Cloudflare detected a threat actor on its self-hosted Atlassian server during Thanksgiving 2023 and began an investigation, later engaging CrowdStrike for forensic analysis. The incident involved stolen credentials from an Okta compromise used to access Jira/Confluence/Bitbucket, but with no customer data or systems affected; Cloudflare undertook a broad credential rotation and hardening effort to prevent future access.
#Okta #Sliver #ScriptRunner #Jira #Confluence #Bitbucket #Atlassian
Key points
- Threat actor accessed Cloudflare’s Atlassian environment (Confluence, Jira, Bitbucket) using stolen credentials tied to an Okta compromise.
- No Cloudflare customer data or global network systems were affected thanks to access controls, firewall rules, and Zero Trust protections.
- The attacker conducted reconnaissance, then gained persistent access via Atlassian tools, including ScriptRunner for Jira.
- A new Atlassian user account was created by the attacker to maintain ongoing access.
- The Sliver adversary emulation framework was installed through ScriptRunner for Jira to provide command-and-control and persistent access.
- Cloudflare undertook an extensive remediation effort (Code Red), including credential rotation (>5,000 credentials), system reimages, and credential hardening across the environment.
- CrowdStrike independently validated the investigation and helped confirm the scope of access and remediation.
MITRE Techniques
- [T1078] Valid Accounts – Access to Atlassian Jira/Confluence/Bitbucket using stolen credentials. Quote: “The attack started in October with the compromise of Okta, but the threat actor only began targeting our systems using those credentials from the Okta compromise in mid-November.”
- [T1136] Create Account – Attacker created an Atlassian user account to maintain persistent access. Quote: “The threat actor used the Smartsheet service account to gain access to the Atlassian suite. The threat actor created an Atlassian user account that looked like a normal Cloudflare user.”
- [T1059] Command and Scripting Interpreter – Sliver was installed and used via the ScriptRunner for Jira plugin to enable C2/persistence. Quote: “Sliver was installed using the ScriptRunner for Jira plugin.”
- [T1021] Lateral Movement – Attempted to move laterally to a non-production console server in the São Paulo data center. Quote: “With this access the Threat Actor attempted to gain access to a non-production console server in our São Paulo, Brazil data center.”
- [T1041] Exfiltration – Significant code repositories were accessed/downloaded; treated as exfiltrated. Quote: “the threat actor viewed 120 code repositories… 76 source code repositories were downloaded to the Atlassian server, and even though we were not able to confirm whether or not they had been exfiltrated, we decided to treat them as having been exfiltrated.”
Indicators of Compromise
- [IPv4] 193.142.58[.]126 – Primary threat actor infrastructure, owned by M247 Europe SRL (Bucharest, Romania)
- [IPv4] 198.244.174[.]214 – Sliver C2 server, owned by OVH SAS (London, England)
- [Domain] idowall[.]com – Infrastructure serving Sliver payload
- [Filename] jvm-agent – Sliver payload; MD5 hashes bdd1a085d651082ad567b03e5186d1d4 and 6d822bb7794157ab8cce95d850a3caaf
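The indicators above are published in defanged form, so a first practical step for a defender is to refang them and sweep existing logs and file inventories for matches. The following is an added example, not code from Cloudflare or CrowdStrike: it carries the page's IPs, domain and jvm-agent hashes, and runs them over a handful of constructed proxy/DNS/firewall log lines and a constructed file inventory. Hostnames, timestamps, private source addresses and the file paths are all made up for the example; only the indicators come from the page.

```python
import re

# Indicators exactly as listed on the page (defanged). Everything else in this
# file is constructed sample data for the example.
IOC_IPS = ["193.142.58[.]126", "198.244.174[.]214"]
IOC_DOMAINS = ["idowall[.]com"]
IOC_MD5 = {
    "bdd1a085d651082ad567b03e5186d1d4",
    "6d822bb7794157ab8cce95d850a3caaf",
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator (193.142.58[.]126, hxxp://) back into a matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def _build_pattern(indicators):
    # Boundaries exclude word characters, dots and hyphens on both sides, so
    # 193.142.58.126 does not fire on 193.142.58.1260 or on a longer hostname.
    alts = "|".join(re.escape(refang(i)) for i in indicators)
    return re.compile(rf"(?<![\w.-])(?:{alts})(?![\w.-])", re.IGNORECASE)


IP_PATTERN = _build_pattern(IOC_IPS)
DOMAIN_PATTERN = _build_pattern(IOC_DOMAINS)


def scan_log_lines(lines):
    """Return (line_number, indicator_type, indicator) for every IoC hit, in line order."""
    hits = []
    for number, line in enumerate(lines, 1):
        for match in IP_PATTERN.finditer(line):
            hits.append((number, "ip", match.group(0)))
        for match in DOMAIN_PATTERN.finditer(line):
            hits.append((number, "domain", match.group(0).lower()))
    return hits


def check_file_hashes(inventory):
    """inventory maps path -> hex digest. Return the paths whose digest is a known payload hash."""
    return sorted(path for path, digest in inventory.items() if digest.lower() in IOC_MD5)


# Constructed log lines: two true hits, one near-miss (different IP), one benign line.
SAMPLE_LOGS = [
    "2023-11-22T03:14:07Z proxy allow src=10.1.4.9 dst=193.142.58.126 dport=443 sni=idowall.com",
    "2023-11-22T03:14:09Z dns query host=jira01 qname=IDOWALL.COM type=A",
    "2023-11-22T03:15:00Z proxy allow src=10.1.4.9 dst=193.142.58.1260 dport=80",
    "2023-11-23T18:02:41Z fw allow src=10.1.4.9 dst=198.244.174.214 dport=443",
    "2023-11-23T18:05:00Z proxy allow src=10.1.4.10 dst=203.0.113.5 dport=443 sni=example.com",
]

# Constructed file inventory (paths are hypothetical); the first digest is the page's jvm-agent hash.
SAMPLE_INVENTORY = {
    "/opt/atlassian/jira/tmp/jvm-agent": "bdd1a085d651082ad567b03e5186d1d4",
    "/usr/bin/java": "0123456789abcdef0123456789abcdef",
}

if __name__ == "__main__":
    for hit in scan_log_lines(SAMPLE_LOGS):
        print(hit)
    print(check_file_hashes(SAMPLE_INVENTORY))
```

Domain hits are lower-cased so DNS logs that preserve query case still match, and the boundary lookarounds keep a partial-octet overlap (line 3) from producing a false positive. In practice the same functions would be fed from a log pipeline or EDR file inventory rather than the inline samples.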
Read more: https://blog.cloudflare.com/thanksgiving-2023-security-incident