#100 - A tale of two breaches: examining the AnyDesk & Cloudflare incidents
In this episode of The Cybersecurity Defenders Podcast, we take a close look at the AnyDesk and Cloudflare breaches that were both disclosed on February 2, 2024.
AnyDesk, a prominent remote desktop software provider, disclosed a cyberattack late on February 2nd, causing the company to enforce strict security measures for nearly a week. Adversaries breached AnyDesk's systems, compromising vital assets such as source code and private code signing keys, and gaining unauthorized access to production systems.
For more on AnyDesk's breach, see the following references:
https://techcrunch.com/2024/02/05/remote-access-giant-anydesk-resets-passwords-and-revokes-certificates-after-hack/
https://anydesk.com/en/public-statement
https://www.infosecurity-magazine.com/news/anydesk-hit-cyberattack-customer/
https://www.helpnetsecurity.com/2024/02/05/anydesk-hacked/
https://thehackernews.com/2024/02/anydesk-hacked-popular-remote-desktop.html
On the other front, Cloudflare disclosed that a nation-state actor infiltrated their self-hosted Atlassian server on November 14, 2023, utilizing stolen access tokens and service account credentials from the Okta breach. The threat actor conducted reconnaissance activities from November 14th to 17th, gaining access to Cloudflare's internal wiki and bug database.
Additional access attempts on November 20th and 21st indicated the actor's persistence, culminating in establishing continuous access through ScriptRunner for Jira on November 22nd. Finally, they tried, unsuccessfully, to access a console server that had access to a data center that Cloudflare had not yet put into production in São Paulo, Brazil.
For more details on Cloudflare's breach, consult the following sources:
https://www.csoonline.com/article/1303785/nation-state-actor-used-recent-okta-compromises-to-hack-into-cloudflare-systems.html
https://www.techtarget.com/searchsecurity/news/366568694/Cloudflare-discloses-breach-related-to-stolen-Okta-data
https://www.computing.co.uk/news/4170126/cloudflare-server-breached-suspected-sponsored-threat-actors