URL: https://therecord.media/nation-state-actor-used-stolen-okta-credentials-to-target-cloudflare

Jonathan Greig
February 1st, 2024
 * Cybercrime News
 * Industry News
 * News
 * Technology News
 * Nation-state News



NATION-STATE ACTOR USED STOLEN OKTA CREDENTIALS IN THANKSGIVING ATTACK,
CLOUDFLARE SAYS

Senior executives at networking giant Cloudflare said a suspected nation-state
attacker used credentials stolen from Okta to breach the company’s systems in
late November.

In a blog post Thursday afternoon, Cloudflare CEO Matthew Prince and others said
the company detected on Thanksgiving Day a threat actor on its self-hosted
Atlassian server.

“Our security team immediately began an investigation, cut off the threat
actor’s access, and on Sunday, November 26, we brought in CrowdStrike’s Forensic
team to perform their own independent analysis,” Prince said.

The CrowdStrike investigation, which was completed Wednesday, found that the
threat actor did reconnaissance from November 14 to 17 and accessed several
internal systems, including their internal wiki and their bug database.

The hacker came back on November 20 and 21, gaining access to Cloudflare’s
source code management system.

The actor attempted to access other systems using access tokens and service
account credentials that were stolen during a widely publicized October breach
at Okta.

All of the hacker’s access to Cloudflare systems was shut off on November 24.

“Even though we understand the operational impact of the incident to be
extremely limited, we took this incident very seriously because a threat actor
had used stolen credentials to get access to our Atlassian server and accessed
some documentation and a limited amount of source code,” Prince wrote.

“Based on our collaboration with colleagues in the industry and government, we
believe that this attack was performed by a nation state attacker with the goal
of obtaining persistent and widespread access to Cloudflare’s global network.”

According to Prince, the company began a wide-ranging effort to ensure the
hackers did not have persistent access to any other systems. Cloudflare’s
investigation, as well as CrowdStrike’s, revealed that the hacker behind the
incident was likely “looking for information about the architecture, security,
and management” of Cloudflare’s global network.

Cloudflare rotated every production credential — about 5,000 of them — and
physically segmented test and staging systems in an effort to “prevent the
attacker from using the technical information about the operations of” their
network as a way to get back in.

The company also replaced hardware used in a data center in São Paulo that the
hacker tried to get into.

“This was a security incident involving a sophisticated actor, likely a
nation-state, who operated in a thoughtful and methodical manner. The efforts we
have taken ensure that the ongoing impact of the incident was limited and
that we are well-prepared to fend off any sophisticated attacks in the future,”
Prince added.

The incident revived Cloudflare’s stiff criticism of Okta over its October
incident, in which hackers “gained unauthorized access to files inside Okta’s
customer support system associated with 134 Okta customers.” In addition to
Cloudflare, security companies like 1Password and BeyondTrust were affected.

Okta is a major single sign-on provider that allows people to use one account to
log into multiple digital services.

Despite being told by multiple cybersecurity company customers that there was an
issue, Okta waited weeks before addressing the incident. After the attack was
uncovered, Cloudflare said Okta needed to “take any report of compromise
seriously and act immediately to limit damage.”

Cloudflare slammed Okta for allowing the hacker to stay in its systems from
October 2 to October 17 despite being notified by BeyondTrust. Cloudflare also
called for “timely, responsible disclosures” to customers after breaches are
identified.

At the time, Cloudflare published its own blog notifying customers that hackers
tried to attack their system on October 18 using an authentication token
compromised at Okta. An investigation found that no Cloudflare customer
information or systems were impacted.

“This is the second time Cloudflare has been impacted by a breach of Okta’s
systems. In March 2022, we blogged about our investigation on how a breach of
Okta affected Cloudflare. In that incident, we concluded that there was no
access from the threat actor to any of our systems or data – Cloudflare’s use of
hard keys for multi-factor authentication stopped this attack,” Cloudflare said
last October.

Okta eventually defended the delay in its discovery, attributing it to mistakes
made in identifying the hacker’s activities.


Tags
 * okta
 * Cloudflare
 * Data breach

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has
worked across the globe as a journalist since 2014. Before moving back to New
York City, he worked for news outlets in South Africa, Jordan and Cambodia. He
previously covered cybersecurity at ZDNet and TechRepublic.
© Copyright 2024 | The Record from Recorded Future News