Cloudflare Hacked Using Auth Tokens Stolen in Okta Attack
Cloudflare's security breach highlights the importance of regular credential rotations and proactive security measures to protect against data breaches.
Medusa
7 Mins
Cloudflare revealed that its internal Atlassian server experienced a breach perpetrated by a suspected 'nation-state attacker', resulting in unauthorized access to its Confluence wiki, Jira bug database, and Bitbucket source code management system.
The threat actor initially infiltrated Cloudflare's self-hosted Atlassian server on November 14, proceeding to gain entry into the company's Confluence and Jira systems after conducting a reconnaissance phase.
Cloudflare Hacked: What Happened?
In November, Cloudflare encountered a security breach, allowing attackers persistent access to their Atlassian server and source code management system. Leveraging stolen access tokens and service account credentials from a previous Okta breach, the attackers attempted unauthorized entry into Cloudflare's infrastructure, including a data center in São Paulo. Cloudflare swiftly identified and contained the breach, conducting thorough forensic analysis, rotating over 5,000 production credentials, and reimagining compromised systems.
Who was affected?
Cloudflare was the main victim of the breach, which involved unauthorized access to their Atlassian server, Confluence, and Jira systems.
Were the customers affected?
According to Cloudflare, the breach had no impact on customer data, systems, services, global network systems, or configuration.
Role of Access Token
An access token is a security token that is used to authenticate and authorize access to protected resources. When a client application wants to access an API, it first needs to obtain an access token from the API provider. This token is then included in the API requests to prove the client's identity and permissions.
An authorization server typically issues access tokens and have an expiration time. They are used in authorization protocols like OAuth and provide a secure way for clients to access resources on behalf of a user without exposing their credentials.
The attacker in the Cloudflare breach exploited old access tokens obtained from a previous Okta breach. In this case, the attacker leveraged stolen access tokens and service account credentials to gain unauthorized entry into Cloudflare's infrastructure. By using these tokens, the attacker was able to bypass authentication mechanisms and gain persistent access to Cloudflare's Atlassian server and source code management system.
Why did it happen?
To understand why it happened, you need to understand credential rotations. Rotating credentials refers to the process of regularly changing or updating the access credentials used to authenticate and authorize access to a system or service. This is done as a security measure to mitigate the risk of unauthorized access in case credentials are compromised. By frequently rotating credentials, organizations ensure that even if a credential is stolen or leaked, it becomes invalid after a certain period of time. This reduces the window of opportunity for attackers to exploit it.
In Cloudflare's case, they made a mistake by not rotating the credentials, which allowed the attacker to use credentials from the Okta breach in Cloudflare's systems leading to another breach.
Here's how you can perform credential rotation for your organization:
Identify Credentials: Determine which credentials need updating, such as passwords, API keys, or access tokens.
Generate New Credentials: Create new credentials to replace the old ones.
Update Systems: Apply the new credentials to relevant systems and applications. For example, create new passwords for user accounts or generate new API keys for accessing services.
Enforcing Access Controls: Implement access controls to ensure only authorized individuals or systems have access to the new credentials. This may include role-based access control, multi-factor authentication, or other security measures.
Repeat Regularly: Maintain a regular schedule for this process to stay ahead of potential security threats.
Cloudflare Response
“Even though we understand the operational impact of the incident to be extremely limited, we took this incident very seriously because a threat actor had used stolen credentials to get access to our Atlassian server and accessed some documentation and a limited amount of source code," said Prince, Graham-Cumming, and Bourzikas.
How Akto can Help?
This type of situation arises when the authentication is not robust. Attackers can exploit weak or broken authentication in various ways, making it crucial to test for vulnerabilities. In this case, the attacker was able to exploit the Cloudflare services by using access tokens.
Akto, a powerful tool for vulnerability testing, includes a feature called the test library that can help you identify vulnerabilities. Check out this video about BUA (Broken Authentication) to see how it works!
Mitigations
Cloudflare has undertaken several measures. Firstly, the company promptly responded to the breaches by swiftly rotating production credentials, segregating systems, conducting forensic analysis, and reimaging affected machines. Additionally, Cloudflare has emphasized the importance of proactive security measures, such as employee training to prevent phishing attacks and the use of FIDO2-compliant security keys for enhanced authentication security. Furthermore, the company has collaborated with industry and government partners to analyze the nature of the attacks and enhance its defensive strategies. Cloudflare's proactive approach to security incidents demonstrates its commitment to safeguarding its systems and data against future threats.
Conclusion
The Cloudflare security breach emphasized the need for regular credential rotations and proactive security measures to prevent data breaches. Cloudflare promptly responded by analyzing the breach, changing production credentials, and improving compromised systems.
Keep reading
API Security
3 minutes
What is API Discovery?
API Discovery helps identify, map, and manage APIs within an organization, ensuring security, performance, and seamless integration across systems.
API Security
5 minutes
Top 10 DAST Tools in 2024
DAST tools secure web apps by identifying vulnerabilities through automated security testing.
API Security
8 minutes
Security Information and Event Management (SIEM)
SIEM aggregates and analyzes security data across an organization to detect, monitor, and respond to potential threats in real time.
Experience enterprise-grade API Security solution