This is a story of a hack that begins in the multi-cloud world – particularly with respect to how authentication in the cloud today is facilitated by the use of tokens. That in itself is an interesting and valuable investigation. But thanks to the transparency of Cloudflare, there’s much more to be learned from the rest of the story, which details how attackers can leverage a chain of vulnerabilities to burrow into a target’s network and yet be ultimately blocked, thanks to an organization’s vigilance and prior assumption of compromise. This story is both a cautionary tale and one with a comparatively happy ending, along the lines of the Apollo 13 “successful failure”.
In this real training for free event, I will begin by reviewing the ubiquitous authentication constructs used to link clouds together:
- OpenID Connect
- OAuth 2.0
- JSON Web Tokens (JWTs)
Cloud authentication and authorization is a multi-party volley of token passing between clients, relying parties and providers, and I’ll explain the difference between:
- ID tokens
- Refresh tokens
- Access tokens
Then we will pivot from that background to the latest Cloudflare/Okta incident. Cloudflare is an Okta customer, and the story begins with a token stolen from Okta’s customer support system – from within files uploaded by a Cloudflare employee apparently pursuing a support case with Okta. The fact that these tokens are “bearer” tokens is the first important lesson. You may eliminate passwords with OpenID Connect and OAuth 2.0, but now you have to be very careful with tokens.
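To make the “bearer token” lesson concrete, here is an added example (not code from the session, from Cloudflare or from Okta) that mints and validates a small HS256 JSON Web Token, shows that the claims are readable by anyone holding the token and that the verifier has no way to tell who is presenting it, and finishes with a check a defender can run over a file before it is uploaded to a support portal. The key, claims, audience name and the heuristic for telling ID tokens from access tokens are all constructed assumptions; real deployments use asymmetric signatures and the provider’s published keys.

```python
import base64
import hashlib
import hmac
import json
import re
import time
from typing import Optional, Tuple

# Constructed demo secret; a real relying party verifies against the
# provider's published public keys rather than a shared secret.
DEMO_KEY = b"demo-shared-secret-not-real"

# JWTs are three base64url segments; '{"' encodes to "eyJ", which is why
# JWTs in logs and support uploads are easy to spot.
JWT_PATTERN = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_jwt(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build a compact HS256 JWT from a claims dict (constructed demo issuer)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(signature)}"


def decode_claims(token: str) -> dict:
    """Read the payload WITHOUT any key: whoever holds the token can do this."""
    _, payload, _ = token.split(".")
    return json.loads(b64url_decode(payload))


def validate(token: str, expected_aud: str, key: bytes = DEMO_KEY,
             now: Optional[float] = None) -> Tuple[bool, str]:
    """Verify signature, audience and expiry.

    Note what is NOT checked: the identity of the party presenting the token.
    A bearer token is accepted from anyone who can produce it, so lifetime
    and audience are the only limits this function can enforce.
    """
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return False, "malformed"
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # never trust alg from the token alone
        return False, "unexpected alg"
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        return False, "bad signature"
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("aud") != expected_aud:
        return False, "audience mismatch"
    if now >= claims.get("exp", 0):
        return False, "expired"
    return True, "ok"


def token_kind(claims: dict) -> str:
    """Heuristic (assumption, not a spec rule): OIDC ID tokens carry a nonce
    or at_hash and are addressed to the client; OAuth access tokens carry a
    scope and are addressed to a resource."""
    if "nonce" in claims or "at_hash" in claims:
        return "id_token"
    if "scope" in claims:
        return "access_token"
    return "unknown"


def redact_jwts(text: str) -> Tuple[str, int]:
    """Defender-side check: strip JWT-shaped strings from a file before it
    leaves the organization (for example, in a support ticket attachment)."""
    redacted, count = JWT_PATTERN.subn("[REDACTED-JWT]", text)
    return redacted, count


if __name__ == "__main__":
    tok = mint_jwt({"iss": "https://idp.example", "sub": "u1",
                    "aud": "support-portal", "iat": 0, "exp": 1000,
                    "scope": "files:read"})
    print(token_kind(decode_claims(tok)), validate(tok, "support-portal", now=500))
    har_snippet = f"Authorization: Bearer {tok}\n"   # constructed upload content
    print(redact_jwts(har_snippet))
```

The validator accepts the same token no matter which process or host calls it, which is exactly why a token that leaks through an uploaded file is as good as a password until it expires or is revoked; short `exp` values, strict `aud` checks and scrubbing uploads with something like `redact_jwts` are the defender-side controls this example illustrates.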
After that I’ll take you through the rest of what we know about how the attacker was able to access Cloudflare’s Atlassian environment in a complex attack chain that involves multiple MITRE ATT&CK tactics, including:
- Reconnaissance
- Initial Access
- Execution
- Persistence
- Credential Access
- Lateral Movement
- Collection
- Exfiltration
Cloudflare is courageous in how much information they shared – including their mistakes - but that courage serves to build confidence and protect their credibility. As you will see, the attackers got in – but they only got so far. And I’ll finish up by discussing the important role zero trust architecture and the hard authentication tokens (not to be confused with the web tokens above) played in limiting the scope and damage to Cloudflare. It’s important to note that Cloudflare reports no customer information was compromised in this attack.
LogRhythm is my sponsor for this real training for free session, and their threat research team actually suggested this topic. Many of you will remember awesome sessions in the past where Brian Coulson, Senior Threat Research Engineer at LogRhythm, joined me; this time he will be joined by Sally Vincent, Senior Threat Research Engineer at LogRhythm. They will pick up where I leave off by showing you how LogRhythm Axon, a cloud-native SIEM platform, can help you identify and threat hunt in a compromised environment, and by giving takeaway advice to avoid similar breaches in your own organization.
Please join us for this real training for free session.