Cloudflare has revealed that it was the target of a likely nation-state attack in which the threat actor leveraged stolen credentials to gain unauthorized access to its Atlassian server and ultimately access some documentation and a limited amount of source code.
The intrusion, which took place between November 14 and 24, 2023, and was detected on November 23, was carried out “with the goal of obtaining persistent and widespread access to Cloudflare’s global network,” the web infrastructure company said, describing the actor as “sophisticated” and one who “operated in a thoughtful and methodical manner.”
As a precautionary measure, the company further said it rotated more than 5,000 production credentials, physically segmented test and staging systems, carried out forensic triages on 4,893 systems, and reimaged and rebooted every machine across its global network.
The incident involved a four-day reconnaissance period to access Atlassian Confluence and Jira portals, following which the adversary created a rogue Atlassian user account and established persistent access to its Atlassian server to ultimately obtain access to its Bitbucket source code management system by means of the Sliver adversary simulation framework.
As many as 120 code repositories were viewed, out of which 76 are estimated to have been exfiltrated by the attacker.
“The 76 source code repositories were almost all related to how backups work, how the global network is configured and managed, how identity works at Cloudflare, remote access, and our use of Terraform and Kubernetes,” Cloudflare said.
“A small number of the repositories contained encrypted secrets which were rotated immediately even though they were strongly encrypted themselves.”
The threat actor is then said to have unsuccessfully attempted to “access a console server that had access to the data center that Cloudflare had not yet put into production in São Paulo, Brazil.”
The attack was accomplished by using one access token and three service account credentials associated with Amazon Web Services (AWS), Atlassian Bitbucket, Moveworks, and Smartsheet that were stolen following the October 2023 hack of Okta’s support case management system.
Cloudflare acknowledged that it had failed to rotate these credentials, mistakenly assuming they were unused.
The company also said it took steps to terminate all malicious connections originating from the threat actor on November 24, 2024. It also engaged cybersecurity firm CrowdStrike to perform an independent assessment of the incident.
“The only production systems the threat actor could access using the stolen credentials was our Atlassian environment. Analyzing the wiki pages they accessed, bug database issues, and source code repositories, it appears they were looking for information about the architecture, security, and management of our global network,” Cloudflare said.