Cloudflare's estate breached by suspected state-sponsored threat actors

The attackers used an unrotated access token and service account credentials obtained in an Okta breach in October


Internet security firm Cloudflare disclosed last week that it had detected and expelled suspected state-backed hackers who had broken into its internal systems in an attempt to reach its global network.

The intrusion was detected on US Thanksgiving Day, 23rd November, and underscores the persistent efforts of malicious actors to breach critical internet infrastructure.

Cloudflare's suite of web and application services, including content delivery and network protection, underpins a significant portion of the internet's infrastructure. Any disruption to its operations could reverberate across cyberspace, impacting countless online services reliant on Cloudflare's protective infrastructure.

The company detailed the incident on Thursday, outlining how it detected the intrusion on 23rd November and swiftly expelled the infiltrators.

Using the unrotated access token and service account credentials obtained in the Okta breach, the attackers began reconnaissance on 14th November, methodically probing Cloudflare's systems.

They used the stolen credentials to log into Cloudflare's internal wiki and bug database.

While the attackers successfully breached Cloudflare's AWS environment and Atlassian suite, including Jira and Confluence, network segmentation prevented further compromise, safeguarding sensitive assets.

The threat actors scoured the Atlassian suite, combing through 36 Jira tickets and 202 wiki pages. Notably, they sought details on remote access, secrets management and Cloudflare's network infrastructure.

Their activities culminated in the installation of the Sliver Adversary Emulation Framework on 22nd November, which gave them persistent access to the Atlassian server and a foothold from which to attempt lateral movement.

After detecting suspicious activity, the company responded, terminating unauthorised accounts, implementing firewall rules to block attacker IP addresses, and removing the adversaries' emulation framework.

Although the hackers managed to access "some documentation and a limited amount of source code," Cloudflare stressed that the operational impact remained "extremely limited."

"We want to emphasize to our customers that no Cloudflare customer data or systems were impacted by this event. Because of our access controls, firewall rules, and use of hard security keys enforced using our own Zero Trust tools, the threat actor's ability to move laterally was limited," the company said.

Cloudflare said that the breach did not extend to its global network, customer database, SSL keys or datacentres.

According to the company, the threat actor made unsuccessful attempts to access a console server in its newly established datacentre in São Paulo, Brazil, which had not yet been put into production.

In an abundance of caution, all equipment in the Brazil datacentre was returned to the manufacturers to ensure maximum security. The manufacturers' forensic teams examined all systems to verify that no unauthorised access or persistence had occurred.

"Nothing was found, but we replaced the hardware anyway," the company said.

Cloudflare brought in cybersecurity firm CrowdStrike to investigate and help remediate the attack. CrowdStrike's investigation confirmed that the last traces of "threat activity" dated from 24th November, providing assurance that the network had been secured against further compromise.

Cloudflare acknowledged the oversight in failing to change access credentials following the Okta breach, leading to the unauthorised access.
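The lapse described above, secrets that lived in a compromised third-party system and were never replaced, is exactly what a routine credential-inventory audit is meant to catch. The following Python is an added example written for this article, not Cloudflare's code or tooling: it runs a constructed inventory (hypothetical credential names and dates) against an assumed exposure date for the identity provider and reports every secret that must be presumed leaked, plus any secret that has outlived a maximum-age policy regardless of exposure.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Iterable


@dataclass(frozen=True)
class Credential:
    name: str           # hypothetical identifier, constructed for this example
    kind: str           # "access_token" or "service_account"
    issued: date        # when the secret was minted
    last_rotated: date  # last time the secret value was replaced
    exposed_via: str    # the system whose compromise could have leaked it


# Constructed inventory: names, dates and the "okta" label are illustrative,
# not taken from any real incident report.
SAMPLE_INVENTORY = [
    Credential("wiki-bot-token", "access_token", date(2023, 3, 2), date(2023, 3, 2), "okta"),
    Credential("ticketing-svc", "service_account", date(2022, 11, 9), date(2022, 11, 9), "okta"),
    # rotated three days after the exposure: clean
    Credential("scm-svc", "service_account", date(2023, 1, 15), date(2023, 10, 21), "okta"),
    # lives in a different secret store, untouched by this exposure
    Credential("payments-api-key", "access_token", date(2023, 6, 1), date(2023, 6, 1), "vault"),
    # minted after the exposure, so it never sat in the compromised system
    Credential("new-onboarding-token", "access_token", date(2023, 11, 2), date(2023, 11, 2), "okta"),
    # rotated on the exposure day itself: cannot prove the rotation postdates the leak
    Credential("cloud-env-token", "access_token", date(2021, 5, 5), date(2023, 10, 18), "okta"),
]

EXPOSURE = "okta"                    # assumed: the third party whose breach is being triaged
EXPOSURE_DATE = date(2023, 10, 18)   # assumed exposure date, constructed for the example
REVIEW_DATE = date(2023, 11, 23)     # assumed date on which the audit is run


def needs_rotation(cred: Credential, exposure: str, exposure_date: date) -> bool:
    """A secret is presumed leaked if it existed in the exposed system on the
    exposure date and has not been replaced strictly after that date.

    A rotation on the exposure day is treated as suspect, because the audit
    cannot tell whether it happened before or after the attacker's access."""
    return (
        cred.exposed_via == exposure
        and cred.issued <= exposure_date
        and cred.last_rotated <= exposure_date
    )


def unrotated_after(creds: Iterable[Credential], exposure: str, exposure_date: date) -> list[str]:
    """Names of every credential that must be rotated because of the exposure."""
    return sorted(c.name for c in creds if needs_rotation(c, exposure, exposure_date))


def rotation_report(
    creds: Iterable[Credential],
    exposure: str,
    exposure_date: date,
    today: date,
    max_age_days: int = 90,
) -> dict[str, str]:
    """Map each credential that needs action to the reason, checking exposure
    first and then a plain maximum-age policy for everything else."""
    report: dict[str, str] = {}
    for c in creds:
        if needs_rotation(c, exposure, exposure_date):
            report[c.name] = f"present in {exposure} at exposure on {exposure_date}"
        elif (today - c.last_rotated).days > max_age_days:
            report[c.name] = f"not rotated in over {max_age_days} days"
    return report


if __name__ == "__main__":
    for name, reason in sorted(rotation_report(SAMPLE_INVENTORY, EXPOSURE, EXPOSURE_DATE, REVIEW_DATE).items()):
        print(f"{name}: {reason}")
```

The two checks are deliberately separate: the exposure check answers "what did the attacker plausibly take?", while the age check catches secrets nobody was thinking about at all. In a real environment the inventory would come from the secret manager and the identity provider's own audit log rather than a hard-coded list, but the decision logic is the same.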

Cloudflare says it has since implemented rigorous security measures, including rotating more than 5,000 production credentials, physically segmenting test and staging systems, performing forensic triage on nearly 4,900 systems, and reimaging and rebooting every machine across its global network.