Cloudflare hacked using stolen Okta auth tokens
Cloudflare disclosed today that it was attacked and breached using stolen Okta auth tokens, which gave the attacker access to its self-hosted internal Jira server:
Cloudflare announced a security breach of its internal Atlassian server by a 'nation-state' attacker. The breach involved unauthorized access to Cloudflare's Confluence wiki, Jira bug tracking system, and Atlassian Bitbucket source code management system.
The attacker initially breached Cloudflare's self-hosted Atlassian server on November 14, moving on to access the Confluence and Jira systems after a period of reconnaissance.
Cloudflare explained, "On November 22, the attacker re-engaged, securing persistent access to our Atlassian server through ScriptRunner for Jira, accessed our Atlassian Bitbucket-based source code management system, and attempted to infiltrate a console server. This server was linked to a data center in São Paulo, Brazil, which Cloudflare had not yet launched."
The intrusion was made possible by one access token and three service account credentials that had been stolen in the Okta breach of October 2023. Cloudflare had rotated thousands of credentials compromised in that incident, but these four had been missed.
Cloudflare identified the unauthorized activity on November 23 and blocked the attacker's access on the morning of November 24. The company's cybersecurity forensics team began a thorough investigation of the breach on November 26.