Yes, they aren’t perfect. They do some things that I disagree with.

But overall they prove themselves worthy of my trust, specifically because of the engineering mindset that the company shares, and how serious they take things like this.

Thank you for the blog post!

For a nation state actor, the easiest way to accomplish that is to send one of their loyal citizens to become an employee of the target company and then have the person send back "information about the architecture, security, and management" of the target company.

Fun (but possibly apocryphal) fact: more than a decade ago in a social gathering of SREs at Google, several admitted to being on the payroll of some national intelligence bureaus.

I'm curious if they're rethinking being on Okta.

Eh? So why weren't they revoked entirely? I'm sure something's just unsaid there, or lost in communication or something, but as written that doesn't really make sense to me?

> The threat actor also attempted to access a console server in our new, and not yet in production, data center in São Paulo. All attempts to gain access were unsuccessful. To ensure these systems are 100% secure, equipment in the Brazil data center was returned to the manufacturers. The manufacturers’ forensic teams examined all of our systems to ensure that no access or persistence was gained. Nothing was found, but we replaced the hardware anyway.

They didn't have to go this far. It would have been really easy not to. But they did and I think that's worthy of kudos.

In Atlassian's Confluence even the built-in Apache Lucene search engine can leak sensitive information and this kind of access (to the info by the attacker) can be very hard to track/identify. They don't have to open a Confluence page if the sensitive information is already shown on the search results page.

This odd to me - unused credentials should probably be deleted, not rotated.

But I think they should have put honeypots on them, and then waited to see what attackers did. Honeypots discourage the attackers from continuing for fear of being discovered too.

Am I missing something here?

There’s no machine cert used? AuthN tokens aren’t cryptographically bound?

This doesn’t meet my definition of ZT, it seems more like “we don’t have a VPN”

It also highlights the need for a faster move in the entire industry away from long-lived service account credentials (access tokens) and toward federated workload identity systems like OpenId connect in the software supply chain.

These tokens too often provide elevated privileges in devops tools while bypassing MFA, and in many cases are rotated yearly. Github [1], Gitlab, and AZDO now support OIDC, so update your service connections now!

Note: I’m not familiar with this incident and don’t know whether that is precisely what happened here or if OIdC would have prevented the attack.

Devsecops and Zero Trust are often-abused buzzwords, but the principles are mature and can significantly reduce blast radius.

[1] https://docs.github.com/en/actions/deployment/security-harde...

The very nature of Jira and Confluence (both terrible products, btw) is to collect documentation. I'm assuming it was an internal Jira/Confluence for engineering teams, but still. There have got to be addresses, passwords, service account info, all kinds of info. If it was a tech support server then it's impossible to assert that you didn't lose customer data.

So we have this double standard where you pay for this product that is designed to house your deepest secrets and most cherished organizational information, that's so important to you that you run on premises servers to keep it safe, but it's not important enough to constitute a real "beach".

You're lying. Either the server contained junk of no value in which case it wouldn't have existed in the first place, or you actually did lose something of value that you won't identify to us. Nobody sets up on-prem Jira just to leave it empty and never put secrets in it.

Viewing the HTML shows it's got an empty body tag, and a single script in the <head> with a URL of https://static.cloudflareinsights.com/beacon.min.js/v84a3a40...

The thoroughness is pretty amazing

Whenever some shitty Australian telco gets owned, people are angry and call them incompetent and idiots; it's nice to see Cloudflare gets owned in style with much more class and expertise.

Like the rest of the HN crowd, this incident has only increased my trust in Cloudflare.

Okta hitting everywhere

This seems incredibly wasteful.

Replacing an entire datacenter is effectively tossing tens of millions of dollars of compute hardware.

Why didn't they start this effort BEFORE there was an incident?

> we undertook a comprehensive effort to rotate every production credential (more than 5,000 individual credentials

Bearer credentials should already be rotated on a regular basis. Why did they wait until an incident to do this?

> To ensure these systems are 100% secure

Nothing is 100% secure. Not being to see and acknowledge that is a huge red flag.

> Nothing was found, but we replaced the hardware anyway.

Well that is just plain stupid and wasteful.

> We also looked for software packages that hadn’t been updated

Why weren't you looking for that prior to the incident?

> we were (for the second time) the victim of a compromise of Okta’s systems which resulted in a threat actor gaining access to a set of credentials.

And yet they continue using Okta. The jokes just write themselves.

> The one service token and three accounts were not rotated because mistakenly it was believed they were unused.

Wait, wait, wait. You KNEW the accounts with remote access to your systems were UNUSED and yet they continue to be active? Hahahahaha.

> The wiki searches and pages accessed suggest the threat actor was very interested in all aspects of access to our systems: password resets, remote access, configuration, our use of Salt, but they did not target customer data or customer configurations.

Totally makes sense, I'm sure the attacker was just a connoisseur of credentials and definitely did not want them to target customer data.

Since they didn’t really have reason to believe my data was accessed, maybe that’s ok. I know from firsthand experience how hard rotating all your credentials across the whole org is.

Blog: The threat actor (TA) accessed Okta’s customer support system and viewed files uploaded by Cloudflare (CF) as support cases.

Why was the session token part of the support files uploaded to Okta support? Does Okta require it for troubleshooting?

TA hijacked a session token of a CF employee from a support ticket.

Blog: Using the token extracted from Okta, the TA accessed Cloudflare’s Okta and compromised two separate Cloudflare employee accounts within the Okta platform.

How did this happen? Was the stolen token privileged? Also, why only 2 employee accounts? Were these different employees, or was one the same one whose token was compromised? What does Okta employee account compromise mean - did TA reset the password and MFA, and how or was there no MFA?

Blog: TA used stolen credentials to get access to our Atlassian server and accessed some documentation and a limited amount of source code.

Did the stolen employee credentials only have access to Atlassian?

Blog: TA gained access to a set of credentials

Does this mean multiple credentials got uploaded to the Okta support system?

Blog: The Okta compromise was in October, but the threat actor only began targeting CF systems using stolen credentials from the Okta compromise in mid-November.

Does this mean the compromised token was long-lived?

Blog: We failed to rotate one service token and three service accounts (out of thousands) of credentials that were leaked during the Okta compromise.

I didn’t get this. Does this mean that over time, CF employees had uploaded support info for 1000s of apps managed by Okta? Which credentials did CF rotate initially after the Okta compromise?

Leaked Credentials: 1. Moveworks service token that granted remote access into our Atlassian system.

Is this service token a bearer token? And without expiry. Is this like an API key?

TA accessed Atlassian Jira and Confluence using the Moveworks service token to authenticate through the gateway.

2. A service account used by the SaaS-based Smartsheet application that had administrative access to our Atlassian Jira instance,

So here, the Smartsheet Saas was given access to the on-prem Atlassian Jira instance? What kind of trust is it? Is this as well managed through Okta? And how does support case filing include a service account? Here, does the Service account mean again some kind of hardcoded API key without expiry

TA used the Smartsheet service account to gain access to the Atlassian suite. They used Smartsheet credentials to create an Atlassian account that looked like a normal Cloudflare user. They added this user to a number of groups within Atlassian so that they’d have persistent access to the Atlassian environment.

Since the Smartsheet service account had administrative access to Atlassian Jira, the TA was able to install the Sliver Adversary Emulation Framework, which is a widely used tool and framework that red teams and attackers use to enable “C2” (command and control), connectivity gaining persistent and stealthy access to a computer on which it is installed. Sliver was installed using the ScriptRunner for the Jira plugin. This allowed them continuous access to the Atlassian server, and they used this to attempt lateral movement. With this access, the Threat Actor attempted to gain access to a non-production console server in our São Paulo, Brazil data center due to a non-enforced ACL. The access was denied, and they could not access any global networks.

3. A Bitbucket service account, which was used to access our source code management system

4. AWS environment that had no access to the global network and no customer or sensitive data.

Were these AWS access keys? Also, it looks like these keys did provide access to the AWS account. That means the access key didn’t require MFA.

The only production system the TA could access using the stolen credentials was our Atlassian environment.

Mitigations:

Blog: We decided a huge effort was needed to further harden our security protocols to prevent the threat actor from being able to get that foothold had we overlooked something from our log files.

What does hardening security protocol mean here? Is it techniques for D&R or something else

Blog: We undertook a comprehensive effort to rotate every production credential (more than 5,000 individual credentials)

I believe this means forced resets on employees (Okta users), right?

> Over the next day, the threat actor viewed 120 code repositories (out of a total of 11,904 repositories

> They accessed 36 Jira tickets (out of a total of 2,059,357 tickets) and 202 wiki pages (out of a total of 14,099 pages).

Is it just me or 12K git repos and 2 million JIRA tickets sound like a crazy lot. 15K wiki pages is not that high though.

> Since the Smartsheet service account had administrative access to Atlassian Jira, the threat actor was able to install the Sliver Adversary Emulation Framework, which is a widely used tool and framework that red teams and attackers use to enable “C2” (command and control), connectivity gaining persistent and stealthy access to a computer on which it is installed. Sliver was installed using the ScriptRunner for Jira plugin.

> This allowed them continuous access to the Atlassian server, and they used this to attempt lateral movement. With this access the Threat Actor attempted to gain access to a non-production console server in our São Paulo, Brazil data center due to a non-enforced ACL.

Ouch. Full access to a server OS is always scary.