Anatomy of a Cloud Hack: The Cloudflare/Okta Compromise – A Story of Tokens, Lateral Movement, Persistence and the Salvation of Zero Trust and Hard MFA Tokens

5/16/2024 12:00:00 PM [(UTC-05:00) Eastern Time (US & Canada)] - Can't make the live event? Register anyway to receive a link to the recording.

Show/Hide All Time Zones

All Time Zones

Dateline Standard Time-(UTC-12:00) International Date Line West 5/16/2024 4:00:00 AM
UTC-11-(UTC-11:00) Coordinated Universal Time-11 5/16/2024 5:00:00 AM
Aleutian Standard Time-(UTC-10:00) Aleutian Islands 5/16/2024 7:00:00 AM
Hawaiian Standard Time-(UTC-10:00) Hawaii 5/16/2024 6:00:00 AM
Marquesas Standard Time-(UTC-09:30) Marquesas Islands 5/16/2024 6:30:00 AM
Alaskan Standard Time-(UTC-09:00) Alaska 5/16/2024 8:00:00 AM
UTC-09-(UTC-09:00) Coordinated Universal Time-09 5/16/2024 7:00:00 AM
Pacific Standard Time (Mexico)-(UTC-08:00) Baja California 5/16/2024 9:00:00 AM
UTC-08-(UTC-08:00) Coordinated Universal Time-08 5/16/2024 8:00:00 AM
Pacific Standard Time-(UTC-08:00) Pacific Time (US & Canada) 5/16/2024 9:00:00 AM
US Mountain Standard Time-(UTC-07:00) Arizona 5/16/2024 9:00:00 AM
Mountain Standard Time (Mexico)-(UTC-07:00) La Paz, Mazatlan 5/16/2024 9:00:00 AM
Mountain Standard Time-(UTC-07:00) Mountain Time (US & Canada) 5/16/2024 10:00:00 AM
Yukon Standard Time-(UTC-07:00) Yukon 5/16/2024 9:00:00 AM
Central America Standard Time-(UTC-06:00) Central America 5/16/2024 10:00:00 AM
Central Standard Time-(UTC-06:00) Central Time (US & Canada) 5/16/2024 11:00:00 AM
Easter Island Standard Time-(UTC-06:00) Easter Island 5/16/2024 10:00:00 AM
Central Standard Time (Mexico)-(UTC-06:00) Guadalajara, Mexico City, Monterrey 5/16/2024 10:00:00 AM
Canada Central Standard Time-(UTC-06:00) Saskatchewan 5/16/2024 10:00:00 AM
SA Pacific Standard Time-(UTC-05:00) Bogota, Lima, Quito, Rio Branco 5/16/2024 11:00:00 AM
Eastern Standard Time (Mexico)-(UTC-05:00) Chetumal 5/16/2024 11:00:00 AM
Eastern Standard Time-(UTC-05:00) Eastern Time (US & Canada) 5/16/2024 12:00:00 PM
Haiti Standard Time-(UTC-05:00) Haiti 5/16/2024 12:00:00 PM
Cuba Standard Time-(UTC-05:00) Havana 5/16/2024 12:00:00 PM
US Eastern Standard Time-(UTC-05:00) Indiana (East) 5/16/2024 12:00:00 PM
Turks And Caicos Standard Time-(UTC-05:00) Turks and Caicos 5/16/2024 12:00:00 PM
Paraguay Standard Time-(UTC-04:00) Asuncion 5/16/2024 12:00:00 PM
Atlantic Standard Time-(UTC-04:00) Atlantic Time (Canada) 5/16/2024 1:00:00 PM
Venezuela Standard Time-(UTC-04:00) Caracas 5/16/2024 12:00:00 PM
Central Brazilian Standard Time-(UTC-04:00) Cuiaba 5/16/2024 12:00:00 PM
SA Western Standard Time-(UTC-04:00) Georgetown, La Paz, Manaus, San Juan 5/16/2024 12:00:00 PM
Pacific SA Standard Time-(UTC-04:00) Santiago 5/16/2024 12:00:00 PM
Newfoundland Standard Time-(UTC-03:30) Newfoundland 5/16/2024 1:30:00 PM
Tocantins Standard Time-(UTC-03:00) Araguaina 5/16/2024 1:00:00 PM
E. South America Standard Time-(UTC-03:00) Brasilia 5/16/2024 1:00:00 PM
SA Eastern Standard Time-(UTC-03:00) Cayenne, Fortaleza 5/16/2024 1:00:00 PM
Argentina Standard Time-(UTC-03:00) City of Buenos Aires 5/16/2024 1:00:00 PM
Montevideo Standard Time-(UTC-03:00) Montevideo 5/16/2024 1:00:00 PM
Magallanes Standard Time-(UTC-03:00) Punta Arenas 5/16/2024 1:00:00 PM
Saint Pierre Standard Time-(UTC-03:00) Saint Pierre and Miquelon 5/16/2024 2:00:00 PM
Bahia Standard Time-(UTC-03:00) Salvador 5/16/2024 1:00:00 PM
UTC-02-(UTC-02:00) Coordinated Universal Time-02 5/16/2024 2:00:00 PM
Greenland Standard Time-(UTC-02:00) Greenland 5/16/2024 3:00:00 PM
Mid-Atlantic Standard Time-(UTC-02:00) Mid-Atlantic - Old 5/16/2024 3:00:00 PM
Azores Standard Time-(UTC-01:00) Azores 5/16/2024 4:00:00 PM
Cape Verde Standard Time-(UTC-01:00) Cabo Verde Is. 5/16/2024 3:00:00 PM
UTC-(UTC) Coordinated Universal Time 5/16/2024 4:00:00 PM
GMT Standard Time-(UTC+00:00) Dublin, Edinburgh, Lisbon, London 5/16/2024 5:00:00 PM
Greenwich Standard Time-(UTC+00:00) Monrovia, Reykjavik 5/16/2024 4:00:00 PM
Sao Tome Standard Time-(UTC+00:00) Sao Tome 5/16/2024 4:00:00 PM
Morocco Standard Time-(UTC+01:00) Casablanca 5/16/2024 5:00:00 PM
W. Europe Standard Time-(UTC+01:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna 5/16/2024 6:00:00 PM
Central Europe Standard Time-(UTC+01:00) Belgrade, Bratislava, Budapest, Ljubljana, Prague 5/16/2024 6:00:00 PM
Romance Standard Time-(UTC+01:00) Brussels, Copenhagen, Madrid, Paris 5/16/2024 6:00:00 PM
Central European Standard Time-(UTC+01:00) Sarajevo, Skopje, Warsaw, Zagreb 5/16/2024 6:00:00 PM
W. Central Africa Standard Time-(UTC+01:00) West Central Africa 5/16/2024 5:00:00 PM
GTB Standard Time-(UTC+02:00) Athens, Bucharest 5/16/2024 7:00:00 PM
Middle East Standard Time-(UTC+02:00) Beirut 5/16/2024 7:00:00 PM
Egypt Standard Time-(UTC+02:00) Cairo 5/16/2024 7:00:00 PM
E. Europe Standard Time-(UTC+02:00) Chisinau 5/16/2024 7:00:00 PM
West Bank Standard Time-(UTC+02:00) Gaza, Hebron 5/16/2024 7:00:00 PM
South Africa Standard Time-(UTC+02:00) Harare, Pretoria 5/16/2024 6:00:00 PM
FLE Standard Time-(UTC+02:00) Helsinki, Kyiv, Riga, Sofia, Tallinn, Vilnius 5/16/2024 7:00:00 PM
Israel Standard Time-(UTC+02:00) Jerusalem 5/16/2024 7:00:00 PM
South Sudan Standard Time-(UTC+02:00) Juba 5/16/2024 6:00:00 PM
Kaliningrad Standard Time-(UTC+02:00) Kaliningrad 5/16/2024 6:00:00 PM
Sudan Standard Time-(UTC+02:00) Khartoum 5/16/2024 6:00:00 PM
Libya Standard Time-(UTC+02:00) Tripoli 5/16/2024 6:00:00 PM
Namibia Standard Time-(UTC+02:00) Windhoek 5/16/2024 6:00:00 PM
Jordan Standard Time-(UTC+03:00) Amman 5/16/2024 7:00:00 PM
Arabic Standard Time-(UTC+03:00) Baghdad 5/16/2024 7:00:00 PM
Syria Standard Time-(UTC+03:00) Damascus 5/16/2024 7:00:00 PM
Turkey Standard Time-(UTC+03:00) Istanbul 5/16/2024 7:00:00 PM
Arab Standard Time-(UTC+03:00) Kuwait, Riyadh 5/16/2024 7:00:00 PM
Belarus Standard Time-(UTC+03:00) Minsk 5/16/2024 7:00:00 PM
Russian Standard Time-(UTC+03:00) Moscow, St. Petersburg 5/16/2024 7:00:00 PM
E. Africa Standard Time-(UTC+03:00) Nairobi 5/16/2024 7:00:00 PM
Volgograd Standard Time-(UTC+03:00) Volgograd 5/16/2024 7:00:00 PM
Iran Standard Time-(UTC+03:30) Tehran 5/16/2024 7:30:00 PM
Arabian Standard Time-(UTC+04:00) Abu Dhabi, Muscat 5/16/2024 8:00:00 PM
Astrakhan Standard Time-(UTC+04:00) Astrakhan, Ulyanovsk 5/16/2024 8:00:00 PM
Azerbaijan Standard Time-(UTC+04:00) Baku 5/16/2024 8:00:00 PM
Russia Time Zone 3-(UTC+04:00) Izhevsk, Samara 5/16/2024 8:00:00 PM
Mauritius Standard Time-(UTC+04:00) Port Louis 5/16/2024 8:00:00 PM
Saratov Standard Time-(UTC+04:00) Saratov 5/16/2024 8:00:00 PM
Georgian Standard Time-(UTC+04:00) Tbilisi 5/16/2024 8:00:00 PM
Caucasus Standard Time-(UTC+04:00) Yerevan 5/16/2024 8:00:00 PM
Afghanistan Standard Time-(UTC+04:30) Kabul 5/16/2024 8:30:00 PM
West Asia Standard Time-(UTC+05:00) Ashgabat, Tashkent 5/16/2024 9:00:00 PM
Qyzylorda Standard Time-(UTC+05:00) Astana 5/16/2024 9:00:00 PM
Ekaterinburg Standard Time-(UTC+05:00) Ekaterinburg 5/16/2024 9:00:00 PM
Pakistan Standard Time-(UTC+05:00) Islamabad, Karachi 5/16/2024 9:00:00 PM
India Standard Time-(UTC+05:30) Chennai, Kolkata, Mumbai, New Delhi 5/16/2024 9:30:00 PM
Sri Lanka Standard Time-(UTC+05:30) Sri Jayawardenepura 5/16/2024 9:30:00 PM
Nepal Standard Time-(UTC+05:45) Kathmandu 5/16/2024 9:45:00 PM
Central Asia Standard Time-(UTC+06:00) Bishkek 5/16/2024 10:00:00 PM
Bangladesh Standard Time-(UTC+06:00) Dhaka 5/16/2024 10:00:00 PM
Omsk Standard Time-(UTC+06:00) Omsk 5/16/2024 10:00:00 PM
Myanmar Standard Time-(UTC+06:30) Yangon (Rangoon) 5/16/2024 10:30:00 PM
SE Asia Standard Time-(UTC+07:00) Bangkok, Hanoi, Jakarta 5/16/2024 11:00:00 PM
Altai Standard Time-(UTC+07:00) Barnaul, Gorno-Altaysk 5/16/2024 11:00:00 PM
W. Mongolia Standard Time-(UTC+07:00) Hovd 5/16/2024 11:00:00 PM
North Asia Standard Time-(UTC+07:00) Krasnoyarsk 5/16/2024 11:00:00 PM
N. Central Asia Standard Time-(UTC+07:00) Novosibirsk 5/16/2024 11:00:00 PM
Tomsk Standard Time-(UTC+07:00) Tomsk 5/16/2024 11:00:00 PM
China Standard Time-(UTC+08:00) Beijing, Chongqing, Hong Kong, Urumqi 5/17/2024 12:00:00 AM
North Asia East Standard Time-(UTC+08:00) Irkutsk 5/17/2024 12:00:00 AM
Singapore Standard Time-(UTC+08:00) Kuala Lumpur, Singapore 5/17/2024 12:00:00 AM
W. Australia Standard Time-(UTC+08:00) Perth 5/17/2024 12:00:00 AM
Taipei Standard Time-(UTC+08:00) Taipei 5/17/2024 12:00:00 AM
Ulaanbaatar Standard Time-(UTC+08:00) Ulaanbaatar 5/17/2024 12:00:00 AM
Aus Central W. Standard Time-(UTC+08:45) Eucla 5/17/2024 12:45:00 AM
Transbaikal Standard Time-(UTC+09:00) Chita 5/17/2024 1:00:00 AM
Tokyo Standard Time-(UTC+09:00) Osaka, Sapporo, Tokyo 5/17/2024 1:00:00 AM
North Korea Standard Time-(UTC+09:00) Pyongyang 5/17/2024 1:00:00 AM
Korea Standard Time-(UTC+09:00) Seoul 5/17/2024 1:00:00 AM
Yakutsk Standard Time-(UTC+09:00) Yakutsk 5/17/2024 1:00:00 AM
Cen. Australia Standard Time-(UTC+09:30) Adelaide 5/17/2024 1:30:00 AM
AUS Central Standard Time-(UTC+09:30) Darwin 5/17/2024 1:30:00 AM
E. Australia Standard Time-(UTC+10:00) Brisbane 5/17/2024 2:00:00 AM
AUS Eastern Standard Time-(UTC+10:00) Canberra, Melbourne, Sydney 5/17/2024 2:00:00 AM
West Pacific Standard Time-(UTC+10:00) Guam, Port Moresby 5/17/2024 2:00:00 AM
Tasmania Standard Time-(UTC+10:00) Hobart 5/17/2024 2:00:00 AM
Vladivostok Standard Time-(UTC+10:00) Vladivostok 5/17/2024 2:00:00 AM
Lord Howe Standard Time-(UTC+10:30) Lord Howe Island 5/17/2024 2:30:00 AM
Bougainville Standard Time-(UTC+11:00) Bougainville Island 5/17/2024 3:00:00 AM
Russia Time Zone 10-(UTC+11:00) Chokurdakh 5/17/2024 3:00:00 AM
Magadan Standard Time-(UTC+11:00) Magadan 5/17/2024 3:00:00 AM
Norfolk Standard Time-(UTC+11:00) Norfolk Island 5/17/2024 3:00:00 AM
Sakhalin Standard Time-(UTC+11:00) Sakhalin 5/17/2024 3:00:00 AM
Central Pacific Standard Time-(UTC+11:00) Solomon Is., New Caledonia 5/17/2024 3:00:00 AM
Russia Time Zone 11-(UTC+12:00) Anadyr, Petropavlovsk-Kamchatsky 5/17/2024 4:00:00 AM
New Zealand Standard Time-(UTC+12:00) Auckland, Wellington 5/17/2024 4:00:00 AM
UTC+12-(UTC+12:00) Coordinated Universal Time+12 5/17/2024 4:00:00 AM
Fiji Standard Time-(UTC+12:00) Fiji 5/17/2024 4:00:00 AM
Kamchatka Standard Time-(UTC+12:00) Petropavlovsk-Kamchatsky - Old 5/17/2024 5:00:00 AM
Chatham Islands Standard Time-(UTC+12:45) Chatham Islands 5/17/2024 4:45:00 AM
UTC+13-(UTC+13:00) Coordinated Universal Time+13 5/17/2024 5:00:00 AM
Tonga Standard Time-(UTC+13:00) Nuku'alofa 5/17/2024 5:00:00 AM
Samoa Standard Time-(UTC+13:00) Samoa 5/17/2024 5:00:00 AM
Line Islands Standard Time-(UTC+14:00) Kiritimati Island 5/17/2024 6:00:00 AM

Webinar Registration

This is a story of a hack that begins in the multi-cloud world – particularly with respect to how authentication in the cloud today is facilitated by the use of tokens. And that in itself is an interesting and valuable investigation. But thanks to the transparency of Cloudflare, there’s much more to be learned by the rest of the story that details how attackers can leverage a chain of vulnerabilities to burrow into a target’s network but be ultimately blocked, thanks to an organization’s vigilance and prior assumption of compromise. This story is both a cautionary tale but also one with a comparatively happy ending along the lines of the Apollo 13 “successful failure”.

In this real training for free event, I will begin by reviewing the ubiquitous authentication constructs used to link clouds together:

  • OpenID Connect
  • Auth 2.0.
  • JSON Web Tokens (JWTs)

Cloud authentication and authorization is a multi-party volley of token passing between clients, relying parties, providers and I’ll explain the difference between:

  • ID tokens
  • Refresh tokens
  • Access tokens

Then we will pivot from that background to the latest Cloudflare/Okta incident. Cloudflare is an Okta customer, and the story begins with a token stolen from Okta’s customer support system – from within files uploaded by a Cloudflare employee apparently pursuing a support case with Okta. The fact that these tokens are “bearer” tokens is the first important lesson. You may eliminate passwords with OpenID Connect and Auth 2.0 but now you have to be very careful with tokens.

After that I’ll take you through the rest of what we know about how the attacker was able to access Cloudflare’s Atlassian environment in a complex attack chain that involves multiple MITRE ATT&CK tactics, including:

  • Reconnaissance
  • Initial Access
  • Execution
  • Persistence
  • Credential Access
  • Lateral Movement
  • Collection
  • Exfiltration

Cloudflare is courageous in how much information they shared – including their mistakes - but that courage serves to build confidence and protect their credibility. As you will see, the attackers got in – but they only got so far. And I’ll finish up by discussing the important role zero trust architecture and the hard authentication tokens (not to be confused with the web tokens above) played in limiting the scope and damage to Cloudflare. It’s important to note that Cloudflare reports no customer information was compromised in this attack.

LogRhythm is my sponsor for this real training for free session and their threat research team actually suggested this topic. Many of you will remember awesome sessions in the past where Brian Coulson, Senior Threat Research Engineer at LogRhythm, joined me and this time, he will be joined by Sally Vincent, Senior Threat Research Engineer at LogRhythm. They will pick up where I left off by showing you how LogRhythm Axon, a cloud-native SIEM platform, can help you identify and threat hunt in a compromised environment and giving takeaway advice to avoid similar breaches in your own organization.

Please join us for this real training for free session.
First Name:  
Last Name:  
Work Email:  
Phone:
Organization:
Country:  
State:
Zip/Postal Code:
Job Title:
 

Your information will be shared with the sponsor.

By clicking "Submit", you're agreeing to our Privacy Policy and consenting to be contacted by us and the sponsor.
 

 

Upcoming Webinars
Additional Resources