Cloudflare-Atlassian Breach

On Thanksgiving Day, November 23, 2023, Cloudflare’s Atlassian systems were also compromised by a nation-state attack.

1. This breach, which started on November 15th, 2023, was made possible through the use of compromised credentials that had not been changed following a previous breach at Okta in October 2023. 
2. Attackers accessed Cloudflare’s internal wiki and bug database, enabling them to view 120 code repositories in Cloudflare’s Atlassian instance.
3. 76 source code repositories related to key operational technologies were potentially exfiltrated.
4. Cloudflare detected the threat actor on November 23 because the threat actor connected a Smartsheet service account to an admin group in Atlassian.

Threat Actors Increasingly Target SaaS

These breaches are part of a broader pattern of nation-state actors targeting SaaS service providers, including but not limited to espionage and intelligence gathering. Midnight Blizzard previously engaged in significant cyber operations including the 2021 SolarWinds attack. 

These incidents underscore the importance of continuous monitoring of your SaaS environments and the ongoing risk posed by sophisticated cyber adversaries targeting critical infrastructure and operational tech stack. They also highlight significant vulnerabilities related to SaaS identity management and the necessity for stringent 3rd-party app risk management practices.

Attackers use common tactics, techniques and procedures (TTPs) to breach SaaS providers through the following kill chain:

1. Initial access: Password spray, hijacking OAuth
2. Persistence: Impersonates admin, creates extra OAuth
3. Defense Evasion: Highly privileged OAuth, no MFA
4. Lateral Movement: Broader compromise of connected apps
5. Data Exfiltration: Grab privileged and sensitive data out of apps

Breaking the SaaS Kill Chain

One effective way to break the kill chain early is with continuous monitoring, granular policy enforcement, and proactive lifecycle management over your SaaS environments. A SaaS Security Posture Management (SSPM) platform like AppOmni can help with detecting and alerting on:

• Initial Access: Out-of-the-box rules to detect credential compromise including password spraying, brute force attacks and unenforced MFA policies
• Persistence: Scan and identify OAuth permissions and detect OAuth hijacking
• Defense Evasion: Access policy checks, detect if a new identity provider (IdP) is created, detect permission changes
• Lateral Movement: Monitor logins and privileged access, detect toxic combinations, and understand blast radius of a potentially compromised account