Cloudflare Fends Off ‘Nation-State Attacker’



An October breach at Okta helped a hacker infiltrate internet infrastructure provider Cloudflare.

“Based on our collaboration with colleagues in the industry and government, we believe that this attack was performed by a nation state attacker with the goal of obtaining persistent and widespread access to Cloudflare’s global network,” the company said.

On Thursday, Cloudflare disclosed the incident, which it uncovered on Nov. 23, Thanksgiving Day. The company has since completed its investigation and found that the culprit accessed Cloudflare’s internal wiki, a bug database, and a “limited amount of source code.”

“Our security team immediately began investigating, cut off the threat actor’s access, and no Cloudflare customer data or systems were impacted,” the company said in the report. To confirm the findings, Cloudflare hired cybersecurity provider CrowdStrike.


The company also traced the attack to single sign-on provider Okta exposing customer support records to the hacker weeks earlier. The stolen records included cookies and session tokens for Okta clients, which can be exploited to impersonate valid users. In October, Cloudflare said it initially thwarted the hacker from trying to access its systems. To stamp out the threat, the company was also set to terminate all the session tokens exposed in the Okta breach.

But on Thursday, Cloudflare revealed that “unfortunately, we failed to rotate one service token and three service accounts (out of thousands) of credentials that were leaked during the Okta compromise.”

“The one service token and three accounts were not rotated because mistakenly it was believed they were unused. This was incorrect and was how the threat actor first got into our systems and gained persistence to our Atlassian products,” the company’s report added.

With access achieved, the hacker began probing Cloudflare’s systems on Nov. 14. But the compromised session tokens only gave the attacker limited access to company tools, such as Cloudflare’s internal wiki and bug database, hosted on its Atlassian servers. All other attempts to access Cloudflare’s dashboard and Okta instance were denied. On Nov. 22, the hacker also “tried, unsuccessfully, to access a console server that had access to the data center that Cloudflare had not yet put into production in São Paulo, Brazil.” Two days later, the company booted the hacker out of its systems.

“Analyzing the wiki pages they accessed, bug database issues, and source code repositories, it appears they were looking for information about the architecture, security, and management of our global network; no doubt with an eye on gaining a deeper foothold,” Cloudflare said.


In response, the company launched a “Code Red” effort to bolster its security protocols. This has included updating over 5,000 individual production credentials and reinstalling “every machine in our global network including all the systems the threat actor accessed and all Atlassian products.”

“The immediate ‘Code Red’ effort ended on January 5, but work continues across the company around credential management, software hardening, vulnerability management, additional alerting, and more,” the report added.

The company has also been reviewing whether the exposed source code contained vulnerabilities. Much of the code includes details of how Cloudflare’s global network is configured and how accounts are managed. However, the company says much of Cloudflare’s source code has already been made open to the public. “So our focus was not on someone having access to the source code, but whether that source code contained embedded secrets (such as a key or token) and vulnerabilities,” the company said.

The report ends by offering “indications of compromise” other clients of Okta can use to determine if their own systems may have come under assault. Back in November, Okta said the original breach affected 134 corporate customers.
