Cyber Affairs
Cloudflare’s Server Hacked Using Leaked Access Token

by admin
Feb 2, 2024
in News

Cloudflare discovered a threat actor on its self-hosted Atlassian server on November 23, 2023. The attacker used one stolen access token and three compromised service account credentials that Cloudflare had not rotated following the October 2023 Okta compromise.

To analyze the incident, the security team engaged CrowdStrike’s Forensic team. On November 24, all of the threat actor’s connections and access were cut off.

“We want to emphasize to our customers that no Cloudflare customer data or systems were impacted by this event,” according to Cloudflare’s blog.



“We took this incident very seriously because a threat actor had used stolen credentials to get access to our Atlassian server and accessed some documentation and a limited amount of source code.”

On Thanksgiving Day, November 23, 2023, Cloudflare detected a threat actor on our self-hosted Atlassian server. Our security team immediately began investigating, cut off the threat actor’s access, and no Cloudflare customer data or systems were impacted. https://t.co/sL5glOqDIZ

— Cloudflare (@Cloudflare) February 1, 2024

Overview of the Incident

The threat actor conducted reconnaissance from November 14 to November 17, after which they gained access to Cloudflare’s internal wiki (powered by Atlassian Confluence) and bug database (powered by Atlassian Jira).

Cloudflare saw further access on November 20 and 21, indicating the threat actor may have come back to test access and confirm they had connectivity.

On November 22, the threat actor returned and used ScriptRunner for Jira to gain persistent access to the Atlassian server.

They also gained access to the source code management system, which uses Atlassian Bitbucket, and made an unsuccessful attempt to access a console server that was connected to the data center in São Paulo, Brazil, where Cloudflare was still testing.

“We failed to rotate one service token and three service accounts (out of thousands) of credentials that were leaked during the Okta compromise,” the company said.

The first was a Moveworks service token that allowed remote access to the Atlassian system. The second credential was a service account used by the SaaS-based Smartsheet application that had administrative access to the Atlassian Jira instance.

The third credential was a Bitbucket service account that was used to access Cloudflare’s source code management system; the fourth was for an AWS environment that had no access to the global network and no customer or sensitive data.

According to information provided to Cyber Security News, the attack was likely carried out by a nation-state attacker seeking continuous, broad access to Cloudflare’s global network.

Upon examining the wiki pages they visited, bug database issues, and source code repositories, it seems they were searching for details regarding the architecture, security, and management of the company’s worldwide network—possibly to establish a stronger foothold.

Notably, more than 130 customers of the IT access management business were affected by the Okta security breach that occurred in October. Cloudflare was among them, and it had also been impacted in 2022 by a separate Okta intrusion.

The company redirected a large percentage of its technical staff, inside and outside the security team, to a single project: the effort to address the incident, known as “Code Red.”

“We undertook a comprehensive effort to rotate every production credential (more than 5,000 individual credentials), physically segment test and staging systems, performed forensic triages on 4,893 systems, reimaged and rebooted every machine in our global network including all the systems the threat actor accessed and all Atlassian products (Jira, Confluence, and Bitbucket),” the company said.

The main goals were to confirm that the threat actor could not enter the environment and to make sure that all controls in the environment were strengthened, verified, and corrected.



Copyright © 2022 Cyber Affairs. All rights reserved.
