Cloudflare falls victim to Okta breach, Atlassian systems breached

Cloudflare was a victim of Okta’s extensive supply chain campaign last fall, with a data breach impacting its Atlassian Bitbucket, Confluence, and Jira platforms starting on Thanksgiving Day.

“Based on our collaboration with industry and government colleagues, we believe this attack was executed by a domestic attacker with the goal of gaining persistent, widespread access to Cloudflare’s global network,” the company said in a blog post about the Okta-related cyber incident published yesterday.

Cyber attackers looked for lateral movement options

Cloudflare worked with CrowdStrike and was able to determine that, after initial reconnaissance work, the cyber attackers gained access to its internal wiki (Confluence) and bug database (Jira) before establishing persistence on its Atlassian server. From there, the attackers looked for places to pivot, successfully jumping into Cloudflare’s source code management system (Bitbucket) and an AWS instance.

The analysis showed that the cyber attackers were “seeking information about the configuration and management of our global network and accessed various Jira tickets… related to vulnerability management, secret rotation, MFA bypass, access to the network and even to our response to the Okta incident itself.”

But they were largely locked out of the other systems they tried, such as a console server with access to a dormant data center in Sao Paulo.

Overall, according to Cloudflare, the unknown attackers “gained access to some documents and a limited amount of source code,” but not customer data or systems, thanks to network segmentation and a zero-trust authentication approach that limited lateral movement.

Nonetheless, the company erred on the side of caution: “We undertook a global effort to rotate all production credentials (more than 5,000 individual credentials), physically segment test and staging systems, perform forensic triage on 4,893 systems, reimage and reboot every machine in our global network, including all systems that the threat actor accessed and all Atlassian products (Jira, Confluence and Bitbucket).”

“This… attack on one of the greatest [software-as-a-service] companies…severely highlights the risks of supply chain attacks,” says Tal Skverer, head of research at Astrix Security. “In this breach, we once again see how attackers abuse non-human access to gain highly privileged access to internal systems that goes unmonitored. We also see how attackers target both cloud, SaaS and on-premise solutions to expand their access.”

Yet another victim of the Okta breach

In October, Okta, the identity and access management services provider, revealed that its customer support case management system had been compromised, exposing sensitive customer data including cookies and session tokens, usernames, emails, company names, and more. The company initially said that less than 1% of its customers were affected (134 in total), but at the end of November it expanded the number to a staggering 100%.

“They [achieved compromise] using an access token and three service account credentials that were taken and that we were unable to rotate, following the October 2023 Okta compromise,” according to Cloudflare. “All threat actor logins and connections were discontinued on November 24 and CrowdStrike has confirmed that the latest evidence of threat activity was on November 24 at 10:44 am.”

An Okta spokesperson tells Dark Reading: “This is not a new incident or disclosure from Okta. On October 19, we notified customers, shared guidance for rotating credentials, and provided indicators of compromise (IoC) related to the October security incident. We cannot comment on our customers’ security solutions.”
