Cloudflare has revealed that it was the target of a likely nation-state attack in which the threat actor leveraged stolen credentials to gain unauthorized access to its Atlassian server and ultimately access some documentation and a limited amount of source code.
The intrusion, which took place between November 14 and 24, 2023, and detected on November 23, was carried out “with the goal of obtaining persistent and widespread access to Cloudflare’s global network,” the web infrastructure company said, describing the actor as ” sophisticated” and one who “operated in a thoughtful and methodical manner.”
As a precautionary measure, the company further said it rotated more than 5,000 production credentials, physically disintegrated test and staging systems, performed forensic triage on 4,893 systems, reimaged and rebooted every machine in its global network.
The incident involved a four-day reconnaissance period to access Atlassian Confluence and Jira portals, following which the adversary created a rogue Atlassian user account and established persistent access to its Atlassian server to ultimately obtain access to the Bitbucket source code management system by means of the Sliver adversary simulation framework.
At least 120 code repositories were observed, of which 76 are estimated to have been infiltrated by the attacker.
“The 76 source code repositories were almost all related to how backups work, how the global network is configured and managed, how identities work on Cloudflare, remote access, and our use of Terraform and Kubernetes,” Cloudflare said.
“A very small number of repositories had encrypted secrets that were immediately rotated, even though they themselves were strongly encrypted.”
It is said that the threat actor “unsuccessfully attempted to access a console server that had access to a data center that Cloudflare had not yet put into production in Sao Paulo, Brazil.”
The attack was made possible by using one access token and three service account credentials associated with Amazon Web Services (AWS), Atlassian Bitbucket, Moveworks, and Smartsheet that were stolen following the October 2023 hack of Okta’s support case management system.
Cloudflare acknowledged that it had failed to turn over these credentials, mistakenly assuming they were not used.
The company also said it took steps to terminate all malicious connections originating from the threat actor on November 24, 2023. It also brought in cybersecurity firm CrowdStrike to conduct an independent assessment of the incident.
“The only production systems the threat actor could access using the stolen credentials was our Atlassian environment. Analyzing the wiki pages they accessed, bug database issues, and source code repositories, it appears they were looking for information about the architecture, security, and management of our global network,” Cloudflare said.
