Intrusion Details
Cloudflare, a prominent cybersecurity firm, has disclosed a breach in which attackers gained access to its internal Atlassian environment using credentials stolen during an earlier security breach at Okta, a major identity provider.
Timeline of Events
The intrusion into the Atlassian environment was identified on November 23, 2023, and the intruders were evicted the following day. The attackers' goal was to gain persistent access to Cloudflare's global network.
Okta Security Breach Connection
In October, Okta suffered a widespread security breach affecting over 130 customers, in which attackers stole data that could be used to compromise those customers' organizations. Cloudflare, which uses Okta as an identity provider integrated with Cloudflare Access, was among the affected customers.
Hacker’s Access
Through the 2023 Okta compromise, the attackers obtained one service token and three sets of service account credentials. Okta initially characterized the stolen data as relatively low-risk, but it included session tokens that granted access to customer environments such as Cloudflare's.
Infiltration Tactics
Using the stolen credentials, the attackers accessed Cloudflare's systems, including the Confluence-based internal wiki and the Jira bug-tracking database, between November 14 and 17, 2023. Further access was identified on November 20 and 21, culminating in the establishment of a persistent presence on the Atlassian server via ScriptRunner for Jira.
Espionage Tactics
The attackers' interest in secrets and tokens is confirmed by their examination of 120 Bitbucket code repositories containing almost 12,000 files. The repositories mostly concerned backups, configuration, global network management, identity, remote access, Terraform, and Kubernetes. Some contained encrypted secrets, which Cloudflare promptly rotated.
Repelling the Attack
The attack was successfully repelled on November 24, 2023, after which Cloudflare assessed the damage and opened an investigation into the incident. The breach demonstrates that even well-known cybersecurity companies face sophisticated, persistent threats.