Cloudflare revealed that it was the target of a probable nation-state attack, in which the attackers used stolen credentials to gain unauthorized access to its Atlassian server and, to cut a long story short, managed to read extensive internal documentation and even part of the service's source code (not all of it was taken), effectively making it, at least in part, open source to an unknown party.
When trying to reach some sites you have probably noticed this company's name at some point, and it matters here because Cloudflare runs much of the infrastructure behind many of the most popular sites on the internet.
Cloudflare's statements about the breach of its systems
The intrusion, which took place between November 14 and 24, 2023 and was detected on November 23, was carried out “with the goal of gaining persistent and widespread access to Cloudflare's global network”, the web infrastructure company stated, describing the actor as “sophisticated” and operating “in a thoughtful and methodical manner.”
As a precautionary measure, the company said it rotated over 5,000 production credentials, physically isolated testing and staging systems, performed forensic triage on 4,893 systems, and reset and rebooted every machine across its entire global network.
The incident involved a four-day reconnaissance period to access the Atlassian Confluence and Jira portals, after which the unknown attacker (or attackers) created a user account on the Atlassian platform and then established persistent access to the Atlassian server, ultimately gaining access to the Bitbucket source code management system via the Sliver adversary simulation framework.
What is known about what happened after the fake account was created is that up to 120 code repositories were viewed, of which 76 are estimated to have been exfiltrated by the attacker.
“76% of the code repositories were almost entirely related to operating backups, configuring and managing the global network, how identity works in Cloudflare, remote access, and our use of Terraform and Kubernetes”, Cloudflare said, adding that “A small number of repositories contained encrypted secrets that were rotated immediately, even though they were already heavily encrypted.”
It is believed that the attacker then unsuccessfully attempted to “access a console server that had access to the data center that Cloudflare had not yet put into production in São Paulo, Brazil”.
The attack was carried out using one access token and three service account credentials, for Amazon Web Services (AWS), Atlassian Bitbucket, Moveworks, and Smartsheet, stolen following the October 2023 hack of Okta's support case management system; Cloudflare acknowledged that it had not rotated these credentials, mistakenly assuming they were not in use.
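The lesson of that last sentence is that "we think it is unused" is not a reason to skip rotating a credential exposed in a third-party breach. The following added example (not Cloudflare's code, not from its report) triages a constructed inventory of four service credentials against a hypothetical exposure date and flags every one that was not rotated afterwards, treating an idle-looking credential as still needing rotation rather than as safe.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

UTC = timezone.utc


@dataclass
class Credential:
    name: str                         # which service the token/account belongs to
    rotated_at: Optional[datetime]    # last rotation; None if never rotated
    last_used_at: Optional[datetime]  # last use seen in auth logs; None if never seen


# Hypothetical date on which the third-party (identity provider) breach became known.
EXPOSURE_DATE = datetime(2023, 10, 20, tzinfo=UTC)

# Constructed sample: the four services named in the post, with made-up timestamps.
SAMPLE = [
    Credential("aws-service-account", datetime(2023, 11, 1, tzinfo=UTC), datetime(2023, 11, 20, tzinfo=UTC)),
    Credential("bitbucket-service-account", None, None),
    Credential("moveworks-service-account", datetime(2023, 9, 1, tzinfo=UTC), datetime(2023, 11, 15, tzinfo=UTC)),
    Credential("smartsheet-service-account", None, datetime(2023, 8, 2, tzinfo=UTC)),
]


def triage(creds, exposed_at):
    """Classify each credential relative to an exposure date.

    Only a credential rotated after the exposure is considered safe. Everything else
    still needs rotation, and "no recent use" does not exempt it: a token that was
    quiet before the exposure may simply have been idle until the thief used it.
    """
    findings = {}
    for c in creds:
        if c.rotated_at is not None and c.rotated_at > exposed_at:
            findings[c.name] = "rotated after exposure"
        elif c.last_used_at is not None and c.last_used_at > exposed_at:
            findings[c.name] = "ROTATE NOW: used after exposure, never rotated since"
        else:
            findings[c.name] = "ROTATE: looks idle, but idle is not revoked"
    return findings


def rotation_needed(creds, exposed_at):
    """Names of credentials that still need rotation, most urgent first."""
    verdicts = triage(creds, exposed_at)
    urgent = [n for n, v in verdicts.items() if v.startswith("ROTATE NOW")]
    rest = [n for n, v in verdicts.items() if v.startswith("ROTATE:")]
    return urgent + rest


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE, EXPOSURE_DATE).items():
        print(f"{name:28s} {verdict}")
```

In the sample, the credential used after the exposure but rotated only before it is listed first; the two that look idle are listed next rather than dropped.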
The company also stated that it took steps to sever all malicious connections originating from the attacker (or attackers) on November 24, 2023, and brought in the cybersecurity firm CrowdStrike to perform an independent assessment of the incident.
“The only production system that the threat actor could access using the stolen credentials was our Atlassian environment. Analyzing the wiki pages they accessed, bug database issues, and source code repositories, it appears they were looking for information about the architecture, security, and management of our global network”, Cloudflare said.