Cloudflare Falls Victim to Okta Breach, Atlassian Systems Cracked

Published: 23/11/2024   Category: security




The cyberattackers, believed to be state sponsored, didn't get far into Cloudflare's global network, but not for lack of trying.



Cloudflare was a victim of the wide-ranging Okta supply-chain campaign last fall, with a data breach impacting its Atlassian Bitbucket, Confluence, and Jira platforms beginning on Thanksgiving Day.
"Based on our collaboration with colleagues in the industry and government, we believe that this attack was performed by a nation-state attacker with the goal of obtaining persistent and widespread access to Cloudflare's global network," the Internet security and DDoS protection company said in a blog on the Okta-related cyber incident, published yesterday.
Cloudflare worked with CrowdStrike and was able to determine that, after initial reconnaissance work, cyberattackers accessed its internal wiki (Confluence) and bug database (Jira) before establishing persistence on its Atlassian server. From there, the perpetrators poked around for places to pivot into, successfully puddle-hopping into the Cloudflare source code management system (Bitbucket) and an AWS instance.
"The analysis showed that the cyberattackers were looking for information about the configuration and management of our global network, and accessed various Jira tickets ... relating to vulnerability management, secret rotation, MFA bypass, network access, and even our response to the Okta incident itself," the blog said.
But they were largely shut out of other systems they tried, like a console server that had access to a dormant data center in São Paulo.
In all, the unknown assailants accessed some documentation and a limited amount of source code, but no customer data or systems, according to Cloudflare, thanks to network segmentation and the implementation of a zero-trust authentication approach that limited lateral movement.
Nonetheless, the firm erred on the side of caution: "We undertook a comprehensive effort to rotate every production credential (more than 5,000 individual credentials), physically segment test and staging systems, performed forensic triages on 4,893 systems, reimaged and rebooted every machine in our global network including all the systems the threat actor accessed and all Atlassian products (Jira, Confluence, and Bitbucket)."
"This…attack on one of the largest [software-as-a-service] companies…severely highlights the risks of supply chain attacks," says Tal Skverer, research team lead for Astrix Security. "In this breach, we again see how non-human access is abused by attackers to achieve high privilege access to internal systems which goes unmonitored. We also see how attackers are targeting both cloud, SaaS and also on-prem solutions to expand their access."
In October, Okta, the identity and access management services provider, disclosed that its customer support case management system was compromised, exposing sensitive customer data including cookies and session tokens, usernames, emails, company names, and more. Initially the company said that less than 1% of its customers were affected (134 in all), but in late November the company widened the number to a staggering 100%.
"They [achieved compromise] by using one access token and three service account credentials that had been taken, and that we failed to rotate, after the Okta compromise of October 2023," according to Cloudflare. "All threat actor access and connections were terminated on November 24 and CrowdStrike has confirmed that the last evidence of threat activity was on November 24 at 10:44."
An Okta spokesperson tells Dark Reading: "This is not a new incident or disclosure on the part of Okta. On Oct. 19, we notified customers, shared guidance to rotate credentials, and provided indicators of compromise (IoCs) related to the October security incident. We can't comment on our customers' security remediations."
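The root cause Cloudflare describes above is a rotation gap: credentials that existed before an upstream identity-provider compromise and were never replaced afterwards. The following is an added example, not Cloudflare's or Okta's code, of the kind of post-incident audit that catches such leftovers. The inventory, credential names and the cutoff date are constructed for illustration; a real run would read the inventory from the secrets manager or IdP export.

```python
from datetime import datetime, timezone

# Constructed cutoff: the date the upstream IdP compromise was disclosed.
# Any credential that existed before this date must be rotated after it.
INCIDENT_DISCLOSED = datetime(2023, 10, 19, tzinfo=timezone.utc)

# Constructed sample inventory with hypothetical credential ids.
# "rotated" is the last rotation timestamp, or None if never rotated.
INVENTORY = [
    {"id": "svc-atlassian-admin", "kind": "service_account",
     "issued": "2023-06-01T00:00:00Z", "rotated": "2023-10-20T09:00:00Z"},
    {"id": "svc-bitbucket-ci", "kind": "service_account",
     "issued": "2023-03-15T00:00:00Z", "rotated": None},
    {"id": "tok-confluence-api", "kind": "access_token",
     "issued": "2023-09-01T00:00:00Z", "rotated": "2023-10-10T00:00:00Z"},
    {"id": "tok-jira-bot", "kind": "access_token",
     "issued": "2023-11-01T00:00:00Z", "rotated": None},
]


def _parse(ts):
    """Parse an ISO-8601 UTC timestamp ('Z' suffix) or return None."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")) if ts else None


def unrotated_since(inventory, cutoff):
    """Return the ids of credentials that existed before `cutoff` and have
    not been rotated at or after it.  Credentials minted after the cutoff
    were never exposed by the incident and are skipped."""
    stale = []
    for cred in inventory:
        issued = _parse(cred["issued"])
        rotated = _parse(cred["rotated"])
        if issued >= cutoff:
            continue  # created after disclosure; not in the exposed set
        if rotated is None or rotated < cutoff:
            stale.append(cred["id"])  # exposed and never replaced since
    return stale


if __name__ == "__main__":
    for cred_id in unrotated_since(INVENTORY, INCIDENT_DISCLOSED):
        print(f"ROTATE: {cred_id}")
```

Note that a rotation performed before the cutoff (as with the constructed `tok-confluence-api`) does not count: the replacement value was itself in place when the upstream compromise happened.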
