Cloudflare Breach: Nation-State Hackers Gained Access to Source Code and Internal Documents

admin, 3 February 2024, 11:55:39

Cloudflare has revealed that it was the target of a likely nation-state attack in which the threat actor leveraged stolen credentials to gain unauthorized access to its Atlassian server and ultimately access some documentation and a limited amount of source code.

The intrusion, which took place between November 14 and 24, 2023, and was detected on November 23, was carried out "with the goal of obtaining persistent and widespread access to Cloudflare's global network," the web infrastructure company said, describing the actor as "sophisticated" and one who "operated in a thoughtful and methodical manner."

As a precautionary measure, the company further said it rotated more than 5,000 production credentials, physically segmented test and staging systems, carried out forensic triage on 4,893 systems, and reimaged and rebooted every machine across its global network.

The incident involved a four-day reconnaissance period to access Atlassian Confluence and Jira portals, following which the adversary created a rogue Atlassian user account and established persistent access to its Atlassian server to ultimately obtain access to the Bitbucket source code management system by means of the Sliver adversary simulation framework.

As many as 120 code repositories were viewed, out of which 76 are estimated to have been exfiltrated by the attacker.

"The 76 source code repositories were almost all related to how backups work, how the global network is configured and managed, how identity works at Cloudflare, remote access, and our use of Terraform and Kubernetes," Cloudflare said.

"A small number of the repositories contained encrypted secrets which were rotated immediately even though they were strongly encrypted themselves."

The threat actor is then said to have unsuccessfully attempted to "access a console server that had access to the data center that Cloudflare had not yet put into production in São Paulo, Brazil."

The attack was made possible by using one access token and three service account credentials associated with Amazon Web Services (AWS), Atlassian Bitbucket, Moveworks, and Smartsheet that were stolen following the October 2023 hack of Okta's support case management system.

Cloudflare acknowledged that it had failed to rotate these credentials, mistakenly assuming they were unused.

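The lesson above, that a credential exposed in an upstream breach must be rotated even when it appears unused, can be turned into a simple post-breach audit. The following is an added example written for this article, not Cloudflare's tooling; the credential names, the breach date and the exposure mapping are constructed placeholders (the article only says "October 2023").

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Credential:
    name: str
    provider: str               # system the credential authenticates to
    last_rotated: date
    last_used: Optional[date]   # None = no recorded use at all

# Constructed: disclosure date of an upstream breach, keyed by the breached system.
# Placeholder date; the article gives only "October 2023" for the Okta incident.
UPSTREAM_BREACHES: Dict[str, date] = {"okta-support": date(2023, 10, 1)}

# Constructed: which of our credentials were ever handed to the breached system
# (for example inside support-case attachments). Names are hypothetical.
EXPOSED_VIA: Dict[str, str] = {
    "aws-backup-token": "okta-support",
    "bitbucket-svc": "okta-support",
    "moveworks-svc": "okta-support",
    "smartsheet-svc": "okta-support",
}

def needs_rotation(cred: Credential) -> Optional[str]:
    """Return a reason if the credential must be rotated, else None.
    'Unused' is deliberately NOT treated as 'safe': the only question is
    whether the credential was rotated after the breach that exposed it."""
    source = EXPOSED_VIA.get(cred.name)
    if source is None or source not in UPSTREAM_BREACHES:
        return None
    breach_date = UPSTREAM_BREACHES[source]
    if cred.last_rotated > breach_date:
        return None
    usage = "no recorded use" if cred.last_used is None else f"last used {cred.last_used}"
    return f"exposed via {source} breach on {breach_date}; not rotated since ({usage})"

def audit(creds: List[Credential]) -> Dict[str, str]:
    """Map every credential that still needs rotation to the reason."""
    return {c.name: r for c in creds if (r := needs_rotation(c)) is not None}

def sample_credentials() -> List[Credential]:
    # Constructed inventory: two exposed and stale, two exposed but already
    # rotated, one never exposed. Dates are illustrative only.
    return [
        Credential("aws-backup-token", "aws", date(2023, 6, 1), None),
        Credential("bitbucket-svc", "bitbucket", date(2023, 11, 2), date(2023, 9, 1)),
        Credential("moveworks-svc", "moveworks", date(2023, 10, 5), None),
        Credential("smartsheet-svc", "smartsheet", date(2023, 1, 15), date(2023, 9, 30)),
        Credential("internal-db-svc", "postgres", date(2022, 1, 1), None),
    ]
```

Running `audit(sample_credentials())` flags the AWS token despite its lack of recorded use, which is exactly the assumption that went wrong in the incident.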
The company also said it took steps to terminate all malicious connections originating from the threat actor on November 24, 2023. It also involved cybersecurity firm CrowdStrike to perform an independent assessment of the incident.

"The only production systems the threat actor could access using the stolen credentials was our Atlassian environment. Analyzing the wiki pages they accessed, bug database issues, and source code repositories, it appears they were looking for information about the architecture, security, and management of our global network," Cloudflare said.

Originally published on the WeChat public account 知机安全: Cloudflare Breach: Nation-State Hackers Gained Access to Source Code and Internal Documents

Source: http://cn-sec.com/archives/2465298.html