Thursday, July 4, 2024

Cloudflare Falls Victim to Okta Breach, Atlassian Systems Cracked

Cloudflare was a victim of the wide-ranging Okta supply-chain campaign last fall, with a data breach impacting its Atlassian Bitbucket, Confluence, and Jira platforms starting on Thanksgiving Day.

“Based on our collaboration with colleagues in the industry and government, we believe that this attack was performed by a nation-state attacker with the goal of obtaining persistent and widespread access to Cloudflare’s global network,” the Internet security and DDoS protection company said in a blog on the Okta-related cyber incident, published yesterday.

Cyberattackers Looked for Lateral Movement Options

Cloudflare worked with CrowdStrike and was able to determine that, after initial reconnaissance work, cyberattackers accessed its internal wiki (Confluence) and bug database (Jira) before establishing persistence on its Atlassian server. From there, the perpetrators poked around for places to pivot into, successfully island-hopping into the Cloudflare source code management system (Bitbucket) and an AWS instance.

The analysis showed that the cyberattackers were “looking for information about the configuration and management of our global network, and accessed various Jira tickets … related to vulnerability management, secret rotation, MFA bypass, network access, and even our response to the Okta incident itself.”

But they were largely shut out of other systems they tried, like a console server that had access to a dormant data center in São Paulo.

In all, the unknown assailants “accessed some documentation and a limited amount of source code,” but no customer data or systems, according to Cloudflare, thanks to network segmentation and the implementation of a zero-trust authentication approach that restricted lateral movement.

Nonetheless, the firm erred on the side of caution: “We undertook a comprehensive effort to rotate every production credential (more than 5,000 individual credentials), physically segment test and staging systems, performed forensic triages on 4,893 systems, reimaged and rebooted every machine in our global network including all the systems the threat actor accessed and all Atlassian products (Jira, Confluence, and Bitbucket).”

“This…attack on one of the largest [software-as-a-service] companies…severely highlights the risks of supply chain attacks,” says Tal Skverer, research team lead for Astrix Security. “In this breach, we again see how non-human access is abused by attackers to achieve high privilege access to internal systems which goes unmonitored. We also see how attackers are targeting both cloud, SaaS and also on-prem solutions to expand their access.”

Yet Another Okta Breach Victim

In October, Okta, the identity and access management services provider, disclosed that its customer support case management system was compromised, exposing sensitive customer data including cookies and session tokens, usernames, emails, company names, and more. Initially the company said that less than 1% of its customers were affected (134 in all), but in late November the company widened the number to a staggering 100%.

“They [achieved compromise] by using one access token and three service account credentials that had been taken, and that we failed to rotate, after the Okta compromise of October 2023,” according to Cloudflare. “All threat actor access and connections were terminated on November 24 and CrowdStrike has confirmed that the last evidence of threat activity was on November 24 at 10:44.”
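The failure Cloudflare describes, secrets exposed through a vendor's breach and then left unrotated, is something a defender can audit for. The following is an added example, not code from the article, Cloudflare or Okta: it flags inventory entries that were stored in the breached vendor system and were not rotated after the vendor's notice, then scans constructed authentication log lines for post-notice logins made with those stale secrets. Credential names, dates, the log format and the `vendor-support-case` label are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed for illustration: names, dates and log lines are assumptions,
# not data from Cloudflare's or Okta's disclosures.
INCIDENT_NOTIFIED = datetime(2023, 10, 19, tzinfo=timezone.utc)  # vendor notice date

@dataclass
class Credential:
    name: str
    kind: str           # "access_token" or "service_account"
    exposed_via: str    # system where the secret lived when the vendor was breached
    last_rotated: datetime

INVENTORY = [
    Credential("atlassian-api-token", "access_token", "vendor-support-case",
               datetime(2023, 8, 2, tzinfo=timezone.utc)),
    Credential("svc-bitbucket", "service_account", "vendor-support-case",
               datetime(2023, 9, 14, tzinfo=timezone.utc)),
    Credential("svc-ci-runner", "service_account", "vendor-support-case",
               datetime(2023, 10, 20, tzinfo=timezone.utc)),  # rotated after notice
    Credential("svc-monitoring", "service_account", "internal-vault",
               datetime(2023, 6, 1, tzinfo=timezone.utc)),    # never at the vendor
]

# Constructed auth-log lines: "<ISO time> actor=<credential> action=login src=<ip>"
AUTH_LOG = """\
2023-10-25T09:12:03Z actor=svc-ci-runner action=login src=10.0.4.7
2023-11-14T23:51:40Z actor=svc-bitbucket action=login src=203.0.113.9
2023-11-22T08:03:11Z actor=atlassian-api-token action=login src=203.0.113.9
2023-11-23T17:20:05Z actor=svc-monitoring action=login src=10.0.2.3
"""

def stale_credentials(inventory, exposed_via, notified_at):
    """Secrets that sat in the breached vendor system and were not rotated after the notice."""
    return {c.name for c in inventory
            if c.exposed_via == exposed_via and c.last_rotated <= notified_at}

def logins_with_stale_credentials(log_text, stale, notified_at):
    """Post-notice logins made with a still-unrotated secret: each is a session
    the stolen copy could have opened, so each needs to be investigated."""
    hits = []
    for line in log_text.splitlines():
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        if kv["actor"] in stale and when > notified_at:
            hits.append((when, kv["actor"], kv["src"]))
    return hits
```

On the constructed data, two of the four vendor-exposed secrets are stale and both show logins weeks after the notice, which is the gap the rotation step in a vendor-breach playbook is meant to close.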

An Okta spokesperson tells Dark Reading: “This is not a new incident or disclosure on the part of Okta. On Oct. 19, we notified customers, shared guidance to rotate credentials, and provided indicators of compromise (IoCs) related to the October security incident. We won’t comment on our customers’ security remediations.”
