Vorlon Blog

Cloudy With a Chance of Breaches

Written by Lauren Lee | Feb 15, 2024 5:00:00 PM

Introduction

Cloudflare, our beloved internet guardian, found themselves in a bit of a digital pickle, not once, but twice, with echoes of Okta's own “oopsie” (breach) moment.

A Trip Down Memory Lane

Let’s recap what happened to Okta last year. 

Okta, our go-to for digital identity safeguarding, hit a bit of a double whammy with security snafus last year. They dealt with sneaky intruders swiping sensitive info not once, but twice. This stirred up quite the buzz about beefing up security measures and had everyone questioning their multi-factor authentication game. 

The fallout? A bit of a ding to Okta's wallet and rep. But it's not just an Okta tale—1Password, Cloudflare, and BeyondTrust felt the tremors too and jumped into action to shield their user data. 

 

Cloudflare's Close Call

Unfortunately, that was not the final chapter for Cloudflare. Cloudflare recently shared another whoops moment when a suspected nation-state baddie snuck into their digital backyard. This wasn’t just any intruder; they were after the digital crown jewels - Cloudflare's internal Atlassian server. This server is like the brain of the operation, housing their Confluence wiki, Jira bug database, and Bitbucket source code management.

The saga began on November 14, when the cyber intruders first tiptoed into Cloudflare's Atlassian server. They did a little digital reconnaissance before making themselves cozy on November 22, setting up camp and gaining access to all sorts of digital nooks and crannies. They even tried (and failed, thankfully) to sneak into a console server linked to Cloudflare's not-yet-active São Paulo data center.

 

The Okta Connection

Now, how did these digital ninjas get in, you ask? Well, they used an access token and three service account credentials that were previously nabbed during Okta's breach back in October 2023. Cloudflare, it turns out, unfortunately missed rotating these credentials among the thousands leaked during the Okta compromise earlier in the year.

 

Quick on Their Feet

Cloudflare caught on to the shenanigans by November 23 and quickly cut off the attackers’ access. They then went into full-on detective mode, rotating over 5,000 production credentials, checking thousands of systems, and giving their global network, including all Atlassian servers, a thorough scrub.

The attackers had a go at Cloudflare's Brazil data center too, but no dice. Cloudflare made sure it was locked up tight by returning all equipment to manufacturers to double-check for security.

 

All’s Well That Ends Well

By January 5, Cloudflare wrapped up their remediation efforts but are still on their toes, working on software hardening and keeping a vigilant eye on credentials and vulnerabilities. The good news? Cloudflare assures that no customer data or systems were compromised, nor were their services or global network systems affected.

 

Moral of the Story

So, what’s the key takeaway? Keep a close eye on your API activity and don't let credentials get stale! Regular updates and monitoring aren't just good practice—they're essential for keeping our digital doors locked tight. Staying sharp and rotating those keys regularly is the secret sauce to cyber safety.