Last fall, Cloudflare announced it mitigated an attempted cyberattack stemming from the infamous Okta breach.
Cloudflare disclosed in a blog post that it had been breached by an unnamed nation-state threat actor using an access token and three service account credentials that were stolen during the Okta breach in October.
Cloudflare initially detected the attacker in its self-hosted Atlassian server on Thanksgiving Day and began investigating the breach, with later assistance from CrowdStrike.
The attack began on Oct. 18 and stemmed from the most recent Okta breach, in which a threat actor used stolen credentials to access a customer support case management system that contained HTTP Archive files.
The threat actor used session cookies contained in those files to impersonate valid users at several Okta customers, including Cloudflare, BeyondTrust and 1Password.
Cloudflare initially believed it had prevented the attempted attack.
Cloudflare said its Security Incident Response Team detected the intrusion and contained the attacker.
In Thursday's disclosure, Cloudflare executives admitted the threat actor had moved beyond the Okta instance and gained access to its self-hosted Atlassian server.
Cloudflare said the service token and service account credentials were not rotated because it was mistakenly believed they were unused.
TechTarget Editorial contacted Cloudflare for further comment, but the company had not responded at press time.
Cloudflare said the service token was for Moveworks, an AI startup, and provided remote access to the Atlassian server.
The third was for an AWS environment used for the Cloudflare Apps marketplace.
Cloudflare emphasized that Moveworks, Smartsheet and AWS were not at fault for the breach.
After obtaining the token and service credentials on Oct. 18, the threat actor appeared to pause activity before performing reconnaissance on Cloudflare systems on Nov. 14.
The threat actor tried to move laterally outside of the Atlassian server and attempted to access a non-production console server in Cloudflare's data center in São Paulo, Brazil, but those efforts failed.
The following day, Cloudflare removed the Sliver deployment and eliminated all the threat actor's access.
Cloudflare also reimaged and rebooted every machine in its global network and conducted forensic examinations on 4,893 systems.
One notable effort under Code Red involved Cloudflare's São Paulo data center, which was not yet in production.
Even though the threat actor failed to access the console server, Cloudflare returned all equipment in the data center to its manufacturer.
Cloudflare's breach disclosure is the latest in a series of incidents tied to Okta.
This Cyber News was published on www.techtarget.com. Publication date: Fri, 02 Feb 2024 19:43:03 +0000