established persistent access to our Atlassian server using ScriptRunner for Jira, gained access to our source code management system (which uses Atlassian Bitbucket), and tried, unsuccessfully, to access a console server that had access to the data center that Cloudflare had not yet put into production in São Paulo, Brazil.”

The company added that the incident was in no way an error on the part of Atlassian, AWS, Moveworks, or Smartsheet, and occurred because it did not rotate the stolen credentials, assuming they were unused.


Cloudflare said it was able to completely contain and remove the infection owing to its adoption of a zero-trust architecture.

“Because of our access controls, firewall rules, and use of hard security keys enforced using our own Zero Trust tools, the threat actor’s ability to move laterally was limited,” the company said. “No services were implicated, and no changes were made to our global network systems or configuration.”

Acknowledging that the attack was aimed at establishing persistence, and concerned that some persistence mechanism might have been missed, Cloudflare undertook a comprehensive remediation effort, with additional proactive steps against future attacks.
