Cloudflare disclosed on 1 Feb that its internal Atlassian server was breached by a suspected ’nation state attacker’ who accessed its Confluence wiki, Jira bug database, and Bitbucket source code management system.
The threat actor first gained access to Cloudflare’s self-hosted Atlassian server on November 14 and then accessed the company’s Confluence and Jira systems following a reconnaissance stage.
“They then returned on November 22 and established persistent access to our Atlassian server using ScriptRunner for Jira, gained access to our source code management system (which uses Atlassian Bitbucket), and tried, unsuccessfully, to access a console server that had access to the data center that Cloudflare had not yet put into production in São Paulo, Brazil,
To access its systems, the attackers used one access token and three service account credentials stolen during a previous compromise linked to Okta’s breach from October 2023 that Cloudflare failed to rotate (out of thousands were leaked during the Okta compromise).
Remediation efforts ended almost one month ago, on January 5th, but the company says that its staff is still working on software hardening, as well as credential and vulnerability management.