Cloudflare hacked using auth tokens stolen in Okta attack

Cloudflare disclosed today that its internal Atlassian server was breached by a suspected "nation state attacker" who accessed its Confluence wiki, Jira bug database, and Bitbucket source code management system.

The threat actor first gained access to Cloudflare's self-hosted Atlassian server on November 14 and then accessed the company's Confluence and Jira systems following a reconnaissance stage.

"They then returned on November 22 and established persistent access to our Atlassian server using ScriptRunner for Jira, gained access to our source code management system (which uses Atlassian Bitbucket), and tried, unsuccessfully, to access a console server that had access to the data center that Cloudflare had not yet put into production in São Paulo, Brazil," said Cloudflare CEO Matthew Prince, CTO John Graham-Cumming, and CISO Grant Bourzikas.

To access its systems, the attackers used one access token and three service account credentials stolen during a previous compromise linked to Okta's breach from October 2023, which Cloudflare had failed to rotate (out of the thousands that were leaked during the Okta compromise).

Cloudflare detected the malicious activity on November 23, severed the hackers' access in the morning of November 24, and its cybersecurity forensics specialists began investigating the incident three days later, on November 26.

While addressing the incident, Cloudflare's staff rotated all production credentials (over 5,000 unique ones), physically segmented test and staging systems, performed forensic triage on 4,893 systems, and reimaged and rebooted all systems on the company's global network, including all Atlassian servers (Jira, Confluence, and Bitbucket) and machines accessed by the attacker.

The threat actors also tried hacking into Cloudflare's data center in São Paulo, which isn't yet used in production, but these attempts failed. All equipment in Cloudflare's Brazil data center was later returned to the manufacturers to ensure that the data center was 100% secure.

Remediation efforts ended almost one month ago, on January 5th, but the company says that its staff is still working on software hardening, as well as credential and vulnerability management.

The company says that this breach did not impact Cloudflare customer data or systems; its services, global network systems, and configuration were also unaffected.

"Even though we understand the operational impact of the incident to be extremely limited, we took this incident very seriously because a threat actor had used stolen credentials to get access to our Atlassian server and accessed some documentation and a limited amount of source code," said Prince, Graham-Cumming, and Bourzikas.

"Based on our collaboration with colleagues in the industry and government, we believe that this attack was performed by a nation state attacker with the goal of obtaining persistent and widespread access to Cloudflare's global network."

"Analyzing the wiki pages they accessed, bug database issues, and source code repositories, it appears they were looking for information about the architecture, security, and management of our global network; no doubt with an eye on gaining a deeper foothold."

On October 18, 2023, Cloudflare's Okta instance was breached using an authentication token stolen from Okta's support system. The hackers who breached Okta's customer support system also gained access to files belonging to 134 customers, including 1Password, BeyondTrust, and Cloudflare.

After the October 2023 incident, the company said that its Security Incident Response Team's quick response contained and minimized the impact on Cloudflare systems and data, and that "no Cloudflare customer information or systems were impacted."

Another attempt to breach Cloudflare's systems was blocked in August 2022 after attackers tried using employee credentials stolen in a phishing attack but failed because they didn't have access to the victims' company-issued FIDO2-compliant security keys.
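The failure mode in this incident was a handful of secrets that existed at the time of the Okta compromise and were never rotated afterwards. As an added example (not Cloudflare's own tooling), the following Python script shows the kind of inventory check that surfaces such secrets after a third-party breach; the inventory, credential names and dates are constructed for illustration, with only the October 18, 2023 compromise date taken from the article.

```python
# Post-incident credential audit (added example, not Cloudflare's code):
# list every secret that existed when a third party was compromised and has
# not been rotated since, then split them by whether they were used afterwards.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class Credential:
    name: str
    kind: str                        # "access_token" or "service_account"
    created: datetime                # when the secret was issued
    last_rotated: Optional[datetime] # None = never rotated since creation
    last_used: Optional[datetime]    # None = no recorded use


def utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# Compromise date from the article; the inventory below is constructed.
OKTA_BREACH = utc(2023, 10, 18)
INVENTORY = [
    Credential("atlassian-api-token", "access_token", utc(2023, 6, 1), None, utc(2023, 11, 22)),
    Credential("jira-svc", "service_account", utc(2023, 3, 10), None, utc(2023, 11, 14)),
    Credential("bitbucket-svc", "service_account", utc(2023, 2, 2), utc(2023, 10, 20), utc(2023, 11, 1)),
    Credential("ci-deploy-token", "access_token", utc(2023, 10, 25), None, None),
    Credential("legacy-backup-key", "service_account", utc(2022, 1, 1), None, utc(2023, 9, 1)),
]


def exposed_and_unrotated(inventory, compromise_at):
    """Secrets that already existed at compromise time and were not rotated after it."""
    stale = []
    for c in inventory:
        existed = c.created <= compromise_at
        rotated_after = c.last_rotated is not None and c.last_rotated > compromise_at
        if existed and not rotated_after:
            stale.append(c)
    return stale


def triage(inventory, compromise_at):
    """'investigate': stale secrets used after the compromise (possible attacker use);
    'rotate': stale secrets with no post-compromise use (rotate, lower urgency)."""
    stale = exposed_and_unrotated(inventory, compromise_at)
    used_after = sorted(c.name for c in stale if c.last_used and c.last_used > compromise_at)
    dormant = sorted(c.name for c in stale if c.name not in used_after)
    return {"investigate": used_after, "rotate": dormant}


if __name__ == "__main__":
    print(triage(INVENTORY, OKTA_BREACH))
```

A secret rotated after the compromise date drops out of both lists, which is why the audit keys on rotation time rather than on whether the secret was "known to be leaked".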
I am just a small guy using Cloudflare, but three out of my six websites were hacked. Since there's nobody to actually talk to at Cloudflare, I have taken them off their system.

It is the one joke that will one day cause a real disaster for the internet. Users will in the end be totally dependent on dilettantes who run the companies and cannot be reached when necessary.

There needs to be a law that requires every website and internet corporation that can be used to get direct contact. No one gives a s how much work that will be for the owners. They are making millions or billions, so let them employ workers to take care of this.

The bad news, of course, is that politicians are even more incompetent than your average programmer.

Allow me to introduce you to people you can talk to at Cloudflare. Did you even try to look? And even better, this is specifically the right people to talk to about your issue: https://www.cloudflare.com/under-attack-hotline/#:~:text=Cyber%20Emergency%20Hotline%3A%20%2B1%20866%2D325%2D4810&text=Cloudflare%20can%20protect%20you%20against,Application%2C%20Workforce%20and%20Infrastructure%20Attacks

Agreed, but hopefully things will get better with things like the recent US SEC policy, which forces any public company to report any breach to a public forum within x days. As per recent MS and HPE bs.