In a not-so-surprising turn of events, one of the victims of Okta’s supply chain attack has revealed further exploitation. Cloudflare recently reported that their entire Atlassian suite (Bitbucket, Jira and Confluence) was breached back in November by the same threat actor that breached Okta’s support systems.
In this article we will cover what happened in this breach, and how Astrix can help with such attacks.
Supply chain attacks involve a vendor that has been breached, with the stolen data then used to compromise the vendor’s customers. In this case, attackers breached Okta’s support ticket system using a compromised service account. From there the attackers stole HAR files uploaded by Okta’s customers, which contain customers’ credentials.
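Because the exposure path was HAR files that carried live credentials, one practical mitigation is to sanitize a HAR before uploading it to any vendor support portal. The following is an added example (not Cloudflare’s, Okta’s or Astrix’s code) that redacts auth headers, cookies, credential-like query parameters and request bodies; the sample HAR and all of its values are constructed.

```python
import copy
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed HAR (HTTP Archive) sample in the shape a browser exports and
# support portals ask for; every value is made up, not data from the breach.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "url": "https://example.okta.com/api/v1/users/me?token=abc123&page=2",
        "headers": [{"name": "Authorization", "value": "SSWS 00abcSECRET"},
                    {"name": "Cookie", "value": "sid=s3ss10n"},
                    {"name": "Accept", "value": "application/json"}],
        "cookies": [{"name": "sid", "value": "s3ss10n"}],
        "postData": {"mimeType": "application/json", "text": '{"password":"hunter2"}'}},
    "response": {
        "headers": [{"name": "Set-Cookie", "value": "sid=n3wsess; HttpOnly"},
                    {"name": "Content-Type", "value": "application/json"}],
        "cookies": [{"name": "sid", "value": "n3wsess"}]}}]}}

SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie", "x-api-key"}
SENSITIVE_PARAMS = {"token", "access_token", "id_token", "code", "session"}
REDACTED = "[REDACTED]"

def _redact_url(url: str) -> str:
    """Replace the value of credential-like query parameters, keep the rest."""
    parts = urlsplit(url)
    query = [(k, REDACTED if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query, safe="[]")))

def sanitize_har(har: dict) -> dict:
    """Return a deep copy of the HAR with credential-bearing fields redacted."""
    clean = copy.deepcopy(har)
    for entry in clean["log"]["entries"]:
        for side in ("request", "response"):
            part = entry[side]
            for h in part.get("headers", []):
                if h["name"].lower() in SENSITIVE_HEADERS:
                    h["value"] = REDACTED
            for c in part.get("cookies", []):
                c["value"] = REDACTED
        entry["request"]["url"] = _redact_url(entry["request"]["url"])
        entry["request"].pop("postData", None)  # bodies often carry passwords/tokens
    return clean

def leaked(har: dict, secrets) -> list:
    """Which of the known secret strings still appear anywhere in the HAR."""
    blob = json.dumps(har)
    return [s for s in secrets if s in blob]
```

Run `leaked(sanitize_har(har), [...])` against any known session or API token values before uploading; an empty list is the expected result.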
Cloudflare, being an Okta customer, responded to the initial breach by rotating 5000 exposed credentials. Sadly, their efforts fell short. In an extensive report, Cloudflare describes how, a few weeks after the incident, the Okta attackers used two credentials that had not been rotated to compromise their Atlassian suite: a token and service account credentials, both belonging to integrations within Cloudflare’s Atlassian environment. These were used to gain administrative access to Cloudflare’s Jira, Confluence and Bitbucket.
The compromised production Atlassian suite contained Cloudflare’s internal Confluence wiki (14,099 pages), Jira bug tracking (2M tickets) and Bitbucket source code (11,904 repositories), all of which the attackers had access to. Cloudflare shares how the attackers tried using the information about Cloudflare’s internal systems, as well as credentials leaked through production source code to laterally move within their systems into AWS tenants and on-premise servers. Thankfully, Cloudflare’s Zero-Trust policy successfully blocked these efforts.
This is a devastating attack on one of the largest SaaS companies, and it starkly highlights the risks of supply chain attacks. Although not initially their fault, Cloudflare’s most sensitive data was exposed.
In this attack, we see again how attackers abuse non-human access, which usually goes unmonitored, to achieve high privilege access to internal systems. Another noteworthy point is that the attackers targeted Cloud, SaaS and also on-prem solutions to expand their access. This emphasizes the growing need for a holistic approach to securing non-human identities across the entire organization.
As part of the IR efforts after the Okta breach, the Cloudflare security team worked extensively to identify and rotate all compromised credentials. Alas, they missed 4 credentials – one access token and three service account credentials – which the threat actors used to access and exfiltrate data from Cloudflare’s Atlassian environments. Cloudflare mentions in their report that their existing solutions failed to find these unrotated credentials, which is a testament to our age-old saying – current solutions are simply not built for NHI threats.
So here is how Astrix can help with such supply chain exploits:
The post Breach analysis: Cloudflare falls victim to Okta attack appeared first on Astrix Security.
*** This is a Security Bloggers Network syndicated blog from Astrix Security authored by Danielle Guetta. Read the original post at: https://astrix.security/breach-analysis-cloudflare-falls-victim-to-okta-attack/