Dive Brief:
- An identity-based attack Cloudflare previously declared contained and without impact turned out to have a longer tail. The threat actor that got into Cloudflare’s Okta environment in mid-October regained access to some of the content delivery network’s internal systems in mid-November, the company said Thursday in a blog post.
- The threat actor used one service token and three service account credentials that Cloudflare failed to rotate after its Okta environment was exposed by an early October attack against Okta, the company said. The Okta incident ultimately exposed data on all of the single sign-on provider’s customer support system clients.
- “We want to emphasize to our customers that no Cloudflare customer data or systems were impacted by this event,” CEO Matthew Prince, CTO John Graham-Cumming and CSO Grant Bourzikas said in the blog post.
Dive Insight:
The follow-on attack at Cloudflare grew out of the October 2023 compromise of Okta’s customer support system, the second Okta compromise to affect Cloudflare. That exposure allowed a threat actor to obtain credentials belonging to some of Okta’s customers, Cloudflare among them.
The content delivery network and cybersecurity firm thwarted two earlier attacks involving Okta in 2022: a breach of an Okta support engineer’s system in January 2022, and a phishing campaign in August 2022 that used a spoofed Cloudflare Okta login page, which three employees fell for.
“The one service token and three accounts were not rotated because mistakenly it was believed they were unused. This was incorrect and was how the threat actor first got into our systems and gained persistence to our Atlassian products,” Cloudflare’s executives said in the blog post.
The threat actor, which Cloudflare and its incident response firm CrowdStrike believe to be a nation-state attacker, accessed multiple Cloudflare systems including:
- The company’s Atlassian server, where the threat actor searched Jira tickets about vulnerability management, secrets rotation, multifactor authentication bypass, network access and Cloudflare’s response to the Okta incident.
- Cloudflare’s source code management system in Atlassian Bitbucket, where the threat actor viewed 120 code repositories, 76 of which Cloudflare believes were exfiltrated.
- The company’s internal wiki on Atlassian Confluence.
- An AWS environment used to power the Cloudflare Apps marketplace, which was segmented with no access to Cloudflare’s global network or customer data.
The threat actor started reconnaissance and gained access to Cloudflare’s systems on Nov. 14. Cloudflare was alerted to the threat actor’s presence on its systems on Nov. 23, and the company detected and deactivated multiple malicious accounts over the course of that day.
“All threat actor access and connections were terminated on Nov. 24 and CrowdStrike has confirmed that the last evidence of threat activity was on Nov. 24,” Cloudflare said.
Once the threat was contained and removed from Cloudflare’s environment, the company said it redirected significant technical staff resources to investigate the intrusion and harden its systems.
“Even though we believed, and later confirmed, the attacker had limited access, we undertook a comprehensive effort to rotate every production credential” spanning more than 5,000 individual credentials, Cloudflare said.
The company said it also physically segmented test and staging systems, performed forensic triages on 4,893 systems, and reimaged and rebooted every machine in its global network.
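The two rotation passages above, the four credentials that went unrotated because they were “believed unused” and the later rotation of every production credential, come down to one scoping rule: after an identity-provider compromise, rotate by exposure (did the credential exist while the attacker had access?), never by assumed usage, and audit that assumption against your own authentication logs. The following is an added Python example written for this page; it is not Cloudflare’s code and uses no Okta or Atlassian API. The credential inventory, log format, principal names and dates are all constructed for illustration.

```python
"""Scope a credential rotation after an identity-provider compromise.

Added example, not Cloudflare's code. Encodes two rules:
  1. Every credential that existed before containment is in scope for
     rotation, regardless of whether anyone believes it is still in use.
  2. The "believed unused" flag in an inventory is a claim to be audited
     against authentication logs; a supposedly unused credential that
     authenticates after the exposure began is a persistence indicator.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import re


@dataclass(frozen=True)
class Credential:
    name: str              # principal as it appears in auth logs
    kind: str              # e.g. "service_token", "service_account"
    created: datetime      # when the credential was issued
    believed_unused: bool  # the inventory owner's assumption


def utc(s):
    """Parse an ISO-8601 timestamp with a trailing Z as aware UTC."""
    return datetime.fromisoformat(s.replace("Z", "+00:00")).astimezone(timezone.utc)


# Constructed dates for the example (not the incident's real timeline).
EXPOSURE_START = utc("2023-10-18T00:00:00Z")  # IdP compromise believed to begin
CONTAINMENT = utc("2023-10-20T00:00:00Z")     # IdP incident declared contained

# Constructed credential inventory.
INVENTORY = [
    Credential("okta-svc-token", "service_token", utc("2023-06-01T00:00:00Z"), True),
    Credential("atlassian-svc-acct", "service_account", utc("2023-03-15T00:00:00Z"), True),
    Credential("legacy-report-acct", "service_account", utc("2022-08-01T00:00:00Z"), True),
    Credential("ci-deploy-bot", "service_account", utc("2023-01-10T00:00:00Z"), False),
    Credential("post-incident-token", "service_token", utc("2023-11-30T00:00:00Z"), False),
]

# Constructed auth-log lines in a hypothetical format:
# "<ISO timestamp> auth ok principal=<name> src=<ip>"
SAMPLE_LOG = """\
2023-09-01T08:00:00Z auth ok principal=legacy-report-acct src=10.0.0.9
2023-11-14T09:12:03Z auth ok principal=okta-svc-token src=198.51.100.7
2023-11-20T01:00:00Z auth ok principal=ci-deploy-bot src=10.0.0.5
2023-11-22T23:59:10Z auth ok principal=okta-svc-token src=198.51.100.7
garbage line that should be ignored
"""

LOG_RE = re.compile(r"^(\S+) auth ok principal=(\S+) src=(\S+)$")


def parse_auth_log(text):
    """Return {principal: sorted list of successful-auth timestamps}."""
    seen = {}
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unrelated or malformed line
        seen.setdefault(m.group(2), []).append(utc(m.group(1)))
    return {name: sorted(ts) for name, ts in seen.items()}


def rotation_scope(inventory, auth_log, exposure_start, containment):
    """Return which credentials to rotate and which inventory beliefs are wrong.

    rotate:          existed before containment, so potentially exposed
    inventory_wrong: flagged "unused" but present in the auth log at all
    suspect:         flagged "unused" yet authenticated after exposure began
    """
    seen = parse_auth_log(auth_log)
    rotate, wrong, suspect = [], [], []
    for cred in inventory:
        if cred.created > containment:
            continue  # issued after containment: not exposed by this incident
        rotate.append(cred.name)  # exposure, not usage, decides rotation
        uses = seen.get(cred.name, [])
        if cred.believed_unused and uses:
            wrong.append(cred.name)
            if any(t >= exposure_start for t in uses):
                suspect.append(cred.name)
    return {"rotate": sorted(rotate), "inventory_wrong": sorted(wrong),
            "suspect": sorted(suspect)}


def run_example():
    return rotation_scope(INVENTORY, SAMPLE_LOG, EXPOSURE_START, CONTAINMENT)


if __name__ == "__main__":
    for key, names in run_example().items():
        print(f"{key}: {names}")
```

Note that atlassian-svc-acct never appears in the log and still lands in the rotation set: absence from the logs you happen to have is not evidence that a credential is unused, which is exactly the assumption that failed here. The suspect list is what a responder triages first, since a credential nobody thinks is in use authenticating after the IdP compromise is the signature of an attacker reusing an unrotated secret.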
“We are confident that between our investigation and CrowdStrike’s, we fully understand the threat actor’s actions and that they were limited to the systems on which we saw their activity,” Cloudflare said.