In a recent podcast interview with Cybercrime Magazine host Charlie Osborne, Scott Schober, cyber expert, author, and CEO of Berkeley Varitronics Systems, discusses the latest breach at Cloudflare, which has since been attributed to nation-state hackers.
Q: Scott, welcome. Thank you for joining us today.
A: Hey, great to be with you.
Q: So today, we're going to be discussing a cyber security incident recently disclosed by Cloudflare. The intrusion took place between November 14th and 24th last year. Now, Cloudflare detected the cybercriminals and their intrusion attempt on Thanksgiving. So, to start, Scott, I'd like to talk about the time of the intrusion. Do you think Thanksgiving for an intrusion attempt was deliberate?
A: Yeah, I think so; because of just the amount of web traffic at that time, a lot of people are distracted, especially here in the US. And probably about half of Cloudflare's customers are based out of the US. So it certainly seems to be closely timed to that. And it's really built upon the credentials that were compromised prior in October that allowed them to actually kind of perpetrate the attack and get in. So it seems like the timing of this whole thing definitely was planned for around the Thanksgiving timeframe to be not noticed too much, I guess you could say.
Q: Exactly when I looked at the actual date, what came to mind when it comes to skeleton crews because it being a major sort of holiday, perhaps fewer eyes means less of a chance to be actually found out. Right?
A: Yeah, absolutely. And that certainly works well, even with traditional crimes. Criminals will kind of plan ahead of time, "When's the least amount of chance that we'll get discovered or seen?" And the same is true because they're actually watching traffic, things that are going in and out, servers, and different types of anomalies that will be detected. If there's less eyes there, and less people to detect it, it may go unnoticed.
Q: And when it comes to the credentials, as you mentioned, after spending several days performing a bit of reconnaissance, Cloudflare said that persistent access was achieved through Cloudflare's Atlassian server. So, the threat actors used one access token and 3 service account credentials that had been stolen. Cloudflare also said that it had failed to rotate the credentials following the Okta compromise. So, Scott, "failed to rotate," can you explain to our listeners what this means and why it's important?
A: Yeah. Well, they have to go in and rotate things every so often, actual credentials in line, in case there's a compromise, to keep it as secure as possible, and I guess what they didn't really do was stay on top of this. They didn't do their due diligence and do this, which let their guard down, and perhaps that's what they were hoping for, the perpetrators, trying to get in. And they said, "Jeez, let's find the right time," as you mentioned, Thanksgiving. If they're not on top of the security and rotating credentials and making it difficult for anybody to ever get in, let's move in. And they waited for the right time, and they moved in there.
Because it seems like the attackers also were doing some recon and probing and checking to see. And even as it got into the story more, and learning about it, it seems like they did several different things. But they didn't really exfiltrate a lot of data. They were really doing some recon, learning about and gathering information about the backup systems and how things worked. And oftentimes, I think that's what's interesting. Sometimes hackers want to get into systems, sit there a while, and just observe. They want to see how traffic moves, how backups are handled, who has access to the network, especially remotely.
And I do want to point out the sheer size of Cloudflare is important to understand. They handle over, I think, 7.5 million websites that are active using the Cloudflare brand. They've got over 4 million customers, and as I mentioned earlier, about 50% of that is just based in the US, the other 50% is spread throughout the globe. So, if you think about it, they're a giant company. It's an American-based company, and they really focus in on content delivery of network services, cybersecurity in the cloud, the DDoS mitigation. So, they do a whole lot of things to help other companies stay safe and keep their data safe. So it shows you how much exposure potentially could happen if somebody can get in there, just observe, collect, and then do damage later on.
Q: I'm glad you mentioned that, Scott, because, according to Cloudflare, the attack was carried out with the goal of obtaining persistent and widespread access to Cloudflare's global network. So when it comes to these sort of incidents, when you have major companies being compromised, what would obtaining access to this network and quietly and covertly potentially achieve? I mean, what could have been the overall aim, do you think?
A: Well, we don't fully know. However, it is highly likely, and I guess it's not proven yet, but they believe it's a nation-state attack. So, if you think about what the threat actor might be doing, they might be leveraging some of that information that they were able to garner and learn for future attacks.
So, anytime it's a nation-state attack, you have to think about national security. What's behind it? Are they targeting, perhaps, a particular niche or vertical? Maybe it's critical infrastructure or something else. Right away, what pops into my mind is: Is China behind it? Is Russia behind it? I don't know for a fact, but those are the types of things that pop up because this was not an everyday attack that we hear about in the headlines. This was a very well-crafted and orchestrated attack with knowledgeable threat actors and most likely nation-state-sponsored. So it helps you see it in a much higher degree, and henceforth, it could be much more threatening in the long run.
Q: And are there any particular indicators that separate typical cyber criminals and nation-state groups?
A: It's a little tough because they all play the games now, and a lot of their code and scripts, they actually will embed things to throw off those that are doing the investigation after the fact. In other words, if you go into the code, there are little breadcrumb trails. They may leave breadcrumb trails purposefully. So it looks like, oh, these are probably Romanian hackers. However, it may actually be Chinese hackers that are in there. So it's really difficult.
I do have to say, looking at the scope and the size of it, and seeing how fast it was kind of contained, it was only over a short period of days. If you think about it, they actually were able to contain it and know exactly what happened. Again, some of it didn't go public immediately, and I think that's because the investigation does take a period of time, and they did bring in CrowdStrike, doing forensic analysis and their own analysis. So they did their due diligence, did it right, and worked with law enforcement and everybody. I think they handled it right, and they handled it quickly and prevented it from getting any worse.
There are always possibilities that things are left in the network that are going to pop up later, or another back door that they left in. But it seems like they actually did a great job in containing it in a short period of time and minimizing the damage. And I think it kind of tells all of us the importance, when somebody has such a wide scope of interaction with other companies as they do. As I mentioned, millions of customers. They have to be prepared for this, almost anticipate that they're going to be hacked, and how they can actually handle it and inform everybody. "Hey, here's what we believe happened. Here's what we believe they were after. We believe that this is the group behind it, a nation-state-sponsored group. But here's what we're doing going forward, so it doesn't keep happening again." And I think they did a pretty good job doing that from all the research that I've done.
We'll be right back after a quick word from our sponsor.
Cimcor develops innovative next-generation file integrity monitoring software. The CimTrak Integrity Suite monitors and protects a wide range of physical, network, cloud, and virtual IT assets in real-time while providing detailed forensic information about all changes. Securing your infrastructure with CimTrak helps you get compliant and stay that way. You can find out more about Cimcor and CimTrak on the web at cimcor.com/cimtrak, that's C-I-M-C-O-R.com /C-I-M-T-R-A-K.
And now, back to the podcast.
Q: Cloudflare did emphasize that no customer data or systems were impacted by the event due to their use of access controls, firewall rules, and also the use of what they call 'hard security keys,' enforced using Zero Trust tools. In your experience, how important are these kinds of security mechanisms for organizations in order to mitigate attacks?
A: I think it's really important, especially as threats have evolved and cybercriminals are really getting smarter and they're better at using technology to automate some of these attacks. You think of something just as you mentioned, the Zero Trust model, where really they have to make certain assumptions that they really can't trust anybody. It may look like a remote user connecting into the server and the network. But they have to make certain assumptions. Hey, we don't trust them until they can prove who they are and authenticate that particular user before we grant them access. And when we do grant them access, we're only going to grant them access to this particular part of the network, and we're able to monitor it. So by having those mechanisms in place, it can minimize the damage if and when somebody is able to fool the network and fool the cyber security protocols that they have in place. So models like Zero Trust and some of these more modern ones, I think, are really important, and not only do they throw around the buzzword, but they're actually using them, implementing them and minimizing any damage. I don't think it's fair to say any company or network can actually prevent this from happening 100%, I know. That's really scary to say. But again and again and again, we hear about huge organizations down to small businesses. They're all vulnerable. There are weaknesses, and cybercriminals are going to exploit them. That being said, all of us do well to put all the basic provisions in place to minimize the chances of it happening and anticipate that it's going to happen. So if and when it does happen, we can respond. As owners of a business or large companies like this, they could bring in the right help to stop it from getting any worse. And I think that's really important to control. You're kind of controlling your risks.
Yeah, you're going to have cyber insurance, and you're going to have a great team, but you're also going to have partners you could bring in and work through this and remediate and post-breach, have an investigation. So you learn something, and you walk away, and it doesn't keep happening again and getting worse.
Q: And on that note, Scott, do you have any further advice for organizations hoping to improve their security posture?
A: I do think it's very important to not get lost in the technical jargon, especially as you dive into stories like this, more of a technical story, but the average person reading about this and digging in kind of gets lost in a lot of the acronyms. But there's a lesson for all of us to learn: that any time there is remote access into any type of network, there are vulnerabilities. So, we need to make sure that we identify upfront, what are those weaknesses? What are those vulnerabilities? How can a cybercriminal get in? Is it from the inside? Because there are insider threats that can happen. Most of the time, it's compromised credentials from the outside, and hackers are just pounding away until they can get into that one little weakness.
We can't stop every single spot for them, the weakness that they're trying to exploit. But we can really try hard to do it. So, I think education comes into play with everybody within the organization. Why? Because it could be the guy that's working the third shift, that's just monitoring some of the activity on the network, who notices some anomaly, something a little bit different. He gets a red flag. He's got to react to that. So that's where training and awareness, especially in a case like this when you're tied into that many customers, is really paramount. So it tells all business owners and all organizations: keep training, keep educating, and work with trusted partners so you can stay on top of it, prevent things like this from happening, but also be prepared, if it does happen, for how you can best respond.
Q: Scott, thank you for taking the time to share your expertise with me and our listeners today.
A: Great to be with you. Thank you so much.
February 22, 2024