Cloudflare Attack

Cloudflare revealed today (Feb 1st 24) that its internal Atlassian server experienced a breach by a suspected 'nation state attacker' who infiltrated its Confluence wiki, Jira bug database, and Bitbucket source code management system. The breach occurred on November 14, with the attacker gaining initial access to Cloudflare's self-hosted Atlassian server. Subsequently, the intruder accessed the company's Confluence and Jira systems on November 22 after an initial reconnaissance phase.

According to Cloudflare CEO Matthew Prince, CTO John Graham-Cumming, and CISO Grant Bourzikas, the attackers established persistent access to the Atlassian server using ScriptRunner for Jira on November 22. They also managed to access the source code management system (utilising Atlassian Bitbucket) and attempted, unsuccessfully, to access a console server linked to the São Paulo data center, which was not yet in production.

The attackers utilised one access token and three service account credentials stolen during a prior compromise related to Okta's breach in October 2023. Despite Cloudflare's failure to rotate these credentials, the company detected malicious activity on November 23 and terminated the hacker's access by the morning of November 24. Forensic investigation by cybersecurity specialists commenced on November 26.

In response to the breach, Cloudflare's staff rotated over 5,000 production credentials, segregated test and staging systems, conducted forensic analysis on nearly 4,900 systems, and re-imaged and rebooted all systems across the global network, including Atlassian servers. Although the threat actors attempted to breach Cloudflare's São Paulo data center, these efforts were unsuccessful. Cloudflare ensured the data center's security by returning all equipment to manufacturers.

Remediation efforts concluded on January 5th, with ongoing efforts in software hardening and credential and vulnerability management. Cloudflare assured that the breach did not compromise customer data or systems, nor did it affect its services or global network configuration.

Prince, Graham-Cumming, and Bourzikas emphasised the seriousness of the incident, attributing it to a nation state attacker aiming for persistent access to Cloudflare's global network. Analysis of accessed wiki pages, bug database issues, and source code repositories indicated an interest in the network's architecture, security, and management. Cloudflare's Okta instance was previously breached on October 18, 2023, with attackers gaining access to files of 134 customers, including Cloudflare. However, the company's swift response contained the impact on its systems and data, with no adverse effects on customer information or systems.

Additionally, an August 2022 attempt to breach Cloudflare's systems using stolen employee credentials was thwarted due to the absence of company-issued FIDO2-compliant security keys.

Are you working with CloudFlare or one of their products? Check you're secure with our external pen test services.