The impact of the massive Okta data breach lingers, continuing to provide an opportunistic terrain for hackers. Cloudflare, a prominent player in internet infrastructure and security, now faces the aftermath as it fell victim to a cyberattack.
On February 2, 2024, the company disclosed that individuals suspected to be state-sponsored threat actors utilized pilfered Okta credentials, successfully breaching Cloudflare’s defenses.
While the security team successfully thwarted the threat and protected sensitive data from being exposed, the Cloudflare cyberattack highlights two key points: firstly, that no one is immune, and secondly, it emphasizes the effectiveness of a resilient defense system in containing and preventing the spread of an attack.
This comprehensive analysis provides a deeper view into the technical intricacies of the Cloudflare cyberattack, revealing strategic maneuvers employed by the threat actors.
Despite their attempts to infiltrate Cloudflare’s Atlassian environment, swift responses, termination of compromised accounts, and collaboration with the forensic team ensured minimal impact on customer data.
Decoding the Cloudflare Cyberattack: The Technical Side of the Intrusion
The Cloudflare cyberattack attempt initially began when the threat actor started creating Atlassian accounts for persistent access and installing the Sliver Adversary Emulation Framework. Despite the intrusion and accessing the non-operational console server with 120 repositories, no data exfiltration occurred during the attack.
Cloudflare’s response on November 23, terminating the Smartsheet service account and creating a user account, turned out to be pivotal development. Implementing firewall rules, removing the framework on November 24, and leveraging their security infrastructure stopped the threat actor’s attempts. Importantly, no evidence suggested access beyond the Atlassian suite.
In response to this cyberattack on Cloudflare, the American IT company initiated security enhancements on November 24, rotating over 5,000 credentials and triaging nearly 5,000 systems.
In a blog post shared on February 2nd, Cloudflare concluded that no customers’ data was harmed by this cyber intrusion. “We want to emphasize to our customers that no Cloudflare customer data or systems were impacted by this event. Because of our access controls, firewall rules, and use of hard security keys enforced using our own Zero Trust tools, the threat actor’s ability to move laterally was limited, reads the blog post.
The Okta Data Breach Connection
The genesis of the cyberattack can be traced back to the compromise of Okta in October, setting the stage for a sophisticated nation-state actor to launch an attack on Cloudflare in mid-November.
The threat actor’s meticulous reconnaissance from November 14 to 17 involved unauthorized access to Cloudflare’s internal wiki and bug database. Leveraging stolen credentials from the Okta breach, the threat actor secured persistent access on November 22.
In the aftermath of the Okta security incident disclosed in October 2023, Okta Security revisited its initial analysis, uncovering fresh details that could impact customer security.
The threat actor, responsible for the breach, ran a report on September 28, 2023, containing names and email addresses of all Okta customer support system users. While no sensitive personal data or user credentials were exposed, the risk of phishing and social engineering attacks targeting Okta customers is heightened.
David Bradbury, Chief Security Officer at Okta, emphasized the organization’s commitment to fight online threats and protect customers in the face of cybersecurity challenges. However, despite no sensitive data being leaked in the breach, the threat actor had already started attacking attacking new victims via social engineering.
The Cloudflare cyberattack was a direct product of the Okta breach. On November 24, both Cloudflare’s security team and CrowdStrike’s Forensic team engaged in an investigation into the nation-state threat actors, adding an extra layer of scrutiny to ensure a comprehensive understanding of the incident.
Security Measures and Collaborative Efforts: The Code Red Project
Despite the threat actor’s attempt for a cyberattack on Cloudflare, the company’s formidable security infrastructure stood firm. No customer data or services were compromised, highlighting the efficacy of Cloudflare’s access controls, firewall rules, and the utilization of hard security keys within their Zero Trust framework. The collaboration with CrowdStrike not only provided validation but also exemplified the importance of multi-faceted responses to cyber threats.
The launch of the “Code Red” Remediation Project on November 27 marked a critical phase in Cloudflare’s response. Encompassing a substantial portion of the technical staff, this initiative focused on fortifying controls within the environment. Over 5,000 production credentials underwent rotation, and forensic triages were conducted on nearly 4,900 systems to ensure a thorough denial of access to the threat actor.
The primary target of the threat actor was Cloudflare’s Atlassian environment, where they gained access to documentation and a limited amount of source code. Notably, their attempt to access a console server in the São Paulo, Brazil data center was thwarted, showcasing the efficacy of Cloudflare’s non-enforced ACLs.
In-depth scrutiny of 76 source code repositories revealed the threat actor’s focus on network configuration, identity management, and Cloudflare’s use of Terraform and Kubernetes. A meticulous examination of these repositories formed a significant part of the “Code Red” effort, aiming to prevent any potential exploitation of technical information about Cloudflare’s network operations.
Conclusion and Ongoing Vigilance
Following this nation-state-sponsored Cloudflare cyberattack, the American company extends gratitude to its team members for their prompt response, especially during the Thanksgiving holiday. The conclusion of the “Code Red” effort on January 5 signifies a significant milestone in securing Cloudflare’s systems.
However, the company remains vigilant, actively engaging in ongoing work on credential management, software hardening, vulnerability management, and enhanced alerting capabilities. To assist other organizations in verifying whether the threat actor accessed their systems, Cloudflare has shared Indications of Compromise (IOCs).
These include IP addresses and file hashes associated with the primary threat actor’s infrastructure. Organizations, especially those impacted by the Okta breach, can utilize these IOCs to bolster their security measures and ensure the threat actor’s absence from their systems.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
