UPDATED 19:15 EDT / FEBRUARY 01 2024

SECURITY

Cloudflare Atlassian server hacked by suspected nation-state attacker

Cloudflare Inc. disclosed today that one of its internal Atlassian servers was hacked by a suspected nation-state attacker in November and provided details of what occurred so others know the risks.

The hack in question was detected on Nov. 23, Thanksgiving Day in the U.S., with Cloudflare’s security team immediately cutting off the threat actor’s access and launching an investigation. Realizing that the breach was more than minor, Cloudflare brought in CrowdStrike Holdings Inc.’s forensic team on Nov. 26 to perform an independent analysis.

The release today includes the findings from the forensic team’s report. The report found that between Nov. 14 and 17, a threat actor undertook reconnaissance and then accessed Cloudflare’s internal wiki, which runs on Atlassian Corp.’s Confluence, and its bug database, which runs on Atlassian Jira. Further activity was found on Nov. 20 and 21, with the threat actor believed to have returned to test that its access still worked.

The threat actor then returned on Nov. 22 and established persistent access to the Atlassian server using ScriptRunner for Jira, gained access to Cloudflare’s source code management system, which uses Atlassian Bitbucket, and tried unsuccessfully to access a console server that had access to a data center in São Paulo, Brazil, that Cloudflare had not yet put into production.

Where it gets interesting is how the threat actor gained access. It did so using one access token and three service account credentials that had been compromised in the October breach of Okta Inc. To its credit, Cloudflare admits it was a mistake: it rotated credentials after the Okta hack but failed to rotate these four, which were believed to be unused. The lesson for practitioners is that a credential exposed in an upstream breach must be rotated whether or not it appears to be in use; "we think nobody uses it" is not evidence that nobody does. All threat actor access and connections were terminated on Nov. 24.
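As an added illustration that is not part of Cloudflare’s report or this article’s original text, the following Python script shows the kind of check that catches exactly this miss: it takes a secrets inventory, the date an upstream breach could have exposed each credential, and the last authentication seen in logs, then flags credentials that were never rotated after the exposure and, separately, credentials an owning team marked “unused” that the logs show are still live. The inventory schema, the credential names and the dates are constructed for the example; nothing here is Cloudflare’s data or tooling.

```python
"""Flag credentials exposed in an upstream (e.g. identity-provider) breach that
were never rotated afterwards.

Added example. The Credential schema, the sample names and all dates below are
constructed for illustration; they are not Cloudflare's inventory or tooling.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass
class Credential:
    name: str                          # label in the secrets inventory (hypothetical)
    kind: str                          # "access_token" or "service_account"
    exposed_at: datetime               # earliest time the upstream breach could have leaked it
    rotated_at: Optional[datetime]     # last rotation; None if never rotated
    last_used_at: Optional[datetime]   # last authentication seen in logs; None if never
    believed_unused: bool = False      # what the owning team asserts about it


def triage(inventory: List[Credential]) -> Dict[str, List[str]]:
    """Bucket every credential by what still has to happen to it.

    rotated        rotated after the exposure window opened: nothing to do
    rotate         not rotated since exposure and no use seen since: rotate anyway
    rotate_urgent  not rotated since exposure and it HAS authenticated since;
                   whoever holds the leaked value may be the one using it
    """
    out: Dict[str, List[str]] = {"rotated": [], "rotate": [], "rotate_urgent": []}
    for c in inventory:
        if c.rotated_at is not None and c.rotated_at > c.exposed_at:
            out["rotated"].append(c.name)
        elif c.last_used_at is not None and c.last_used_at > c.exposed_at:
            out["rotate_urgent"].append(c.name)
        else:
            out["rotate"].append(c.name)
    return out


def wrong_assumptions(inventory: List[Credential]) -> List[str]:
    """Credentials marked 'unused' by their owners that the logs show are live.

    'Believed unused' is precisely the reasoning that leaves a credential
    unrotated, so it is checked against observed use rather than trusted.
    """
    return [
        c.name
        for c in inventory
        if c.believed_unused
        and c.last_used_at is not None
        and c.last_used_at > c.exposed_at
    ]


def ts(s: str) -> datetime:
    """Parse an ISO date as a UTC-aware timestamp so comparisons never mix naive/aware."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample inventory. EXPOSED is a placeholder for the date the
# upstream breach could first have leaked these values; it is not a real date
# from the incident.
EXPOSED = ts("2023-10-18")
SAMPLE_INVENTORY: List[Credential] = [
    Credential("idp-admin-token", "access_token", EXPOSED, ts("2023-10-19"), ts("2023-10-15")),
    Credential("jira-svc", "service_account", EXPOSED, None, ts("2023-11-22"), believed_unused=True),
    Credential("bitbucket-svc", "service_account", EXPOSED, ts("2023-09-01"), ts("2023-11-20")),
    Credential("legacy-smtp-svc", "service_account", EXPOSED, None, ts("2023-08-01"), believed_unused=True),
]


if __name__ == "__main__":
    for bucket, names in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:14s} {names}")
    print("believed unused but live:", wrong_assumptions(SAMPLE_INVENTORY))
```

Run against the sample, the script puts jira-svc and bitbucket-svc in the urgent bucket (exposed, unrotated, and authenticating weeks after the exposure) and reports jira-svc as a credential whose owners were wrong about it being idle. The point of the two functions is that rotation decisions are driven by the exposure date and the authentication logs, never by the inventory’s own “unused” flag.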

Cloudflare notes that no customer data or systems were affected by the event. Cloudflare’s security controls, including access controls, firewall rules, hardware security keys and zero-trust tooling, limited the attacker’s ability to move laterally across the network. No services were interrupted and no changes needed to be made to global network systems or configurations.

The only data the threat actor was able to access during that time was on the Atlassian server. It was found that the attacker was looking for information about the architecture, security and management of Cloudflare’s global network, likely looking for a way to gain a deeper foothold.

In response to the attack, Cloudflare has now, out of an abundance of caution, rotated every production credential — more than 5,000 individual credentials — physically segmented its test and staging systems, performed forensic triage on 4,893 systems, and reimaged and rebooted every machine in its global network, including all Atlassian products — Jira, Confluence and Bitbucket.

“This was a security incident involving a sophisticated actor, likely a nation-state, who operated in a thoughtful and methodical manner,” Cloudflare concluded. “The efforts we have taken ensure that the ongoing impact of the incident was limited and that we are well-prepared to fend off any sophisticated attacks in the future.”

Photo: HaeB/Wikimedia Commons
