Cloudflare sheds more light on Thanksgiving security breach in which tokens, source code accessed by suspected spies
2024-02-02 01:12

Cloudflare has just detailed how suspected government spies gained access to its internal Atlassian installation using credentials stolen via a security breach at Okta in October.

The October Okta security breach involved more than 130 customers of that IT access management biz: snoops swiped data from Okta in the hope of drilling further into those organizations.

Cloudflare acknowledged in October it was caught up in Okta's latest security meltdown, and is now disclosing more details about what happened.

"The second credential was a service account used by the SaaS-based Smartsheet application that had administrative access to our Atlassian Jira instance, the third account was a Bitbucket service account which was used to access our source code management system, and the fourth was an AWS environment that had no access to the global network and no customer or sensitive data."

Having administrative access to Jira via the Smartsheet service, the snoops were able to install the Sliver Adversary Emulation Framework, a common tool for command-and-control connectivity and backdoor access.

"Even though we understand the operational impact of the incident to be extremely limited, we took this incident very seriously because a threat actor had used stolen credentials to get access to our Atlassian server and accessed some documentation and a limited amount of source code," said Prince et al.


News URL

https://go.theregister.com/feed/www.theregister.com/2024/02/02/cloudflare_okta_atlassian/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Cloudflare 18 1 20 19 3 43