Cloudflare suspected of being attacked by state-sponsored hacker group

Cloudflare has disclosed that it was the target of a suspected nation-state attack in which the attackers used stolen credentials to gain unauthorized access to its Atlassian servers and ultimately reached some internal documentation and a limited amount of source code.

1. Overview of the attack

Between November 14 and 24, 2023, Cloudflare was the target of a security intrusion; the anomalous activity was detected on November 23. The intrusion aimed to obtain "sustained and widespread access to Cloudflare's global network," and the company described the attackers as "sophisticated and professional," operating in a "meticulous and organized" manner.

2. Details of the attacker's actions

After four days of reconnaissance of the Atlassian Confluence and Jira portals, the attackers created a rogue Atlassian user account, established persistent access to the server with the Sliver adversary emulation framework, and eventually reached the Bitbucket source code management system.

3. Cloudflare's emergency response

Cloudflare took preventive measures, including rotating more than 5,000 production credentials, physically isolating and segmenting its test systems, forensically analyzing 4,893 systems, and reimaging and rebooting every machine in the global network.

4. Scope of the attack

The attackers are estimated to have viewed up to 120 code repositories, 76 of which are believed to have been exfiltrated. Cloudflare said that almost all of these repositories related to backup operations, configuration and management of the global network, Cloudflare's authentication mechanisms, remote access, and its use of Terraform and Kubernetes.

5. Countermeasures and security enhancements

Cloudflare admitted an oversight in failing to rotate the credentials mentioned above, having mistakenly believed they were not in use. The company also stated that it had severed all malicious connections from the threat actor on November 24, 2023, and engaged the cybersecurity company CrowdStrike to conduct an independent assessment.

6. Analysis of the attacker's objectives and behavior

According to Cloudflare's analysis, the only production system the attacker was able to reach with the stolen credentials was its Atlassian environment. Judging from the wiki pages, bug-tracker issues, and source code repositories the attackers accessed, they appear to have been looking for information about the architecture, security, and management of Cloudflare's global network.

7. Investigation and disposal measures

The attackers also attempted to access a console server with access to one of Cloudflare's not-yet-in-production data centers in São Paulo, Brazil. The attack was made possible by one access token and three service-account credentials, associated with AWS, Atlassian Bitbucket, Moveworks, and Smartsheet, that had been stolen in October 2023 in the compromise of the Okta support case management system.
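The lesson of the unrotated credentials above is that a post-breach rotation audit must be driven by whether a credential existed at the time of the third-party compromise, not by whether someone believes it is unused. The check below is an added illustration, not Cloudflare's own tooling: it audits a constructed credential inventory against an assumed breach date, flags every credential that existed at that date and has not been rotated since, and treats a "believed unused" label as a prompt to look for post-breach activity rather than a reason to skip rotation. All names, dates and fields are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Credential:
    name: str                        # constructed label, not a real secret
    provider: str
    issued: date                     # when the credential was created
    last_rotated: Optional[date]     # None if never rotated
    believed_unused: bool            # what the inventory owner thinks
    last_seen_used: Optional[date]   # last authentication log evidence, if any

# Placeholder for the October 2023 third-party breach date (assumed value).
BREACH_DATE = date(2023, 10, 1)

# Constructed inventory; provider names follow the incident write-up, values are invented.
INVENTORY: List[Credential] = [
    Credential("aws-deploy-key", "AWS", date(2023, 5, 2), date(2023, 10, 5), False, None),
    Credential("bitbucket-svc", "Atlassian Bitbucket", date(2023, 2, 10), None, True, date(2023, 11, 14)),
    Credential("moveworks-svc", "Moveworks", date(2023, 7, 19), date(2023, 7, 19), True, None),
    Credential("smartsheet-token", "Smartsheet", date(2023, 9, 1), None, False, date(2023, 9, 30)),
    Credential("post-breach-key", "AWS", date(2023, 10, 15), None, False, None),
]

def needs_rotation(cred: Credential, breach_date: date) -> bool:
    """A credential that existed at the breach and was not rotated afterwards
    is treated as compromised, regardless of whether it is believed unused."""
    existed_at_breach = cred.issued <= breach_date
    rotated_after = cred.last_rotated is not None and cred.last_rotated > breach_date
    return existed_at_breach and not rotated_after

def audit(inventory: List[Credential], breach_date: date) -> List[Tuple[str, str]]:
    """Return (name, reason) for every credential still exposed after the breach."""
    findings = []
    for cred in inventory:
        if not needs_rotation(cred, breach_date):
            continue
        if cred.believed_unused and cred.last_seen_used and cred.last_seen_used > breach_date:
            reason = "marked unused but has activity after the breach"
        elif cred.believed_unused:
            reason = "marked unused; rotate anyway, belief is not evidence"
        else:
            reason = "not rotated since breach"
        findings.append((cred.name, reason))
    return findings

if __name__ == "__main__":
    for name, reason in audit(INVENTORY, BREACH_DATE):
        print(f"ROTATE {name}: {reason}")
```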

Cloudflare has taken a number of technical measures to ensure the threat actor cannot regain access to company systems, and continues to investigate to confirm that no persistent access remains.

Although the equipment in the São Paulo data center was not accessed during this incident, the company returned it to the manufacturer for inspection and replaced it to ensure the integrity of the systems.

The in-depth findings of Cloudflare and CrowdStrike showed that the threat actor's activity was limited to the systems observed, and the company has no evidence of access to the global network, customer databases, configuration information, data centers, SSL keys, customer-deployed Workers, or any other information outside the Atlassian suite and its servers.

Original article by Chief Security Officer; if reproduced, please credit https://www.cncso.com/en/cloudflare-hacker-group-attacks-threats.html
