Cloudflare revealed that it was the target of a likely nation-state attack in which the threat actor leveraged stolen credentials to gain unauthorized access to its Atlassian server and ultimately access some documents and a limited amount of source code.
The intrusion, which occurred between November 14 and 24, 2023 and was detected on November 23, was carried out “with the goal of gaining persistent, widespread access to Cloudflare’s global network,” the web infrastructure company said, describing the actor as “sophisticated” and one who “operated in a thoughtful and methodical manner”.
As a precautionary measure, the company also said it has rotated more than 5,000 production credentials, physically segmented testing and staging systems, performed forensic triage on 4,893 systems, and reimaged and rebooted every machine in its global network.
The incident involved a four-day reconnaissance period to access the Atlassian Confluence and Jira portals, after which the attacker created an unauthorized Atlassian user account and established permanent access to the company's Atlassian server, ultimately gaining access to the Bitbucket source code management system via the Sliver Adversary Simulation Framework.
As many as 120 code archives were viewed, of which it is estimated that 76 were exfiltrated by the attacker.
“The 76 source code repositories were almost all related to how backups work, how the global network is configured and managed, how identity works on Cloudflare, remote access, and our use of Terraform and Kubernetes,” Cloudflare said.
“A small number of repositories contained encrypted secrets that were rotated immediately even though they themselves were strongly encrypted.”
The threat actor is then said to have unsuccessfully attempted to “access a console server that had access to the data center that Cloudflare had not yet put into production in Sao Paulo, Brazil.”
The attack was made possible using an access token and three service account credentials associated with Amazon Web Services (AWS), Atlassian Bitbucket, Moveworks, and Smartsheet that were stolen following the October 2023 hack of the Okta support case management system.
Cloudflare acknowledged that it did not rotate these credentials, incorrectly assuming they were unused.
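An added check, not code from Cloudflare or the article: given a credential inventory, it lists every credential that already existed when the upstream (Okta) compromise happened, as rotation candidates regardless of whether they look unused, and the subset with recorded use after that date, which warrants forensic review rather than rotation alone. The exposure date, the inventory entries and their timestamps are constructed assumptions; only the service names echo the article.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

UTC = timezone.utc


@dataclass(frozen=True)
class Credential:
    name: str
    issued_at: datetime
    # None means "no recorded use"; that may be a logging gap, not proof of non-use
    last_used: Optional[datetime]


# Assumed exposure date: the article only says the Okta support-system compromise
# was in October 2023, so the exact day is a placeholder.
OKTA_EXPOSURE = datetime(2023, 10, 20, tzinfo=UTC)


def triage(creds, exposure=OKTA_EXPOSURE):
    """Return (must_rotate, review_activity) as lists of credential names.

    must_rotate: every credential that existed at exposure time. A missing
    last-used timestamp is not a reason to skip it; treating "no recorded use"
    as "unused" is the assumption the article says went wrong.
    review_activity: the subset with recorded use on or after the exposure date,
    which needs forensic review (who used it, from where), not just rotation.
    """
    exposed = [c for c in creds if c.issued_at <= exposure]
    must_rotate = [c.name for c in exposed]
    review = [c.name for c in exposed
              if c.last_used is not None and c.last_used >= exposure]
    return must_rotate, review


# Constructed sample inventory: names echo the services named in the article,
# all dates are invented.
SAMPLE = [
    Credential("aws-service-account", datetime(2023, 3, 1, tzinfo=UTC), None),
    Credential("bitbucket-service-account", datetime(2023, 5, 2, tzinfo=UTC),
               datetime(2023, 11, 15, tzinfo=UTC)),
    Credential("moveworks-service-account", datetime(2023, 6, 9, tzinfo=UTC),
               datetime(2023, 9, 30, tzinfo=UTC)),
    Credential("smartsheet-service-account", datetime(2023, 7, 4, tzinfo=UTC),
               datetime(2023, 11, 22, tzinfo=UTC)),
    Credential("post-incident-token", datetime(2023, 11, 26, tzinfo=UTC),
               datetime(2023, 11, 27, tzinfo=UTC)),
]

if __name__ == "__main__":
    rotate, review = triage(SAMPLE)
    print("rotate:", rotate)
    print("review activity:", review)
```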
The company further said that it has taken measures to terminate all malicious connections originating from the threat actor on November 24, 2023. It has also brought in cybersecurity firm CrowdStrike to perform an independent assessment of the incident.
“The only production systems the threat actor could access using the stolen credentials was our Atlassian environment. By analyzing the wiki pages they had accessed, bug database issues, and source code archives, it appears that they were looking for information about the architecture, security and management of our global network,” Cloudflare said.