Cloudflare reports cyberattack attempt on its network
Cloudflare disclosed an attempted cyberattack on its network, attributing it to a nation-state actor that used access tokens and service account credentials stolen in the breach of Okta earlier in 2023. The attack, which took place in November 2023, aimed to establish "persistent and widespread access" to Cloudflare's global network, which as of mid-June 2023 interconnected over 12,000 networks across more than 300 cities.
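The security-relevant point here is that credentials exposed in a third-party breach remain usable until they are rotated. The following is an added example, not code from Cloudflare or from the original article: given a credential inventory and an audit log, it lists credentials issued before a compromise cut-off that were never rotated afterwards, and flags any use of those credentials after the cut-off. The cut-off date, credential names, resources and log lines are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Assumed cut-off: treat every credential issued before this instant as exposed
# until it has been rotated. The date is illustrative, not taken from any advisory.
COMPROMISE_CUTOFF = datetime(2023, 10, 20, tzinfo=timezone.utc)


@dataclass
class Credential:
    cred_id: str
    kind: str                      # "service_token" or "service_account"
    issued_at: datetime
    rotated_at: Optional[datetime]  # None if never rotated


def _utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed inventory (hypothetical names, not a real environment).
INVENTORY: List[Credential] = [
    Credential("tok-wiki-bot", "service_token", _utc(2023, 6, 1), None),
    Credential("svc-ci-runner", "service_account", _utc(2023, 8, 15), _utc(2023, 10, 25)),
    Credential("svc-bug-sync", "service_account", _utc(2023, 9, 1), None),
    Credential("tok-new-svc", "service_token", _utc(2023, 11, 1), None),
]

# Constructed audit log: "<ISO-8601 timestamp> <cred_id> <action> <resource>".
AUDIT_LOG = """
2023-10-01T12:00:00+00:00 tok-wiki-bot read wiki/onboarding
2023-11-14T09:12:00+00:00 tok-wiki-bot read wiki/network-architecture
2023-11-14T09:13:00+00:00 svc-ci-runner read repo/edge-config
2023-11-20T18:40:00+00:00 svc-bug-sync read bugdb/issue-search
2023-11-22T03:05:00+00:00 svc-bug-sync write atlassian/plugin-install
2023-11-23T08:00:00+00:00 tok-new-svc read wiki/onboarding
"""

Event = Tuple[datetime, str, str, str]


def stale_credentials(inventory: List[Credential], cutoff: datetime) -> List[Credential]:
    """Credentials that existed before the cut-off and have not been rotated since it.

    A rotation that happened before the cut-off does not help: the rotated
    value is what was exposed, so only a rotation at or after the cut-off clears it.
    """
    return [
        c for c in inventory
        if c.issued_at < cutoff and (c.rotated_at is None or c.rotated_at < cutoff)
    ]


def parse_log(text: str) -> List[Event]:
    """Parse the four-field audit format above into (timestamp, cred_id, action, resource)."""
    events: List[Event] = []
    for line in text.strip().splitlines():
        ts, cred_id, action, resource = line.split(maxsplit=3)
        events.append((datetime.fromisoformat(ts), cred_id, action, resource))
    return events


def suspicious_uses(inventory: List[Credential], log_text: str, cutoff: datetime) -> List[Event]:
    """Every post-cut-off use of a credential that should have been rotated and was not."""
    stale_ids = {c.cred_id for c in stale_credentials(inventory, cutoff)}
    return [
        ev for ev in parse_log(log_text)
        if ev[1] in stale_ids and ev[0] >= cutoff
    ]


if __name__ == "__main__":
    for c in stale_credentials(INVENTORY, COMPROMISE_CUTOFF):
        print(f"UNROTATED {c.kind} {c.cred_id} (issued {c.issued_at.date()})")
    for ts, cred_id, action, resource in suspicious_uses(INVENTORY, AUDIT_LOG, COMPROMISE_CUTOFF):
        print(f"FLAG {ts.isoformat()} {cred_id} {action} {resource}")
```

The first function is the preventive check to run the day a vendor breach is announced; the second is the retrospective one to run over historical logs once you discover a credential slipped through. Note that a pre-cut-off use of a stale credential (the October line for tok-wiki-bot) is not flagged, since only activity after the exposure is evidence of misuse.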
Despite the attacker's efforts, Cloudflare says no customer data or systems were affected. The company credits this to its strict access controls, firewall rules, and enforcement of zero-trust tooling, which limited the attacker's ability to move laterally within the network.
The reconnaissance phase of the attack involved accessing Cloudflare's internal wiki and bug database between November 14 and 17, with additional access detected on November 20 and 21. The attacker managed to obtain "persistent access" to Cloudflare's Atlassian server by November 22 and attempted to infiltrate a console server linked to a Cloudflare data center in Brazil that was not yet operational.
Cloudflare's response led to the removal of the threat actor from their systems by November 24. Following the incident, Cloudflare initiated "Code Red," a project aimed at delving deeper into the attack's mechanisms and bolstering defenses against future intrusion attempts. The company's investigation into the accessed wiki pages, bug database issues, and source code repositories suggested the attacker's interest lay in understanding Cloudflare's network architecture, security, and management, presumably to find a way to gain a more substantial foothold.
Cloudflare has committed to a broader hardening effort, including checking for any foothold the attacker may have gained that its logs did not capture, to prevent similar intrusions in the future.