Cloudflare, OKTA Hacked

twitter.com

165 points by marianov 5 years ago · 52 comments

kentonv 5 years ago

This is Cloudflare's official statement (I work for Cloudflare):

This afternoon we were alerted that the Verkada security camera system that monitors main entry points and main thoroughfares in a handful of Cloudflare offices may have been compromised. The cameras were located in offices that have been officially closed for nearly a year.

As soon as we became aware of the compromise, we disabled the cameras and disconnected them from office networks. No customer data or processes have been impacted by this incident.

This incident emphasizes the importance of the Zero Trust model that Cloudflare follows and provides to customers, which ensures that if any one system or vendor is compromised, it does not compromise the entire organization. Unlike the previous castle-and-moat approach, a Zero Trust model functions more like bulkheads in a ship, making sure that a leak in one place doesn’t sink the entire ship.

  • kentonv 5 years ago

    Incidentally, this breach is not specific to Cloudflare; it affects lots of companies:

    https://www.theverge.com/2021/3/9/22322122/verkada-hack-1500...

    Hackers gained access to over 150,000 of [Verkada]’s cameras, including cameras in Tesla factories and warehouses, Cloudflare offices, Equinox gyms, hospitals, jails, schools, police stations, and Verkada’s own offices, Bloomberg reports.

    • fragsworth 5 years ago

      That sounds bad: if you have camera footage of people entering passwords into their computers, you can gain access to lots of other things.

  • xtracto 5 years ago

    Sounds like when someone "hacked" an airplane because they hacked into the OS of the entertainment systems.

    • alasdair_ 5 years ago

      It's been claimed that it was possible to bridge from the entertainment system network to the thrust management system of the aircraft, at least according to the FBI's warrant: https://www.independent.co.uk/news/world/americas/computer-e...

      This sounds silly, of course, but it wouldn't surprise me if someone cheaped out somewhere and connected two networks that should never be connected together.

    • hsbauauvhabzb 5 years ago

      Except aircraft are much more likely to implement good network segregation as opposed to 150,000 random companies.

      • ArchOversight 5 years ago

        Most of the entertainment systems on airplanes were an afterthought that was implemented after the fact, not something built in in the first place.

        • hsbauauvhabzb 5 years ago

          That’s kind of beside the point, any aircraft security staff involved would demand segregation. 150k random companies? Hell, 75% don’t even have security teams.

  • unityByFreedom 5 years ago

    Great! Sounds like "we could have owned half the internet" was hyperbole.

  • pfundstein 5 years ago

    Great pivot into "this illustrates our excellent security".

  • weare138 5 years ago

    >The cameras were located in offices that have been officially closed for nearly a year.

    This explanation begs the obvious question: why were they still connected to Cloudflare's internal network for nearly a year? Does Cloudflare just keep paying rent for 'officially closed' offices? Obviously this ArsonCats group is exaggerating the extent of the hack, but this official explanation from Cloudflare doesn't exactly pass the sniff test either.

    • russell_h 5 years ago

      I don’t know about Cloudflare specifically, but almost every Cloudflare-sized tech company in SF has had their offices closed to employees for a year. Most of them plan to reopen and are continuing to pay rent.

      Under those circumstances it definitely makes sense to keep the cameras on.

      • weare138 5 years ago

        I understand this, and that's the point I'm trying to make here. The statement is just deflecting and downplaying the issue. What exactly does 'officially closed' mean? The office wasn't 'officially closed', it was unoccupied because of COVID. It was still paid for by Cloudflare and on its network. The statement is purposefully misleading.

      • mathattack 5 years ago

        Occam’s razor. The simplest solution...

    • kentonv 5 years ago

      > Does Cloudflare just keep paying rent for 'officially closed' offices?

      Well... yes. We intend to open them again when the pandemic is over.

    • meibo 5 years ago

      Well, you'd also keep your security cameras on when going on vacation, it's just that covid is a lot more painful than a vacation.

    • mrits 5 years ago

      Paying rent for closed offices is common, especially with COVID. Commercial leases aren't usually 1 year like residential.

    • efficax 5 years ago

      It's called a lease, but also it's likely some small number of staff visit the offices from time to time.

nickysielicki 5 years ago

A couple boxes, likely VLAN'd off, were popped.

Note in both screenshots the copious amounts of 'mmcblk0pXX'; that looks like an embedded device. Probably the same cameras this group found vulns in. The idea that those cameras somehow give access to all of Cloudflare, or all of Okta, is wrong, clickbait and sensationalist.

By the way, according to github [1] this girl is in Switzerland. There exist extradition treaties, and she is not operating under a pseudonym. These are publicly traded companies. She could very easily find herself in prison for this.

[1]: https://github.com/deletescape

edit: wording.

jfrunyon 5 years ago

It's very interesting that both Cloudflare and Tesla have the exact same disk setup on such important systems on their corporate networks, down to the numerous strangely small partitions on MMC.

Oh, wait, neither Cloudflare nor Okta were hacked. Crappy IoT devices on their networks - quite likely isolated or untrusted - were hacked.

Frankly if these companies trusted their 'corporate networks', THAT would be the story here. But the fact that someone hacked their cameras was both posted here a few hours ago[1] and not news[2].

[1] https://news.ycombinator.com/item?id=26405056

[2] Seriously! How is "more IoT devices hacked" still a story? It's literally a continuous occurrence. Piss off.

  • plugger 5 years ago

    > quite likely isolated or untrusted - were hacked.

    I disagree. From my experience there are many big corps out there that use VLANs but don't properly secure them. And even if they did I expect pivoting from these hosts would be trivial when compared to getting in externally.

    Finally, these cameras aren't alone. They're often integrated into a centralized controller which has to be routable by both the cameras as well as the host/hosts required to review the footage. So even IF they were properly segmented there's still most likely a path to the 'corp' VLAN.

    • jfrunyon 5 years ago

      Cloudflare publicly states that they use a zero trust networking model. So, you can disagree with the facts all you want, but it won't change them.

      BTW, the central controller for these cameras is "in the cloud". That's how they were hacked. Keep up.
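One way to check the segmentation claim argued over in this subthread (cameras may talk only to their cloud controller, and nothing else crosses the camera VLAN boundary) is to audit the permitted flows at that boundary. This is an added example, not code from the thread or from any vendor named in it; the addresses, allow-lists and log line format are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample firewall flow log (not from the thread); one flow per line.
SAMPLE_FLOWS = """\
2021-03-09T20:01:12Z src=10.50.0.21 dst=203.0.113.10 dport=443 proto=tcp action=allow
2021-03-09T20:01:15Z src=10.50.0.21 dst=10.50.0.1 dport=53 proto=udp action=allow
2021-03-09T20:02:03Z src=10.50.0.22 dst=10.10.4.15 dport=445 proto=tcp action=allow
2021-03-09T20:02:09Z src=10.50.0.22 dst=10.10.4.15 dport=22 proto=tcp action=deny
2021-03-09T20:03:41Z src=10.50.0.23 dst=198.51.100.7 dport=443 proto=tcp action=allow
2021-03-09T20:04:00Z src=10.10.4.15 dst=10.50.0.21 dport=80 proto=tcp action=allow
"""

# Hypothetical addressing: cameras sit in their own VLAN and may only reach the
# vendor's cloud controller over HTTPS and a DNS forwarder inside that VLAN.
CAMERA_VLAN = ipaddress.ip_network("10.50.0.0/24")
CORP_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # the rest of the internal space
ALLOWED_EGRESS = [
    (ipaddress.ip_network("203.0.113.0/24"), 443),  # cloud controller (placeholder range)
    (ipaddress.ip_network("10.50.0.1/32"), 53),     # DNS forwarder inside the VLAN
]
ALLOWED_INGRESS = [ipaddress.ip_network("10.10.99.0/24")]  # management jump hosts
LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) proto=\w+ action=(\w+)")

def find_segmentation_violations(log_text):
    """Return (src, dst, dport, reason) for each permitted flow crossing the camera
    VLAN boundary outside the allow-lists. Denied flows show the policy held."""
    violations = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst, dport, action = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        if action != "allow":
            continue
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src_ip in CAMERA_VLAN:
            if not any(dst_ip in net and dport == port for net, port in ALLOWED_EGRESS):
                internal = any(dst_ip in net for net in CORP_NETS)
                reason = "camera reached internal host" if internal else "unexpected camera egress"
                violations.append((src, dst, dport, reason))
        elif dst_ip in CAMERA_VLAN:
            if not any(src_ip in net for net in ALLOWED_INGRESS):
                violations.append((src, dst, dport, "internal host reached camera directly"))
    return violations

if __name__ == "__main__":
    for v in find_segmentation_violations(SAMPLE_FLOWS):
        print("VIOLATION src=%s dst=%s dport=%d: %s" % v)
```

On the sample log the first two flows are the expected controller and DNS traffic; the remaining permitted flows (camera to an SMB port on a corporate host, camera to an unknown external host, and a corporate host opening HTTP to a camera) are exactly the paths that would show the VLAN boundary is not holding.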

ggreer 5 years ago

A later tweet claims they got access through a vulnerability in the Verkada security cameras used by these companies: https://twitter.com/nyancrimew/status/1369442432639770624

That's not good, but it's bullshit to claim, "if we wanted to we could have probably owned half the internet in like a week." I seriously doubt that any of these companies have their security cameras on the same networks as anything sensitive, let alone production infrastructure. Heck, I doubt that any have their cameras on the same networks as developer machines (which are used on public networks all the time and can have all kinds of dubious software installed on them).

  • kadoban 5 years ago

    If you have security cameras though, doesn't that open up a huge amount of possibilities to deepen the intrusion? Just most obviously you can watch anyone log in to anything you can see and get some credentials that way. Sounds like these offices are closed, but I'm sure there's some clever way to get someone to need to log in to some machine. Or just be patient and wait.

    Hell the offices being closed and having control of the security cameras offers what sounds a lot like the start of a great way to break in quietly and get physical access. How many systems do you know that are secure if you can touch them?

    • ggreer 5 years ago

      You can see the resolution of the cameras in some of the account's other tweets. It's not high enough to see information on the screen. Watching keyboard inputs might be possible, but even then I doubt the framerate is high enough to get all the keys.

      More importantly: at most companies, accessing sensitive systems requires more than just a username and password. Pretty much every place requires TOTP or HOTP, often via a hardware token. Many firms also restrict access to specific machines.

      • kentonv 5 years ago

        Pretty much everything at Cloudflare requires, at the very least, a physical security key (e.g. yubikey) to get access.

      • kadoban 5 years ago

        Yeah, 2fa is a good point. You'd really hope that anything important would require it, but not sure that's universally true. Social engineering attacks become a lot easier possibly; 2fa tends to need to be overridden a lot because people lose their tokens.

        I didn't see the low res cameras, that should make it harder. I wouldn't be surprised if AI or tedium (view each frame, guess and check, etc.) could still get you passwords, but yeah it's starting to sound like more of a stretch. If the cameras have sound that should help get creds too.

  • ImprovedSilence 5 years ago

    That twitter account is now suspended. Would it be in relation to them tweeting about this breach?

vmception 5 years ago

I miss pwn4ge like this, but even this was kind of weak because they didn't do anything funny and also damaging, must be both

all we've gotten this decade were super quiet "state-level actors", and uninspired trolls

I want the "for the lulz" ASCII art pros dropping MIDI music while also pillaging corporations and leaking secrets

make a festival out of it.

I think it's coming, a hack that incorporates the best of the latest hacks. Like making a docker disk image of content that was leaked, so that all the other hackers (including the original hacker) have plausible deniability and don't violate the CFAA.

jtchang 5 years ago

Devices such as cameras are usually isolated on their own VLAN. In addition, just because you are on the network doesn't really mean anything if there is a zero trust security model.

  • irjustin 5 years ago

    Ahhhhhh that was then, this is now. Everything is on the internet unless you're actually serious about security.

    Not a huge deal though, this will hopefully cause them to look at truly closed circuit or isolated cameras.

    Cloudflare & Okta is insane though.

    • rdegges 5 years ago

      Indeed! Here's the official Okta statement (I run Developer Advocacy at Okta):

      The Okta service has not been impacted by the Verkada breach. After conducting further investigation, Okta determined that five Verkada cameras were compromised. These cameras were isolated and separate from Okta’s production and company networks. Okta does not employ facial recognition technology, and there is no evidence that any live streams were viewed during the limited access that occurred. Okta employs Verkada technology only in office entrances.

rdegges 5 years ago

This is Okta's official statement (I run Developer Advocacy at Okta):

The Okta service has not been impacted by the Verkada breach. After conducting further investigation, Okta determined that five Verkada cameras were compromised. These cameras were isolated and separate from Okta’s production and company networks. Okta does not employ facial recognition technology, and there is no evidence that any live streams were viewed during the limited access that occurred. Okta employs Verkada technology only in office entrances.

jffry 5 years ago

See also: this thread from 5 hours ago on the broader topic of the Verkada breach: https://news.ycombinator.com/item?id=26405056

pdx6 5 years ago

Their cameras? Big deal, it is an empty building over at Okta. I thought they meant they got into an Okta cell and I was very interested to hear how that was done.

trungdq88 5 years ago

They have access to Tesla warehouse webcam [1] (or at least they claimed so). Pretty crazy.

[1] https://twitter.com/nyancrimew/status/1369388911693340674

JoshuaMulliken 5 years ago

http://web.archive.org/web/20210310004316/https://twitter.co...

falcolas 5 years ago

Oh, fuck. Cloudflare aside, Okta is huge for enterprise SSO throughout our industry. I can hear our infosec group having kittens as we speak.

  • rdegges 5 years ago

    Heyo, I run Developer Advocacy at Okta. Just FYI, here's our official statement on the news:

    The Okta service has not been impacted by the Verkada breach. After conducting further investigation, Okta determined that five Verkada cameras were compromised. These cameras were isolated and separate from Okta’s production and company networks. Okta does not employ facial recognition technology, and there is no evidence that any live streams were viewed during the limited access that occurred. Okta employs Verkada technology only in office entrances.

0xbadcafebee 5 years ago

> if we wanted to we could have probably owned half the internet in like a week.

Oh, skids. Pop a single shell in a disposable environment in some corporate hellscape cloud infra and they think they can pwn the interwebs. I'm sure you could root some shitty Fargate container of some shitty web app in my company, too, but you literally can't get to any other network from it.

They'll be dining out on this for years on irc. (do the kids still irc? is twitter the new irc?)

Blah blah Twitter makes for crap HN articles etc

post_break 5 years ago

Well, we were testing Verkada cameras for the office. Guess they are going back to California tomorrow.

philco 5 years ago

This is going to continue blowing up the cyber insurance market for startups.

xvector 5 years ago

Holy crap. This is huge.
