Cyber attack on Cloudflare by alleged state APT
Emergency intervention and investigation into the operations of an APT against the network security giant
Cloudflare suffered an advanced cyberattack that breached its Atlassian systems, resulting in the theft of documents and source code. They responded by replacing credentials and isolating systems.
Cloudflare recently suffered a highly specialized cyber incursion, the origin of which is alleged to be a state-led Advanced Persistent Threat (APT). The attack, which took place between November 14 and 24, 2023 and was identified on the 23rd of the same month, involved a breach of the company's Atlassian systems, resulting in unauthorized access to internal documents and portions of the source code.
Immediate interventions in response to the intrusion
In response to the attack, Cloudflare implemented emergency countermeasures, including replacing more than 5,000 operational credentials and physically isolating its testing and staging environments. A thorough forensic examination was conducted on 4,893 devices, followed by rebooting each individual unit across its global network infrastructure. The attack itself unfolded methodically: the attacker created an illegitimate Atlassian account, established persistence on the servers, and then moved into the Bitbucket system using the adversary simulation framework Sliver.
Damage assessment and preventive measures
According to assessments, the attacker viewed approximately 120 repositories and exfiltrated 76 of them. These included data related to backup processes, network configuration and infrastructure maintenance, as well as corporate identity and tooling such as Terraform and Kubernetes. Although some repositories contained encrypted secrets, the cryptographic keys were promptly rotated as a precautionary measure. It should be noted that the APT's attempts to access a console in the non-operational data center in São Paulo were unsuccessful.
Cloudflare's organized response to the compromise
The scope of the APT's compromise, carried out with credentials obtained in the earlier October 2023 breach of the Okta support case management system, was limited to Cloudflare's Atlassian ecosystem. Analysis of the attacker's activity across the wiki pages, bug tracking database reports and source code it examined reveals a clear interest in the architectural details and security mechanisms of Cloudflare's network. The organization neutralized every malicious connection on November 24 and enlisted the support of cybersecurity firm CrowdStrike for an in-depth investigation into how the attack occurred.
02/04/2024 22:08
Marco Verro