Among the many stolen credentials was a Moveworks service token that granted remote access to Atlassian systems. Other compromises included a Smartsheet account with administrative access to the Atlassian Jira instance, a Bitbucket service account with access to the Cloudflare source code management system, and an AWS environment with “no access to the global network and no customer or sensitive data.”
“From November 14 to 17, the threat actor did reconnaissance and then accessed our internal wiki (which uses Atlassian Confluence) and our bug database (Atlassian Jira),” Cloudflare added. “They then returned on November 22 and established persistent access to our Atlassian server using ScriptRunner for Jira, gained access to our source code management system (which uses Atlassian Bitbucket), and tried, unsuccessfully, to access a console server that had access to the data center that Cloudflare had not yet put into production in São Paulo, Brazil.”
The company added that the incident was not an error on the part of Atlassian, AWS, Moveworks, or Smartsheet, and occurred because it didn’t rotate the stolen credentials, assuming they were unused.
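The root cause above is a credential that was assumed unused and therefore never rotated. The following added example (not from the article or from Cloudflare) shows a post-exposure rotation audit that flags every exposed credential not rotated after the compromise date, regardless of whether it shows any recent use; the inventory entries, names and dates are constructed assumptions.

```python
from datetime import datetime, timezone

UTC = timezone.utc
# Constructed inventory modelled on the credential types the article names;
# names, dates and fields are assumptions, not Cloudflare's data.
COMPROMISE_AT = datetime(2023, 11, 1, tzinfo=UTC)  # assumed exposure date
INVENTORY = [
    {"name": "moveworks-atlassian-token", "last_used": None,
     "rotated_at": None},                              # believed unused, never rotated
    {"name": "smartsheet-jira-admin", "last_used": datetime(2023, 9, 3, tzinfo=UTC),
     "rotated_at": datetime(2023, 10, 20, tzinfo=UTC)},  # rotated, but before exposure
    {"name": "bitbucket-service-account", "last_used": datetime(2023, 10, 30, tzinfo=UTC),
     "rotated_at": datetime(2023, 11, 2, tzinfo=UTC)},   # rotated after exposure: done
    {"name": "aws-env-key", "last_used": None,
     "rotated_at": datetime(2023, 11, 5, tzinfo=UTC)},   # unused but rotated anyway: done
]


def needs_rotation(cred, compromise_at):
    """Return why the credential must still be rotated, or None if it is done.

    last_used is deliberately not a factor: a credential that looks unused is
    exactly the one that gets skipped and later abused.
    """
    rotated_at = cred.get("rotated_at")
    if rotated_at is None:
        reason = "never rotated after exposure"
    elif rotated_at <= compromise_at:
        reason = "rotated before exposure, so the stolen copy is still valid"
    else:
        return None
    if cred.get("last_used") is None:
        reason += " (no recorded use; assumed-unused is not a reason to skip)"
    return reason


def rotation_backlog(inventory, compromise_at):
    """Return (name, reason) for every credential still requiring rotation."""
    return [(c["name"], needs_rotation(c, compromise_at))
            for c in inventory if needs_rotation(c, compromise_at)]


if __name__ == "__main__":
    for name, reason in rotation_backlog(INVENTORY, COMPROMISE_AT):
        print(f"ROTATE {name}: {reason}")
```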
Cloudflare said it was able to fully contain and remove the infection owing to its adoption of a zero-trust architecture.
“Because of our access controls, firewall rules, and use of hard security keys enforced using our own Zero Trust tools, the threat actor’s ability to move laterally was limited,” the company said. “No services were implicated, and no changes were made to our global network systems or configuration.”
Acknowledging that the attack was aimed at establishing persistence, and concerned that some persistence might have been overlooked, Cloudflare undertook a comprehensive remediation effort along with additional proactive steps against future attacks.