Cloudflare Hacked By Suspected State-Sponsored Threat Actor

wiredmikey writes: Web security and CDN giant Cloudflare said it was hacked by a threat actor using stolen credentials to access internal systems, code repositories, along with an AWS environment, as well as Atlassian Jira and Confluence. The goal of the attack, Cloudflare says, was to obtain information on the company's infrastructure, likely to gain a deeper foothold.

According to Cloudflare, more than 5,000 individual production credentials were rotated following the incident, close to 5,000 systems were triaged, test and staging systems were physically segmented, and every machine within the Cloudflare global network was reimaged and rebooted.

Wow...

[Anonymous Coward]

"Hacked by Suspected State-Sponsored Threat Actor"

Does this actor get an Oscar or a Grammy?

Re:

[Z00L00K]

They'll get a Medal of the Order "For Merit to the Fatherland" 1st Class.

Success story?

[schneidafunk]

Maybe someone smarter than me can explain how they could have done better. Getting hacked is pretty much a "when" not "if" scenario, and it appears they had somewhat effective security playbooks limiting the attack. If they were aware of the OKTA attack, then there may have been an opportunity to reset any compromised tokens & passwords, but otherwise, it looks like their response was normal.

Re:Success story?

[sweintraub]

"The stolen login information, an access token and three service account credentials, were not rotated following the Okta incident"

Re:

[beheaderaswp]

Well the biggest problem at this point is lack of diversification. If millions of IT operations are going to use Cloudflare that's where all the attacks will be.

Extrapolate, consider, and come to your own conclusion.

What did you expect from Cloudflare?

[Somervillain]

Maybe someone smarter than me can explain how they could have done better. Getting hacked is pretty much a "when" not "if" scenario, and it appears they had somewhat effective security playbooks limiting the attack. If they were aware of the OKTA attack, then there may have been an opportunity to reset any compromised tokens & passwords, but otherwise, it looks like their response was normal.

Reasonable question: you can never prevent all attacks, but CloudFlare has a long history of having security as an afterthought and if you've ever dealt with them, you'd not be surprised that reckless and bad things happen. Their reputation is not very great and news articles like this reinforce that.

Out of date messages...

[dargaud]

Is that why for the past week or so I keep getting those useless messages in the current latest Firefox ?

Your browser is out of date! Update your browser to view this website correctly. More Information.

And that's for any sites that use Cloudflare. Just changing the user agent to anything else (or back) and refreshing will give me the wanted page, but it's a PITA.

Re:

[smooth wombat]

On one particular web site this week I received the message Cloudflare was running some type of security check to verify me. Which is completely bonkers since it's a public site I use on a daily basis and doesn't require any type of account to use.

It never did clear on the day I wanted to use the site, but was no longer present the next day and thereafter.

Re:

[Anonymous Coward]

On one particular web site this week I received the message Cloudflare was running some type of security check to verify me. Which is completely bonkers since it's a public site I use on a daily basis and doesn't require any type of account to use.

All connections entering the cloudflare network are checked against a trust score ranking, and handled with different limitations for negative scores.
It happens on the tcp/udp level.

It took them a couple days to restore the old scoring data.
Now you know what the experience is for people in IP blocks never seen by them before and ranked as an "unknown"

Re:

[awfgakgn]

Coudflare [sic] sells a zero trust security solution. Do they not even use it themselves?

Yep. if you'd actually read the article, you would've seen this paragraph: “Throughout this timeline, the threat actor tried to access a myriad of other systems at Cloudflare but failed because of our access controls, firewall rules, and use of hard security keys enforced using our own Zero Trust tools.”

Re:

[jddimarco]

From the article: “Throughout this timeline, the threat actor tried to access a myriad of other systems at Cloudflare but failed because of our access controls, firewall rules, and use of hard security keys enforced using our own Zero Trust tools,” the company says.

Re:

[ZipNada]

But clearly they did view "120 code repositories and downloaded 76 of them".

"The attackers used a Smartsheet service account to access Cloudflare’s Atlassian suite"

Re: Zero trust

[jerrylucky]

I love people who take the time to copy and paste specifics they half read while arguing about what happens in an article they donâ(TM)t bother to read. This is where you should tell your brain to calm down and realize you donâ(TM)t have to comment or have an opinion all the time. Especially if you havenâ(TM)t even read anything youâ(TM)re having an opinion on.

Re:

[ZipNada]

The attackers viewed "120 code repositories and downloaded 76 of them". Did you read that part?

Reimaged and Rebooted

[bill_mcgonigle]

What are people doing with UEFI rootkit infections? Reimage and reboot doesn't cut it.

I don't see why CloudFlare sent its Sao Paulo equipment back to the vendor.

Maybe that's why Merck tried to get its insurer to pay $1.4B to replace 40,000 devices?

Cloudflare the Solar Winds of TJ Maxx

[Virtucon]

Seriously, you're supposed to be "experts" at Web Security. Watch all the customers disappear faster than a Zeigried and Roy Tiger.