
Cloudflare’s Atlassian systems breached in nation-state attack

Exterior view of Cloudflare headquarters in San Francisco.

Cloudflare reported Feb. 1 that it was the victim of a nation-state attack on its Atlassian systems following last fall’s Okta breach.

While the attack started in October when Okta was compromised, Cloudflare said in a blog post that the bad actor started targeting its systems with the Okta credentials in mid-November — credentials that should have been rotated.

“Unfortunately, we failed to rotate one service token and three service accounts (out of thousands) of credentials that were leaked during the Okta compromise,” wrote the Cloudflare researchers.
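The failure described above is an inventory problem: out of thousands of credentials exposed in a third-party compromise, a few were never re-issued. The following is an added example (not Cloudflare's or Okta's code) of the audit a defender would run after such a disclosure: every service token or service account that existed before the end of the exposure window and has not been rotated since is flagged for revocation. The credential names, timestamps and the exposure-window date are constructed placeholders, not the real timeline.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

UTC = timezone.utc


@dataclass(frozen=True)
class Credential:
    name: str
    kind: str                         # "service_token" or "service_account"
    created: datetime
    last_rotated: Optional[datetime]  # None if never rotated since creation


def still_exposed(cred: Credential, exposure_end: datetime) -> bool:
    """True when the credential must be treated as compromised.

    A credential is exposed if it existed at any point before the exposure
    window closed and was not re-issued after that point. Rotation before or
    inside the window does not help: the value in use during the window is
    what leaked.
    """
    if cred.created > exposure_end:
        return False              # issued after the leak; never exposed
    last_issued = cred.last_rotated or cred.created
    return last_issued <= exposure_end


def unrotated(inventory, exposure_end: datetime):
    """Sorted names of credentials that still need rotation or revocation."""
    return sorted(c.name for c in inventory if still_exposed(c, exposure_end))


def summarize(inventory, exposure_end: datetime):
    """Count of still-exposed credentials by kind (e.g. 1 token, 3 accounts)."""
    counts = {}
    for c in inventory:
        if still_exposed(c, exposure_end):
            counts[c.kind] = counts.get(c.kind, 0) + 1
    return counts


# Constructed sample data; the window end is a placeholder date, not Okta's.
EXPOSURE_END = datetime(2023, 10, 20, tzinfo=UTC)
INVENTORY = [
    Credential("svc-token-a", "service_token", datetime(2023, 6, 1, tzinfo=UTC), None),
    Credential("svc-token-b", "service_token", datetime(2023, 6, 1, tzinfo=UTC), datetime(2023, 10, 25, tzinfo=UTC)),
    Credential("svc-acct-1", "service_account", datetime(2023, 1, 10, tzinfo=UTC), datetime(2023, 9, 1, tzinfo=UTC)),
    Credential("svc-acct-2", "service_account", datetime(2023, 1, 10, tzinfo=UTC), datetime(2023, 10, 15, tzinfo=UTC)),
    Credential("svc-acct-3", "service_account", datetime(2023, 3, 3, tzinfo=UTC), None),
    Credential("svc-acct-4", "service_account", datetime(2023, 11, 1, tzinfo=UTC), None),
]

if __name__ == "__main__":
    print(unrotated(INVENTORY, EXPOSURE_END), summarize(INVENTORY, EXPOSURE_END))
```

Note that `svc-acct-2` is flagged even though it was rotated in October: a rotation inside the exposure window replaces one leaked value with another.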

Cloudflare’s researchers said from Nov. 14 to 17, the threat actor accessed Cloudflare’s “internal wiki,” which uses Atlassian Confluence, and the cloud provider’s bug database — Atlassian Jira.

According to the researchers, the threat actor returned on Nov. 22 and established persistent access to Cloudflare’s Atlassian server using ScriptRunner for Jira, from which it reached Cloudflare’s source code management system. Over the next day, the threat actor viewed 120 code repositories; for 76 of them, it used the Atlassian Bitbucket git archive feature to download the repository contents to the Atlassian server.

“Even though we were not able to confirm whether or not they had been exfiltrated, we decided to treat them as having been exfiltrated,” wrote the researchers. “The 76 source code repositories were almost all related to how backups work, how the global network is configured and managed, how identity works at Cloudflare, remote access, and our use of Terraform and Kubernetes.”

CrowdStrike, which was brought in to assist in the remediation efforts, confirmed that the last evidence of threat activity was on Nov. 24 at 10:44 UTC.

What does the loss of 76 repos mean?

The loss of 76 code repositories is worrisome at best, noted Pat Arvidson, chief strategy officer at Interpres Security. Arvidson said the attack by a likely nation-state actor means the actor is highly resourced with the ability to conduct long-term analysis of the repositories.

“An ounce of prevention is worth a pound of cure,” said Arvidson. “It would have been better if the breach never occurred. The nation-state is surely scrubbing those repositories for either zero-days, or will attempt to re-insert them into the supply chain with backdoors.”

John Bambenek, president at Bambenek Consulting, added that Cloudflare’s report offers a great deal of transparency, shows many strong elements of its response, and takes responsibility for the one failure that led to the compromise: not rotating the credentials that were exposed in the Okta breach.

“This highlights the general needs of organizations to be concerned with third-party risk, and how difficult it can be to truly implement a firewall from compromises in those third-parties, from spreading into other organizations,” explained Bambenek. “It isn’t great that the compromise took nine days to discover, however, the methodical and ‘low and slow’ approach of the threat actor certainly didn’t help. What’s encouraging in this report is how Cloudflare owns the oversights and lays out changes of how to further secure their environment in the future.”
