Cloudflare Breached: Credentials Used For Malicious Access
In a recent revelation, Cloudflare, a prominent networking giant, disclosed a security breach that occurred in late November, in which threat actors exploited stolen passwords to gain unauthorized access to sensitive information and systems. Senior executives at the company shared that a suspected nation-state attacker gained unauthorized access to Cloudflare’s systems using credentials stolen from Okta, a major single sign-on provider. The incident, detected on Thanksgiving Day, prompted an immediate investigation and response from Cloudflare’s security team.
Credential Theft In Cloudflare Incident
The Cloudflare security incident unfolded when Cloudflare identified a threat actor on its self-hosted Atlassian server. The security team swiftly initiated an investigation, cutting off the attacker’s access. Subsequently, on November 26, CrowdStrike’s Forensic team was engaged to conduct an independent analysis.
The investigation revealed that the threat actor conducted reconnaissance from November 14 to 17, accessing internal systems such as the company’s internal wiki and bug database. The hacker returned on November 20 and 21, successfully infiltrating Cloudflare’s source code management system.
It was discovered that the credentials used in this attack had been stolen during a widely publicized October breach at Okta.
Cloudflare Breached – Nature of the Attack
Cloudflare’s CEO, Matthew Prince, emphasized the seriousness of the incident despite its limited operational impact. The attacker, identified as a nation-state actor, aimed to obtain persistent and widespread access to Cloudflare’s global network. The company took immediate action to prevent any ongoing access by the threat actor to other systems.
Cloudflare Breach Response
To ensure the security of its systems, Cloudflare initiated a comprehensive effort to eliminate any persistent access the hackers might have had. The investigation, in collaboration with CrowdStrike, revealed that the attacker sought information about the architecture, security, and management of Cloudflare’s global network.
As part of its response, Cloudflare rotated approximately 5,000 production credentials and physically segmented test and staging systems. These measures were implemented to thwart any attempt by the attacker to leverage technical information about the network’s operations. Additionally, the company replaced hardware in a data center in São Paulo, where the hacker attempted malicious access to Cloudflare services.
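The rotation gap this incident turned on (credentials taken in the October Okta breach that were still valid in November) can be checked mechanically. The following is an added example written for this article, not Cloudflare’s tooling: it audits a constructed secrets inventory for credentials that predate a third-party compromise and have not been rotated since. The inventory entries, the breach date and the detection date are assumed placeholders, not figures from the article.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Credential:
    """One entry from a secrets inventory (service token, account password, API key)."""
    name: str
    kind: str
    issued: date
    last_rotated: Optional[date] = None   # None: never rotated since issuance

# Constructed sample inventory; names and dates are illustrative, not Cloudflare's.
INVENTORY = [
    Credential("wiki-sso-service-token", "service_token", date(2023, 3, 1)),
    Credential("scm-bot-account", "service_account", date(2023, 6, 12), date(2023, 9, 30)),
    Credential("bugdb-api-key", "api_key", date(2023, 8, 5), date(2023, 11, 2)),
    Credential("staging-deploy-key", "ssh_key", date(2023, 11, 10)),
]

# Assumed window: the upstream identity-provider compromise date and the day the
# intrusion was detected. Constructed placeholders, not dates from the article.
THIRD_PARTY_BREACH = date(2023, 10, 18)
INTRUSION_DETECTED = date(2023, 11, 23)

def unrotated_since(inventory, breach_date):
    """Credentials that existed at breach time and were not rotated afterwards.

    A credential counts as still exposed if it was issued on or before the
    breach date and has no rotation recorded after that date."""
    exposed = []
    for c in inventory:
        if c.issued > breach_date:
            continue                      # did not exist when the provider was breached
        if c.last_rotated is not None and c.last_rotated > breach_date:
            continue                      # already rotated after the breach
        exposed.append(c.name)
    return sorted(exposed)

def exposure_window_days(breach_date, detected_date):
    """Days an unrotated credential stayed usable between the upstream breach and detection."""
    return (detected_date - breach_date).days

if __name__ == "__main__":
    for name in unrotated_since(INVENTORY, THIRD_PARTY_BREACH):
        print(f"ROTATE: {name}")
    print(f"exposure window: {exposure_window_days(THIRD_PARTY_BREACH, INTRUSION_DETECTED)} days")
```

Anything the audit lists is a credential an attacker holding the upstream loot could still use; the window figure shows how long that remained true.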
Reflection on Okta’s Involvement
The stolen-credential attack reignited criticism of Okta over its handling of the October breach, in which unauthorized access to Cloudflare files associated with 134 Okta customers occurred. Cloudflare, along with other security companies, expressed dissatisfaction with Okta’s delayed response to that incident. Cloudflare stressed the importance of timely and responsible disclosure once a breach is identified.
Cloudflare had previously experienced a breach attempt in March 2022, attributed to a compromise of Okta’s systems. In that instance, however, Cloudflare’s security measures, including the use of hardware security keys for multi-factor authentication, prevented the threat actor from accessing its systems or data.
Lessons From the Cloudflare Breach
Cloudflare acknowledged the sophisticated nature of the breach, emphasizing the need for ongoing vigilance against nation-state actors. The company’s measures, such as credential rotation and hardware replacement, demonstrate a commitment to fortifying its security posture. Web security after an incident of this kind requires heightened vigilance and proactive measures to mitigate the remaining risk.
In light of the incident, Cloudflare reiterated the importance of swift and responsible action following a breach. The company’s stance emphasizes the need for collaboration between the industry and government to address cybersecurity challenges effectively.
Conclusion
The cybersecurity breach at Cloudflare serves as a reminder of the evolving threat landscape and the importance of robust cybersecurity measures. As businesses continue to face sophisticated attacks, collaboration, transparency, and proactive security measures are crucial for safeguarding sensitive information and maintaining business continuity. Cloudflare’s experience underscores the need for organizations to remain vigilant and continuously enhance their cybersecurity strategies to stay ahead of emerging threats.
The sources for this piece include articles in The Hacker News and Bleeping Computer.