Cloudflare, a leading web infrastructure provider, has publicly disclosed the details of a sophisticated nation-state attack that unfolded between November 14 and 24, 2023. The attackers, using stolen credentials, gained unauthorized access to Cloudflare’s Atlassian server, allowing them to read internal documentation and a limited amount of source code. Recognizing the severity of the incident, the company responded with a comprehensive remediation effort.
Anatomy of the Cloudflare Breach
The nation-state attack on Cloudflare displayed a high level of sophistication, beginning with a four-day reconnaissance period that targeted the Atlassian Confluence and Jira portals. During this phase, the threat actor created a rogue Atlassian user account to secure persistent access to the server. The intrusion’s ultimate goal was to compromise the Bitbucket source code management system, which the attacker pursued using the Sliver adversary simulation framework.
As a result of the attack, approximately 120 code repositories were accessed, with an estimated 76 believed to have been exfiltrated by the attackers. These repositories primarily contained information related to the workings of backups, the configuration and management of the global network, identity management at Cloudflare, remote access, and the company’s use of Terraform and Kubernetes. A noteworthy detail is that a small number of repositories contained encrypted secrets, which were promptly rotated despite their robust encryption.
The attackers, whose motive was likely to obtain persistent and widespread access to Cloudflare’s global network, obtained a range of sensitive information. This included insights into how backups function, the details of the global network’s configuration, and how identity is managed at Cloudflare. They also sought details on remote access and on the company’s use of Terraform and Kubernetes, among other topics.
Attack Was Initiated with One Compromised Access Token Only
The attack, which began with the compromise of just one access token and three service account credentials, exposed a significant lapse in credential rotation. These credentials, associated with Amazon Web Services (AWS), Atlassian Bitbucket, Moveworks, and Smartsheet, had been stolen during the October 2023 hack of Okta’s support case management system. Cloudflare acknowledged its oversight in failing to rotate them, having mistakenly assumed they were unused.
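As an added illustration of the rotation lapse described above (example code, not Cloudflare’s own tooling or anything from the original report), the following check treats every credential exposed in a third-party incident as requiring rotation after the exposure date, regardless of whether it appears unused. The credential names, dates and rotation records below are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Hypothetical placeholder for the date of the third-party incident
# that exposed the credentials (the page gives only "October 2023").
EXPOSURE_DATE = date(2023, 10, 1)


@dataclass
class Credential:
    name: str
    system: str
    last_rotated: Optional[date]  # None means the credential was never rotated
    last_used: Optional[date]     # None means no recorded use (looks "unused")


def needs_rotation(cred: Credential, exposure_date: date) -> bool:
    """An exposed credential is only safe if it was rotated strictly after
    the exposure date. Apparent non-use is deliberately NOT an exemption:
    a credential with no recorded use is still valid to an attacker."""
    return cred.last_rotated is None or cred.last_rotated <= exposure_date


def audit(creds: List[Credential], exposure_date: date) -> List[Tuple[str, str, str]]:
    """Return (name, system, finding) for every credential still needing rotation."""
    findings = []
    for c in creds:
        if needs_rotation(c, exposure_date):
            finding = "exposed-and-unused" if c.last_used is None else "exposed-in-use"
            findings.append((c.name, c.system, finding))
    return findings


# Constructed sample: the systems named on the page, with hypothetical records.
SAMPLE = [
    Credential("aws-deploy-key", "AWS", date(2023, 11, 2), date(2023, 10, 20)),     # rotated after exposure
    Credential("bitbucket-svc", "Bitbucket", date(2023, 6, 1), date(2023, 10, 25)),  # stale, in use
    Credential("moveworks-svc", "Moveworks", None, None),                            # never rotated, "unused"
    Credential("smartsheet-svc", "Smartsheet", date(2023, 9, 15), None),             # stale, "unused"
]

if __name__ == "__main__":
    for name, system, finding in audit(SAMPLE, EXPOSURE_DATE):
        print(f"{system}: {name} -> {finding}")
```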
Despite the severity of the incident, Cloudflare took swift action. More than 5,000 production credentials were rotated, test and staging systems were physically segmented, and forensic triage was conducted on 4,893 systems. All machines across Cloudflare’s global network were also reimaged and rebooted. The company additionally sought an independent assessment of the incident, engaging the cybersecurity firm CrowdStrike to perform a thorough evaluation.
Although the stolen credentials granted access only to Cloudflare’s Atlassian environment, the attackers combed through wiki pages, bug database issues, and source code repositories within it. Their focus was on gathering information about the architecture, security measures, and management of Cloudflare’s global network. The company is now reinforcing its security controls and applying the lessons of this attack to strengthen its defenses against similar threats in the future.