Cloudflare revealed on Thursday its global network was infiltrated by a sophisticated threat actor, discovered by IT teams on Thanksgiving day last year.

The global IT services and cloud provider said the likely nation-state actor was detected on Cloudflare’s self-hosted Atlassian server on November 23rd, 2023, but had been moving around its systems for nearly two weeks prior.

Within three days, engineering teams were able to cut off access to the threat actor, who was “operating in a thoughtful and methodical manner,” according to the mammoth IT firm.

Cloudflare stressed that at no point was customer data or systems impacted by the security event.

“Because of our access controls, firewall rules, and use of hard security keys enforced using our own zero trust tools, the threat actor’s ability to move laterally was limited,” the San Francisco-based company said on February 1st.

“No services were implicated, and no changes were made to our global network systems or configuration,” it reiterated.

Okta breach a factor

Cloudflare said the security lapse was related to last fall’s massive Okta breach, in which attackers compromised swaths of sensitive customer data.

Some of that data was later confirmed to include login credentials from many of its enterprise support services customers, including big names like Zoom, Sonos, Bain & Company, T-Mobile, Hewlett Packard, and others.

Ironically, Cloudflare was one of the first few companies to publicly announce it was affected by the Okta incident back on October 18th – clearly less than pleased with how the identity and access management company was handling its in-house security.

The Cloudflare attacker apparently used those stolen Okta credentials to gain entry into the network’s Atlassian server in November, accessing “some documentation and a limited amount of source code.”

About their own security blunder, Cloudflare said the compromised login credentials "were all meant to be rotated," but "mistakenly," one service token and three service accounts were not rotated due to IT teams believing those accounts were inactive.

Okta response to Cloudflare’s lengthy blog post about the breach and claims it was now a two-time victim of an Okta compromise?

“This not a new incident or disclosure on the part of Okta,” an Okta spokesperson told Cybernews on Friday.

“On October 19th, we notified customers, shared guidance to rotate credentials, and provided indicators of compromise (IoCs) related to the October security incident,” the Okta spokesperson said.

“We can't comment on our customers' security remediations,” Okta's spokesperson noted.

Friday's response from Okta likely refers to Cloudflare's self-admission that the November breach was caused by its own lack of follow-through on Okta’s October recommendations to rotate all credentials.
Advanced persistent threat (APT)

Besides infiltrating Atlassian products like Jira and Confluence, the threat actor was able to breach Cloudflare’s AWS environment and its Cloudflare Apps Marketplace, as well as a Bitbucket service account.

Cloudflare found the attacker used a Moveworks service token to authenticate its gateway, then gained access to a Smartsheet service account, which got the attacker into the Atlassian suite.

To throw off suspicion, the attacker created his own Atlassian account using Smartsheet and gave themselves administrative privileges.

It was then that Cloudflare teams were alerted to the attackers' presence.

Even so, the attacker was still able to install a Sliver framework, commonly used by cybercriminals to connect to a command and control center, and attempted – unsuccessfully – to access some of Cloudflare’s data centers, repositories, and its dashboard.

Randomly, the threat actor "searched the wiki for things like remote access, secret, client-secret, OpenConnect, and token," while also searching through roughly three dozen Jira tickets, Cloudflare said.

“The wiki searches and pages accessed suggest the threat actor was very interested in all aspects of access to our systems: password resets, remote access, configuration, our use of [password complexity tool] Salt, but they did not target customer data or customer configurations,” the company said.

Cloudflare said after a thorough investigation with outside forensic specialists that the "last evidence of any threat activity" was documented on November 24th.

The company credited its zero-trust security strategy as the reason the attacker was unable to breach other more sensitive parts of the network.

“It’s like bulkheads in a ship where a compromise in one system is limited from compromising the whole organization,“ Cloudflare said.

Once the attacker was completely expelled from Cloudflare servers, the IT team said it went “code red” to go through and beef up security on all its systems.

Atlassian recently announced it would retire its self-managed server and will only be offering its development and collaboration management services on the cloud.