Cloudflare Security Breach
Updated by Keith Kirkland
High-Level Summary of the Security Advisory
Cloudflare, Inc. is a connectivity cloud company comprising a vast array of servers to enhance the security, performance, and reliability of all Internet-connected entities. Headquartered in San Francisco, California, Cloudflare provides content delivery network services, cloud cybersecurity, DDoS mitigation, and ICANN-accredited registration services.
On Thanksgiving Day, November 23, 2023, Cloudflare detected a threat actor on their self-hosted Atlassian server. Their security team initiated an investigation, cut off the threat actor’s access, and engaged CrowdStrike's Forensic team for an independent analysis on November 26, 2023.
On January 31, 2024, CrowdStrike completed its investigation, and Cloudflare published the details of this security incident.
As per the advisory, in October 2023, Cloudflare experienced a security incident resulting from a compromise of Okta's systems, which gave a threat actor access to certain credentials. Cloudflare identified that it had failed to rotate one service token and three service-account credentials that were leaked during the Okta compromise, because they were initially believed to be unused.
According to Cloudflare's logs, the threat actor began probing on November 14, 2023, conducting reconnaissance. The threat actor managed to access Cloudflare's isolated AWS environment for Apps, but couldn't reach the global network or customer data. By November 16, the threat actor gained access to Atlassian Jira and Confluence, exploring network details and Jira tickets, and also creating a disguised Atlassian user account for persistent access. On November 22, the threat actor installed the Sliver Adversary Emulation Framework, gaining continuous access to Cloudflare's Atlassian server.
Cloudflare's security team, alerted on November 23, swiftly deactivated accounts and implemented measures, successfully terminating the threat actor's access by November 24. Details of the sequence of events can be found in the security advisory.
While the operational impact is deemed minimal, the severity arises from a threat actor using stolen credentials to access the Atlassian server and review limited documentation and source code. Based on its collaboration with industry and government colleagues, Cloudflare believes the attack was orchestrated by a nation-state actor aiming for persistent and widespread access to Cloudflare's global network.
Should I be concerned?
Maybe. It depends on whether you have a relationship with Cloudflare. Click on the link below to find out if you have a relationship with this vendor. If you do, follow the recommendations below.
Note: this link specifically references vendor directory records. You may also want to search your Relationship List for “Cloudflare” to confirm.
What to do if you or your vendors have an active relationship with Cloudflare
As stated in the advisory, Cloudflare promptly limited the impact, secured its systems, established the scope of the threat actor's access, and addressed immediate priorities such as mass credential rotation.
Cloudflare emphasized that there was no impact on their customer data or systems. No services were implicated, and no changes were made to their global network systems or configuration. Cloudflare collaborated with CrowdStrike’s Forensic team to conduct an independent analysis and confirmed that all threat actor access was terminated by November 24, 2023.
Below are the Indicators of Compromise (IOCs) observed by Cloudflare for this threat actor. Cloudflare released them to help other organizations, particularly those potentially affected by the Okta breach, scrutinize their logs and confirm that the same threat actor did not compromise their systems.
| Indicator | Indicator Type | SHA256 | Description |
| --- | --- | --- | --- |
| 193.142.58[.]126 | IPv4 | N/A | Primary threat actor infrastructure, owned by M247 Europe SRL (Bucharest, Romania) |
| 198.244.174[.]214 | IPv4 | N/A | Sliver C2 server, owned by OVH SAS (London, England) |
| idowall[.]com | Domain | N/A | Infrastructure serving Sliver payload |
| jvm-agent | Filename | bdd1a085d651082ad567b03e5186d1d46d822bb7794157ab8cce95d850a3caaf | Sliver payload |
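The advisory recommends checking your own logs for these indicators. The following is an added example, not code from Cloudflare or VISO TRUST, showing how a defender can sweep a batch of log lines for the IP addresses, domain, filename and SHA256 hash listed above. The indicators are taken from the table (un-defanged for matching); the log lines are constructed for illustration and the field names in them (`src=`, `dst=`, `query=`, `path=`, `sha256=`) are assumptions about a generic key=value log format, not any real product's schema.

```python
import re

# IOCs from the advisory table. The page defangs them with "[.]"; refang() turns
# them back into matchable strings.
def refang(indicator: str) -> str:
    return indicator.replace("[.]", ".")

IOC_IPS = {refang("193.142.58[.]126"), refang("198.244.174[.]214")}
IOC_DOMAINS = {refang("idowall[.]com")}
IOC_SHA256 = {"bdd1a085d651082ad567b03e5186d1d46d822bb7794157ab8cce95d850a3caaf"}
IOC_FILENAMES = {"jvm-agent"}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")
# Domain must not be preceded by a label character, so "notidowall.com" does not match.
DOMAIN_RES = [re.compile(r"(?<![\w.-])" + re.escape(d) + r"(?![\w-])") for d in IOC_DOMAINS]


def scan_line(line: str, lineno: int) -> list:
    """Return one hit dict per indicator found on this line."""
    hits = []
    lowered = line.lower()

    for ip in IP_RE.findall(line):
        if ip in IOC_IPS:
            hits.append({"line": lineno, "type": "ip", "value": ip})

    for rx in DOMAIN_RES:
        m = rx.search(lowered)
        if m:
            hits.append({"line": lineno, "type": "domain", "value": m.group(0)})

    for digest in SHA256_RE.findall(lowered):
        if digest in IOC_SHA256:
            hits.append({"line": lineno, "type": "sha256", "value": digest})

    # Filename check: compare the basename of any key=value token against the IOC list.
    for token in line.split():
        _, _, value = token.partition("=")
        basename = value.rsplit("/", 1)[-1]
        if basename in IOC_FILENAMES:
            hits.append({"line": lineno, "type": "filename", "value": basename})

    return hits


def scan_logs(lines) -> list:
    """Scan an iterable of log lines; line numbers are 1-based."""
    hits = []
    for n, line in enumerate(lines, start=1):
        hits.extend(scan_line(line, n))
    return hits


# Constructed sample log lines (not real telemetry) in a generic key=value format.
SAMPLE_LOGS = [
    "2023-11-14T10:02:11Z jira-proxy src=193.142.58.126 method=GET path=/rest/api/2/myself status=200",
    "2023-11-16T08:41:03Z confluence src=10.0.3.17 user=svc-build action=view page=Network-Overview",
    "2023-11-22T14:05:44Z edr host=atlassian-01 event=file_create path=/tmp/jvm-agent "
    "sha256=bdd1a085d651082ad567b03e5186d1d46d822bb7794157ab8cce95d850a3caaf",
    "2023-11-22T14:06:01Z dns host=atlassian-01 query=idowall.com type=A",
    "2023-11-22T14:06:05Z fw host=atlassian-01 dst=198.244.174.214 dport=443 action=allow",
]

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(f"line {hit['line']}: {hit['type']} indicator {hit['value']}")
```

A hit on any of these indicators is a prompt to pull the surrounding activity for that host or account, not proof of compromise by itself; the hash and C2 hostname are the strongest signals, while a single IP match should be checked against the time window in the advisory.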
We suggest maintaining close communication with Cloudflare, Inc. and staying informed about any subsequent updates or actions that may arise.
--------------------------------------------------------------
We are actively working on future product enhancements related to these types of events. If you found this information helpful or have additional feedback please let us know at product@visotrust.com.
For any additional questions, please reach out to your customer success manager.
Stay ahead of the curve with our Public Risk Notice Alerts!
Get the latest information and news to your inbox on cybersecurity breaches and third-party vendor risks that could impact your organization.
Sign up today to fortify your organization's security.
The VISO TRUST team