Cloudflare Suffers Security Breach After Failing to Rotate Okta Credentials


Cloudflare disclosed this week that its systems were breached in November 2023 by an attacker it believes to be a nation-state actor. The attacker gained access to Cloudflare's self-hosted Atlassian server and read internal documentation and source code.

According to Cloudflare, the threat actor began reconnaissance against the company's self-hosted Atlassian server on November 14th and, over the following days, accessed Cloudflare's Confluence wiki and Jira bug-tracking database.

On November 22nd, the attacker established persistent access to the Atlassian server using ScriptRunner for Jira. From there, the attacker gained access to Cloudflare's Bitbucket source code management system and made an unsuccessful attempt to reach a console server connected to a Cloudflare data center in São Paulo, Brazil, that had not yet been put into production.

The attacker gained entry using one access token and three service account credentials that had been taken during the Okta customer support system breach of October 2023. Cloudflare rotated thousands of credentials after that incident but did not rotate these four, having mistakenly judged them to be unused.
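The failure mode here is generic: after an upstream identity-provider compromise, every secret that existed in that system during the attacker's access window has to be treated as taken, and a secret with no recorded use is still a live secret. The following audit, written for this article as an added example and not Cloudflare's own tooling, walks a credential inventory and flags anything exposed by a compromise window that was neither revoked nor rotated after the window closed. The inventory format, the field names, the compromise dates and every sample record are constructed for illustration.

```python
"""Post-compromise credential rotation audit (added example, not Cloudflare's code).

Rule: a secret held in the compromised system is exposed if it existed at any
point up to the end of the attacker's access window. Only revocation, or a
rotation strictly AFTER the window closed, remediates it. Rotating inside the
window does not help, and "no recorded use" is not the same as "unused".
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Constructed assumption: the attacker had access to the upstream identity
# provider between these dates (illustrative, not the real Okta timeline).
COMPROMISE_START = date(2023, 10, 1)
COMPROMISE_END = date(2023, 10, 20)


@dataclass(frozen=True)
class Credential:
    cred_id: str
    kind: str                      # "access_token" | "service_account" | "user_password"
    stored_in: str                 # system that held the secret (constructed field name)
    created: date
    last_rotated: Optional[date]   # None = never rotated since creation
    last_used: Optional[date]      # None = no recorded use; NOT the same as revoked
    revoked: bool = False


@dataclass(frozen=True)
class Finding:
    cred_id: str
    severity: str   # "high" for machine credentials, "medium" for user passwords
    reason: str


def was_exposed(c: Credential) -> bool:
    """The secret existed (in its current or an earlier value) while the attacker had access."""
    return c.created <= COMPROMISE_END


def is_remediated(c: Credential) -> bool:
    """Only revocation or a rotation after the window closed removes the exposure."""
    if c.revoked:
        return True
    return c.last_rotated is not None and c.last_rotated > COMPROMISE_END


def audit(inventory: List[Credential], compromised_system: str) -> List[Finding]:
    """Return every exposed, unremediated credential, machine credentials first."""
    findings: List[Finding] = []
    for c in inventory:
        if c.stored_in != compromised_system or not was_exposed(c) or is_remediated(c):
            continue
        if c.last_rotated is None:
            rotation_note = "never rotated"
        elif c.last_rotated < COMPROMISE_START:
            rotation_note = f"last rotated {c.last_rotated}, before the exposure window"
        else:
            rotation_note = (f"rotated {c.last_rotated}, inside the exposure window "
                             "(new value may also be exposed)")
        usage_note = ("no recorded use: treat as live, not as unused"
                      if c.last_used is None else f"last used {c.last_used}")
        severity = "high" if c.kind in ("access_token", "service_account") else "medium"
        findings.append(Finding(c.cred_id, severity, f"{rotation_note}; {usage_note}"))
    order = {"high": 0, "medium": 1}
    return sorted(findings, key=lambda f: (order[f.severity], f.cred_id))


# Constructed sample inventory. Identifiers are invented; they mirror the shape of
# the incident (one token plus several service accounts that were never rotated)
# but are not Cloudflare's real credentials.
SAMPLE_INVENTORY = [
    Credential("tok-chatops-bot", "access_token", "okta", date(2022, 3, 1), None, None),
    Credential("svc-saas-sync", "service_account", "okta", date(2022, 6, 10), date(2023, 2, 1), date(2023, 11, 20)),
    Credential("svc-bitbucket-jira", "service_account", "okta", date(2021, 9, 5), None, None),
    Credential("svc-cloud-legacy", "service_account", "okta", date(2023, 10, 10), None, None),  # created inside window
    Credential("svc-ci-deploy", "service_account", "okta", date(2022, 1, 1), date(2023, 10, 15), date(2023, 11, 1)),  # rotated inside window
    Credential("pw-bob", "user_password", "okta", date(2023, 1, 1), None, date(2023, 11, 1)),
    Credential("pw-alice", "user_password", "okta", date(2023, 1, 1), date(2023, 10, 25), date(2023, 12, 1)),  # rotated after window
    Credential("svc-new", "service_account", "okta", date(2023, 11, 5), None, None),           # created after window
    Credential("tok-revoked", "access_token", "okta", date(2022, 1, 1), None, None, revoked=True),
    Credential("svc-vault-only", "service_account", "vault", date(2022, 1, 1), None, None),   # not in compromised system
]


if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY, "okta"):
        print(f"[{f.severity}] {f.cred_id}: {f.reason}")
```

Two of the flagged records are the ones a naive "rotate what's in use" pass misses: a credential rotated during the window (its new value could have been captured too) and credentials with no recorded use, which no owner is watching and which are therefore the most useful to an attacker.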

Cloudflare's security team detected the unauthorized activity on November 23rd, began investigating immediately, and severed the attacker's access the next morning. An outside forensics team was brought in on November 26th. As part of the response, Cloudflare rotated more than 5,000 production credentials, physically segmented test and staging systems, performed forensic triage on nearly 5,000 systems, and reimaged and rebooted every machine in its global network, including the Atlassian systems the attacker had accessed.

Cloudflare believes the attacker's goal was to obtain persistent and widespread access to its global network. By reviewing which wiki pages, bug tickets, and source code repositories were accessed, Cloudflare determined the attacker was gathering intelligence on the architecture, security, and management of the company's systems.

Of the 120 code repositories the attacker accessed, Cloudflare believes 76 were exfiltrated. These mostly concerned how backups work, how the global network is configured and managed, how identity and remote access work at Cloudflare, and the company's use of Terraform and Kubernetes. A small number contained encrypted secrets, which were rotated immediately even though they were strongly encrypted.

The company emphasized that no customer data or systems were impacted, and that none of Cloudflare's services or network configurations were altered. Cloudflare nonetheless treated the breach as very serious given the sensitivity of the internal information that was read.

Working with government agencies and industry peers, Cloudflare concluded the attack was highly targeted and carried out by a nation-state actor seeking persistent access to its global network.

This is the second Okta-related incident Cloudflare has disclosed in recent months. In October 2023, attackers breached Okta's customer support system and used an authentication token compromised there to access Cloudflare's Okta instance. No customer data was affected in that case either, but the November breach shows how a handful of credentials missed during post-incident rotation can be used weeks later.
