Cloudflare, a well-known provider of internet infrastructure, recently disclosed a significant security breach that occurred on Thanksgiving Day, November 23, 2023. The breach was identified when an unauthorized individual gained access to Cloudflare’s self-hosted Atlassian server, prompting a thorough investigation and response from the company’s security team.

According to Cloudflare, the threat actor behind the attack was highly sophisticated and likely affiliated with a nation-state. They operated with a deliberate and systematic approach. The attacker exploited credentials that were stolen during the Okta breach in October 2023. Specifically, they utilized one access token and three service account credentials that had not been rotated, as they were mistakenly believed to be inactive.

The timeline of the security incident began with the compromise of Okta on October 18, 2023. Despite initial attempts by the threat actor to access Cloudflare’s systems, these were successfully thwarted. However, on November 14, the attacker resumed their activities, conducting reconnaissance and gaining access to Cloudflare’s internal wiki and bug database. The intrusion escalated on November 22, when the threat actor established persistent access to the Atlassian server, infiltrated the source code management system, and attempted to access a console server in São Paulo, Brazil.

Upon discovering the presence of the threat actor, Cloudflare promptly took action by initiating a comprehensive remediation effort known as “Code Red” on November 27. This effort involved a holistic approach to strengthen and remediate controls within the environment. Measures taken included rotating over 5,000 production credentials, physically segmenting test and staging systems, conducting forensic triages on 4,893 systems, and implementing a global reimaging and rebooting process.

The primary target of the threat actor was Cloudflare’s Atlassian environment, specifically Confluence, Jira, and Bitbucket. The attacker managed to gain access to 120 code repositories, with a specific interest in information related to network configuration, backups, identity management, remote access, and the utilization of Terraform and Kubernetes. While 76 repositories were only viewed, the company treated them as potentially exfiltrated, particularly those that contained encrypted secrets.

Cloudflare assured its customers that the incident had an extremely limited impact on its operations. This was due to the robust access controls, firewall rules, and the implementation of strong security keys through their Zero Trust tools. These measures effectively restricted the threat actor’s ability to move laterally within Cloudflare’s systems. Importantly, no customer data, global network systems, SSL keys, or other critical configurations were compromised.

The security breach at Cloudflare during Thanksgiving 2023 highlights the evolving tactics employed by sophisticated threat actors. The company attributes the attack to a likely nation-state actor. Cloudflare’s transparent disclosure and proactive response underscore the significance of continuous security measures and their commitment to safeguarding customer data and infrastructure. This incident serves as a reminder of the ever-present cybersecurity challenges and the ongoing efforts required to maintain resilience against such sophisticated threats.