Cloudflare reported today that its internal Atlassian server was hacked by a suspected "state-sponsored attacker", who gained access to Confluence wiki, Jira bug database, and Bitbucket source code management system.
The attacker first gained access to Cloudflare's own Atlassian server on November 14, then, after conducting reconnaissance, gained access to Cloudflare's Confluence and Jira systems.
They then returned on November 22 and established persistent access to our Atlassian server using ScriptRunner for Jira, gained access to our source code management system (which uses Atlassian Bitbucket), and unsuccessfully attempted to access a console server that had access to a data center that Cloudflare had not yet brought online in São Paulo, Brazil.
According to Cloudflare CEO Matthew Prince, CTO John Graham-Cumming, and CSO Grant Burzikas
For accessing its systems, the attackers used one access token and three accounts stolen during a previous compromise related to the Okta breach (which is a vital part of the cybersecurity systems of large corporations) in October 2023, which Cloudflare failed to recover, Bleeping Computer reports.
Cloudflare discovered malicious activity on November 23, cut off the hacker's access on the morning of November 24, and three days later, on November 26, its cybersecurity specialists began an investigation.
While investigating the incident details, Cloudflare employees rotated all production account data (over 5,000 unique accounts), physically segmented test and staging systems, forensically sorted 4,893 systems, created a new image and rebooted all systems in the company's global network, including all Atlassian servers (Jira, Confluence, and Bitbucket) and machines accessed by the intruder.
The remediation work was completed almost a month ago, on January 5, but the company states that its employees are still working on strengthening the software, as well as on managing account data and vulnerabilities.
On Thanksgiving Day, November 23, 2023, Cloudflare detected a threat actor on our self-hosted Atlassian server. Our security team immediately began investigating, cut off the threat actor's access, and no Cloudflare customer data or systems were impacted. https://t.co/sL5glOqDIZ
— Cloudflare (@Cloudflare) February 1, 2024
The company claims that this breach did not affect Cloudflare's customer data or systems, its services, global network systems, or configuration were also not impacted.
Based on our collaboration with industry and government colleagues, we believe this attack was carried out by a nation-state attacker aimed at obtaining persistent and broad access to the Cloudflare global network.
By analyzing the pages they accessed, issues with the bug database and source code repositories, it seems they were looking for information on the architecture, security, and management of our global network, undoubtedly with the aim of gaining a deeper foothold.
Comments (0)
There are no comments for now