Thanksgiving 2023 security incident

Thanksgiving 2023 security incident

Authors: Matthew Prince, John Graham-Cumming, Grant Bourzikas

Overview

On November 23, 2023, Cloudflare’s security team identified an unauthorized actor on their self-hosted Atlassian server. The company immediately launched an investigation, terminated the threat actor’s access, and engaged CrowdStrike for independent forensic analysis. Cloudflare emphasized that “no Cloudflare customer data or systems were impacted by this event.”

Initial Compromise and Access Pattern

The breach originated from credentials compromised during an October 2023 Okta security incident. Cloudflare failed to rotate one Moveworks service token and three service accounts from that earlier breach. The threat actor began reconnaissance on November 14, gaining access to Atlassian Jira and Confluence on November 15.

The attacker searched the wiki for terms including “remote access,” “secret,” and “token,” accessing 36 Jira tickets and 202 wiki pages while seeking information about network configuration and access controls.

Escalation and Persistence

On November 16, the threat actor created a fake Atlassian user account to maintain access. By November 22, they installed the Sliver Adversary Emulation Framework for command-and-control connectivity, enabling persistent system access.

The attacker downloaded 76 source code repositories related to backup systems, network configuration, identity management, remote access, Terraform, and Kubernetes. While unable to confirm exfiltration, Cloudflare treated them as compromised.

Detection and Response

Cloudflare’s security team detected suspicious activity at 16:00 on November 23 and deactivated the Smartsheet service account within 35 minutes. The threat actor’s user account was disabled 48 minutes later. All threat actor access terminated by November 24.

Remediation Efforts (“Code Red”)

Beginning November 27, Cloudflare launched a comprehensive “Code Red” operation involving significant technical staff:

  • Rotated over 5,000 production credentials
  • Performed forensic analysis on 4,893 systems
  • Reimaged and rebooted every machine globally
  • Returned São Paulo data center equipment to manufacturers for forensic examination
  • Searched for embedded secrets, unused accounts, and potential persistence mechanisms

The immediate effort concluded January 5, with ongoing security improvements continuing.

Attack Timeline

October 18: Okta compromise resulted in credential theft

November 14-17: Reconnaissance and initial system access

November 15: Successful authentication to Atlassian services

November 16: Threat actor created user account for persistence

November 20-21: Access testing indicating potential return

November 22: Installation of Sliver framework and attempted lateral movement

November 23: Detection and access termination begins

November 24: Complete threat actor removal confirmed

Threat Actor Assessment

Cloudflare concluded the attack “was performed by a nation state attacker with the goal of obtaining persistent and widespread access” to their global network infrastructure.

Indicators of Compromise

IndicatorTypeDescription
193.142.58[.]126IPv4Primary threat actor infrastructure (M247 Europe SRL, Bucharest)
198.244.174[.]214IPv4Sliver C2 server (OVH SAS, London)
idowall[.]comDomainInfrastructure serving Sliver payload
jvm-agentFilenameSliver payload (SHA256: bdd1a085d651082ad567b03e5186d1d46d822bb7794157ab8cce95d850a3caaf)

Key Conclusions

The Zero Trust architecture limited lateral movement despite initial system compromise. No evidence emerged of access to the global network, data centers, SSL keys, customer databases, Cloudflare Workers, AI models, or data storage systems including Workers KV, R2, or Quicksilver. The threat actor’s access remained restricted to the Atlassian environment and its server.