Cloudflare Official Post: How its server was hacked in November and what it means for your business security
Cloudflare reported that its internal Atlassian server was hacked by a suspected nation-state attacker. As a result of the incident, the Confluence wiki, the Jira bug database, and the Bitbucket source code management system were compromised.
Hacking Cloudflare's internal Atlassian server
Gaining access to systems
The attacker first gained access to Cloudflare's Atlassian server on November 14. Subsequently, he was able to penetrate the Confluence and Jira systems.
After this, on November 22, the attacker established persistent access to the Atlassian server using ScriptRunner for Jira. He also gained access to a source control system that used Atlassian Bitbucket. Attempts to access the console server associated with Cloudflare's data center in Sao Paulo, Brazil were unsuccessful, said Cloudflare CEO Matthew Prince, CTO John Graham-Cumming and CISO Grant Bourzikas.
Using Stolen Data
The attackers used an access token and credentials stolen from an earlier attack on Okta in October 2023. This data is linked to the cybersecurity systems of large corporations. Cloudflare was reportedly unable to recover data from this attack.
Incident detection and response
On November 23, Cloudflare detected malicious activity and immediately terminated the attacker's access. After this, the company's cybersecurity specialists began an investigation. Work to eliminate the consequences of the incident was completed on January 5.
The company says the breach did not impact customer data or systems. Services and network systems were also not affected.
Cloudflare believes that the attack was carried out by a nation-state attacker in order to gain persistent and widespread access to the company's global network. During the attack, the attackers sought information about the architecture, security and management of the Cloudflare network.
Answers to questions
What information did the attacker get when hacking the Cloudflare server?
The attacker gained access to the Confluence wiki, the Jira bug database, and Cloudflare's Bitbucket source code management system.
What methods did the attacker use to ensure persistent access to the Atlassian server?
The attacker used ScriptRunner for Jira to establish persistent access to Cloudflare's Atlassian server.
What steps has Cloudflare taken to address the breach?
Cloudflare rotated all production credentials, physically segmented systems, performed forensic triage of systems, created new images, and rebooted all systems in the company's global network, including all Atlassian servers (Jira, Confluence and Bitbucket) and machines accessible to the attacker.
- Cloudflare is a security and web traffic optimization company.
- Atlassian is a developer of software, including project and source code management systems.
- Confluence is a wiki platform used for collaboration on documentation.
- Jira is a project and bug management system.
- Bitbucket is a source code management system.