
Cyber attack on Cloudflare by alleged state APT

Emergency intervention and investigation into the operations of an APT against the network security giant

Cloudflare suffered an advanced cyberattack that breached its Atlassian systems, resulting in the theft of documents and source code. They responded by replacing credentials and isolating systems.


Cloudflare recently suffered a highly specialized cyber intrusion, attributed to an allegedly state-sponsored Advanced Persistent Threat (APT). The attack took place between November 14 and 24, 2023 and was identified on the 23rd of the same month. It involved a breach of the company's Atlassian systems, resulting in unauthorized access to internal documents and portions of the source code.

Immediate interventions in response to the intrusion

In response to the attack, Cloudflare implemented emergency countermeasures, including rotating more than 5,000 operational credentials and physically isolating its testing and staging environments. A thorough forensic examination was conducted on 4,893 devices, after which each unit was reimaged and rebooted before being returned to the global network infrastructure. The attack itself unfolded methodically: the attacker created an illegitimate Atlassian account, established persistent access on the servers, and then moved into the Bitbucket system using the adversary simulation framework Sliver.

Damage assessment and preventive measures

According to assessments, the attacker viewed approximately 120 repositories and exfiltrated 76 of them. These included data related to backup processes, network configuration and infrastructure maintenance, as well as corporate identity management and tooling such as Terraform and Kubernetes. Although some of the repositories contained encrypted secrets, the corresponding cryptographic keys were promptly rotated as a precautionary measure. It should be noted that the APT's attempts to access a console in the non-operational data center in São Paulo were unsuccessful.

Cloudflare's organized response to the compromise

The perimeter compromised by the APT, using credentials obtained in the October 2023 breach of Okta's support case management system, was limited to Cloudflare's Atlassian ecosystem. An analysis of the attacker's activity across the wiki pages, bug tracking database reports and source code they examined reveals a clear interest in the architectural details and security mechanisms of Cloudflare's network. The organization severed every malicious connection on November 24 and enlisted the cybersecurity firm CrowdStrike for an in-depth investigation into how the attack occurred.


02/04/2024 22:08

Marco Verro
