Sunday, February 23, 2025

Stolen Credentials Lead to Breach at Cloudflare Due to Failure to Rotate Them

Cloudflare revealed that its systems were compromised on Thanksgiving last year, resulting in source code being accessed by threat actors.

The company believes this attack, which took place on November 23, 2023, was carried out by a nation-state actor using credentials stolen during a breach of identity and access management (IAM) specialist Okta.

Cloudflare admitted that it “failed to rotate” the credentials stolen in the Okta breach. Fortunately, no customer data or systems were affected during the incident because of Cloudflare’s zero trust environment, which restricted the threat actor’s ability to move laterally. The attack was stopped on November 24, with all access and connections terminated.

How Were Cloudflare’s Systems Compromised?

During the Okta breach on October 18, 2023, the attackers stole one service token and three service account credentials belonging to Cloudflare. These provided access to various systems, including remote access to the firm’s Atlassian environment and administrative access to Cloudflare’s Atlassian Jira instance and source code management system. An AWS environment that had no access to the global network and contained no customer or sensitive data was also accessed.

These credentials were not rotated because they were mistakenly believed to be unused. The threat actor began probing for ways to access Cloudflare’s systems on November 14 using the stolen credentials.
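The failure described above is a specific one: a secret that is still valid is skipped during post-breach rotation because nobody has seen it used. The following audit is an added example, not Cloudflare’s code or tooling; it assumes a hypothetical credential inventory with issue, rotation and last-use dates (the sample entries are constructed) and uses only the Okta exposure date the article gives. The rule it encodes is that any credential issued before the end of the upstream exposure window and not rotated since must be rotated, and that a credential with no observed use is revoked rather than left alone, which is my own recommended handling, not something the article states.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class Credential:
    """One entry from a (hypothetical) secrets inventory."""
    cred_id: str
    kind: str                     # e.g. "service_token" or "service_account"
    issued_at: date
    rotated_at: Optional[date]    # date of last rotation, None if never rotated
    last_used_at: Optional[date]  # last observed use, None if no use was ever seen


@dataclass(frozen=True)
class Finding:
    cred_id: str
    action: str   # "rotate" or "revoke"
    reason: str


def audit_after_upstream_breach(inventory: List[Credential],
                                exposure_end: date) -> List[Finding]:
    """Flag every credential that could have been captured in an upstream
    (third-party) breach and is still usable.

    exposure_end is the last day the third party was compromised; anything
    that existed on or before that day is treated as exposed unless it was
    rotated strictly after it. "Never seen in use" is NOT a reason to skip:
    the secret still authenticates, so it is revoked instead of rotated.
    """
    findings: List[Finding] = []
    for c in inventory:
        if c.issued_at > exposure_end:
            continue  # created after the exposure window; could not have been stolen
        if c.rotated_at is not None and c.rotated_at > exposure_end:
            continue  # already rotated after exposure; the stolen value no longer works
        if c.last_used_at is None:
            findings.append(Finding(
                c.cred_id, "revoke",
                "no observed use, but still valid and exposed; revoke rather than assume unused"))
        else:
            findings.append(Finding(
                c.cred_id, "rotate",
                f"valid during exposure and not rotated since; last used {c.last_used_at.isoformat()}"))
    return findings


def ids_by_action(findings: List[Finding]) -> dict:
    """Group flagged credential ids by the action required."""
    grouped: dict = {}
    for f in findings:
        grouped.setdefault(f.action, []).append(f.cred_id)
    return grouped


# Date the article gives for the Okta breach; used here as the end of exposure.
EXPOSURE_END = date(2023, 10, 18)

# Constructed sample inventory (not real identifiers).
SAMPLE_INVENTORY = [
    Credential("svc-token-A", "service_token", date(2023, 6, 1), None, date(2023, 11, 1)),
    # The trap from the article: valid, exposed, but never observed in use.
    Credential("svc-acct-B", "service_account", date(2023, 1, 15), None, None),
    # Rotated after the exposure window: the stolen value is dead, nothing to do.
    Credential("svc-acct-C", "service_account", date(2023, 3, 1), date(2023, 10, 20), date(2023, 10, 30)),
    # Issued after the exposure window: could not have been captured.
    Credential("svc-acct-D", "service_account", date(2023, 11, 5), None, date(2023, 11, 10)),
    # Rotated on the exposure day itself: treated as exposed (conservative boundary).
    Credential("svc-acct-E", "service_account", date(2023, 2, 1), date(2023, 10, 18), date(2023, 10, 18)),
]


if __name__ == "__main__":
    for f in audit_after_upstream_breach(SAMPLE_INVENTORY, EXPOSURE_END):
        print(f"{f.action:7} {f.cred_id}: {f.reason}")
```

The boundary handling is deliberate: a rotation performed on the same day the exposure ended is still flagged, because the inventory cannot tell whether the rotation happened before or after the attacker's last read. When in doubt, the cost of one extra rotation is far lower than the cost of leaving a captured secret alive.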

The company treated the 76 source code repositories downloaded by the attackers as exfiltrated.

Cloudflare Detection and Remediation

The threat actor was detected on November 23, prompting Cloudflare’s security team to deactivate the affected accounts and remove the tool used by the attacker.

Cloudflare revealed that the threat actor tried to access other systems on its network, but its presence was limited to the Atlassian suite. This meant no customer data or systems were accessed. To prevent the attackers from finding a new way back in, the firm undertook a comprehensive remediation effort, including the rotation of over 5000 individual credentials and forensic triage of 4893 systems.

Suspected Nation-State Intrusion

The sophisticated and methodical nature of the attack suggests the perpetrator was a nation-state attacker. Based on its collaboration with colleagues in industry and government, Cloudflare believes that this attack was carried out by a nation-state attacker with the aim of obtaining persistent and widespread access to Cloudflare’s global network.
