Cloudflare, a leading internet security company, revealed details of a sophisticated cyber attack that targeted its self-hosted Atlassian server on Thanksgiving Day, November 2023. A nation-state actor supposedly carried out the attack, using auth tokens from the Okta breach to target Confluence, Jira and Bitbucket systems.
The company’s security team detected the threat actor, initiated an investigation, and severed their access. The security team finished their examination on January 31, 2024.
The incident, labelled ‘Code Red’, was traced back to the compromise of Okta in October 2023. The threat actor used credentials stolen during the Okta compromise to gain access to Cloudflare’s internal wiki (Atlassian Confluence) and bug database (Atlassian Jira). The attack unfolded in meticulously orchestrated steps, highlighting a nation-state actor’s involvement.
Crucially, no sensitive data or systems were compromised as the company had robust access controls, firewall rules, and zero trust tools. The Zero Trust architecture prevented lateral movement by the threat actor, confining the incident’s impact to a limited scope.

The threat actor stole a service token and three service account credentials in the Okta breach. The actor exploited ScriptRunner for Jira to gain entry into Cloudflare’s source code management system (Atlassian Bitbucket) and attempted to access a console server in São Paulo, Brazil.
The compromise was attributed to the failure to rotate credentials after the Okta compromise.
According to Cloudflare, the cybersecurity researchers found no evidence suggesting a compromise of the global network, SSL keys, customer databases, or other critical infrastructure. The threat actor’s access was contained within the Atlassian suite and the server it operated on.
“This was a security incident involving a sophisticated actor, likely a nation-state, who operated in a thoughtful and methodical manner. The efforts we have taken ensure that the ongoing impact of the incident was limited and that we are well-prepared to fend off any sophisticated attacks in the future,” concluded Cloudflare’s researchers.
The Okta breach affected many companies, including Cloudflare and 1Password.
“This is not a new incident or disclosure on the part of Okta. On October 19th, we notified customers, shared guidance to rotate credentials, and provided indicators of compromise (IoCs) related to the October security incident. We can’t comment on our customers’ security remediations,” an Okta spokesperson told Candid.Technology.