Cloudflare hacked in Nov. 2023

The US company Cloudflare, which provides a CDN, security services and DNS services, was hacked in November 2023. The attackers used an authentication token to access an Atlassian server and gained access to the Confluence wiki, the Jira bug database and the Bitbucket source code management system. State-sponsored hackers are assumed to be responsible for the attack.

What does Cloudflare do?

Cloudflare offers numerous Internet-related services: a content delivery network, Internet security services and distributed DNS (Domain Name System) services. When a visitor accesses a website, the content delivery network delivers it on behalf of the site's hosting provider, for example.

Hack in November 2023

Cloudflare, whose infrastructure is used to deliver many websites, announced here that it was the victim of a cyber attack in November 2023. The company, which has since investigated the case forensically, assures that no customer data was affected.

On November 23, 2023, Thanksgiving Day, Cloudflare discovered a threat actor on its self-hosted Atlassian server. The internal security team immediately launched an investigation and blocked the threat actor's access. On Sunday, November 26, 2023, they then called in CrowdStrike's forensics team to conduct its own independent analysis. Now that CrowdStrike has completed its investigation, the details have been published in a blog post.

Okta compromise and stolen access tokens

In October 2023, I described in the blog post Okta support system hacked with stolen credentials that the provider of authentication services in the cloud, Okta, had been hacked. Its support system was compromised using stolen credentials. The hack also affected 1Password (see Okta support hack also affects 1Password account).

The attackers had probably captured an access token for Cloudflare's Atlassian server in the Okta hack. For the intrusion they used this access token and three service account credentials, all obtained from the Okta compromise of October 2023. Cloudflare had probably not rotated these access tokens after the Okta hack.
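The failure mode described above is credentials that already existed at the time of a third-party compromise and were never rotated afterwards. The following script, an added example that is not Cloudflare's tooling or data, audits a constructed credential inventory export for exactly that: it lists every service token or service account that was issued before an assumed compromise cut-off and has no rotation recorded after it. The inventory rows, credential names and the cut-off date are all constructed for the demo; the post only says the Okta compromise happened in October 2023.

```python
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Constructed inventory export (not real Cloudflare data). Columns: name, kind,
# issued_at, last_rotated (empty = never rotated since issuance). Timestamps are UTC ISO 8601.
INVENTORY_CSV = """name,kind,issued_at,last_rotated
atlassian-access-token,service_token,2023-06-01T00:00:00Z,
svc-jira-sync,service_account,2023-03-15T00:00:00Z,2023-10-25T12:00:00Z
svc-confluence-bot,service_account,2023-03-15T00:00:00Z,2023-09-01T00:00:00Z
svc-bitbucket-ci,service_account,2023-03-15T00:00:00Z,
svc-created-later,service_account,2023-11-01T00:00:00Z,
"""

# Assumed cut-off for this demo only; the post says merely "October 2023".
COMPROMISE_AT = datetime(2023, 10, 20, tzinfo=timezone.utc)


@dataclass
class Credential:
    name: str
    kind: str
    issued_at: datetime
    last_rotated: Optional[datetime]  # None means never rotated since issuance


def parse_optional_ts(value: str) -> Optional[datetime]:
    """Parse an ISO 8601 timestamp; an empty field means 'never'. Naive times are rejected
    so that a missing timezone cannot silently shift a credential across the cut-off."""
    value = value.strip()
    if not value:
        return None
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError(f"timestamp without timezone: {value!r}")
    return dt.astimezone(timezone.utc)


def parse_required_ts(value: str) -> datetime:
    dt = parse_optional_ts(value)
    if dt is None:
        raise ValueError("issued_at must not be empty")
    return dt


def load_inventory(text: str) -> List[Credential]:
    rows = csv.DictReader(io.StringIO(text))
    return [
        Credential(
            name=r["name"],
            kind=r["kind"],
            issued_at=parse_required_ts(r["issued_at"]),
            last_rotated=parse_optional_ts(r["last_rotated"]),
        )
        for r in rows
    ]


def unrotated_since(creds: List[Credential], compromise_at: datetime) -> List[Credential]:
    """Credentials that existed at compromise time and were not rotated strictly after it."""
    stale = []
    for c in creds:
        if c.issued_at > compromise_at:
            continue  # created after the compromise, so it could not have been stolen then
        if c.last_rotated is None or c.last_rotated <= compromise_at:
            stale.append(c)
    return stale


def stale_names(text: str = INVENTORY_CSV, compromise_at: datetime = COMPROMISE_AT) -> List[str]:
    return sorted(c.name for c in unrotated_since(load_inventory(text), compromise_at))


if __name__ == "__main__":
    for c in unrotated_since(load_inventory(INVENTORY_CSV), COMPROMISE_AT):
        last = c.last_rotated.isoformat() if c.last_rotated else "never"
        print(f"ROTATE: {c.name} ({c.kind}); last rotated: {last}")
```

A rotation recorded before the cut-off does not count, which is why `svc-confluence-bot` is flagged even though it was rotated once: only a rotation after the compromise invalidates a credential the attackers may have captured. Running the same check against the real inventory of every system that trusts the compromised identity provider is the step the post says was missed.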

Access to the Atlassian server

According to the forensic analysis, a threat actor carried out reconnaissance between November 14 and 17, 2023, and then accessed the internal Cloudflare wiki, which runs on Atlassian Confluence. The bug database (Atlassian Jira) was also accessed. On November 20 and 21, 2023, the forensic experts detected further accesses, presumably made to test that a connection could still be established.

On November 22, 2023, the attackers used ScriptRunner for Jira to establish persistent access to the Atlassian server. They then gained access to Cloudflare's source code management system (which uses Atlassian Bitbucket) and unsuccessfully attempted to access a console server that had access to a data center in São Paulo, Brazil, which Cloudflare had not yet put into operation.

On November 23, 2023, the attack was detected and measures were initiated to block the threat actor. According to CrowdStrike's analysis, all access and connections by the threat actor had been terminated by November 24. The last evidence of activity was on November 24 at 10:44 a.m. local time.

Further details on the analysis and the attack can be found in the Cloudflare blog post. Cloudflare assumes that state-sponsored hackers were behind this security incident, concluding this from the deliberate and methodical approach of the attackers.
