Cloudflare has revealed that it was the target of a likely nation-state attack in which the threat actor leveraged stolen credentials to gain unauthorized access to its Atlassian server and ultimately access some documentation and a limited amount of source code.
The intrusion, which took place between November 14 and 24, 2023, and detected on November 23, was carried out “with the goal of obtaining persistent and widespread access to Cloudflare’s global network,” the web infrastructure company said, describing the actor as “sophisticated” and one who “operated in a thoughtful and methodical manner.”
The threat actor is then said to have unsuccessfully attempted to “access a console server that had access to the data center that Cloudflare had not yet put into production in São Paulo, Brazil.”
The attack was accomplished by making use of one access token and three service account credentials associated with Amazon Web Services (AWS), Atlassian Bitbucket, Moveworks, and Smartsheet that were stolen following the October 2023 hack of Okta’s support case management system.
“The only production systems the threat actor could access using the stolen credentials was our Atlassian environment. Analyzing the wiki pages they accessed, bug database issues, and source code repositories, it appears they were looking for information about the architecture, security, and management of our global network,” Cloudflare said.
Source: https://thehackernews.com/