According to Cloudflare, it was the victim of a possible nation-state assault in which a threat actor used credentials that had been stolen to access its Atlassian server without authorization. From there, it was able to obtain some documentation and a small quantity of source code.
The web infrastructure provider described the actor as “sophisticated” and one who “operated thoughtfully and methodically.” The intrusion occurred between November 14 and 24, 2023, and was discovered on November 23. It was carried out “to obtain persistent and widespread access to Cloudflare’s global network,” the company said.
The company added that it physically segmented test and staging systems, rotated over 5,000 production credentials, performed forensic triage on 4,893 computers, and, as a precaution, reimaged and rebooted every device on its worldwide network.
After a four-day reconnaissance period during which it accessed the Atlassian Confluence and Jira portals, the adversary created a rogue Atlassian user account and gained persistent access to the Atlassian server. From there it eventually deployed the Sliver adversary simulation framework and gained access to the Bitbucket source code management system.
Out of the 120 code repositories accessed, 76 are thought to have been exfiltrated by the attacker.
“The 76 source code repositories were almost all related to how backups work, how the global network is configured and managed, how identity works at Cloudflare, remote access, and our use of Terraform and Kubernetes,” stated Cloudflare.
“A small number of the repositories contained encrypted secrets which were rotated immediately even though they were strongly encrypted themselves.”
The company also said the threat actor attempted, unsuccessfully, to “access a console server that had access to the data center that Cloudflare had not yet put into production in São Paulo, Brazil.”
The attack was made possible by one access token and three service account credentials, connected to Atlassian Bitbucket, Amazon Web Services (AWS), Moveworks, and Smartsheet, that were stolen when Okta’s support case management system was breached in October 2023.
Cloudflare acknowledged that it had neglected to rotate these credentials because it had assumed they were not in use.
The company added that on November 24, 2023, it took action to cut off all malicious connections from the threat actor. CrowdStrike, a cybersecurity company, was also engaged to conduct an independent analysis of the incident.
“Our Atlassian environment was the only production system that the threat actor was able to access with the credentials they had acquired. It appears they were searching for information regarding the design, security, and administration of our worldwide network, according to an analysis of the wiki sites they visited, bug database problems, and source code repositories,” Cloudflare said.