
Cloudflare, OKTA Hacked

165 points by marianov about 4 years ago

16 comments

kentonv about 4 years ago
This is Cloudflare's official statement (I work for Cloudflare):

This afternoon we were alerted that the Verkada security camera system that monitors main entry points and main thoroughfares in a handful of Cloudflare offices may have been compromised. The cameras were located in offices that have been officially closed for nearly a year.

As soon as we became aware of the compromise, we disabled the cameras and disconnected them from office networks. No customer data or processes have been impacted by this incident.

This incident emphasizes the importance of the Zero Trust model that Cloudflare follows and provides to customers, which ensures that if any one system or vendor is compromised, it does not compromise the entire organization. Unlike the previous castle-and-moat approach, a Zero Trust model functions more like bulkheads in a ship, making sure that a leak in one place doesn't sink the entire ship.
nickysielicki about 4 years ago
A couple boxes, likely VLAN'd off, were popped.

Note in both screenshots, copious amounts of 'mmcblk0pXX', that looks like an embedded device. Probably the same cameras this group found vulns in. The idea that those cameras somehow give access to all of Cloudflare, or all of OKTA, is wrong and clickbait and sensationalist.

By the way, according to GitHub [1] this girl is in Switzerland. There exist extradition treaties, and she is not operating under a pseudonym. These are publicly traded companies. She could very easily find herself in prison for this.

[1]: https://github.com/deletescape

edit: wording.
jfrunyon about 4 years ago
It's very interesting that both Cloudflare and Tesla have the exact same disk setup on such important systems on their corporate networks, down to the numerous strangely small partitions on MMC.

Oh, wait, neither Cloudflare nor Okta were hacked. Crappy IoT devices on their networks - quite likely isolated or untrusted - were hacked.

Frankly if these companies trusted their 'corporate networks', THAT would be the story here. But the fact that someone hacked their cameras was both posted here a few hours ago [1] and not news [2].

[1] https://news.ycombinator.com/item?id=26405056

[2] Seriously! How is "more IoT devices hacked" still a story? It's literally a continuous occurrence. Piss off.
ggreer about 4 years ago
A later tweet claims they got access through a vulnerability in the Verkada security cameras used by these companies: https://twitter.com/nyancrimew/status/1369442432639770624

That's not good, but it's bullshit to claim, "if we wanted to we could have probably owned half the internet in like a week." I seriously doubt that any of these companies have their security cameras on the same networks as anything sensitive, let alone production infrastructure. Heck, I doubt that any have their cameras on the same networks as developer machines (which are used on public networks all the time and can have all kinds of dubious software installed on them).
vmception about 4 years ago
I miss pwn4ge like this, but even this was kind of weak because they didn't do anything funny and also damaging; must be both.

All we've gotten this decade were super quiet "state-level actors", and uninspired trolls.

I want the "for the lulz" ASCII art pros dropping MIDI music while also pillaging corporations and leaking secrets.

Make a festival out of it.

I think it's coming, a hack that incorporates the best of the latest hacks. Like making a Docker disk image of content that was leaked, so that all the other hackers (including the original hacker) have plausible deniability and don't violate the CFAA.
jtchang about 4 years ago
Devices such as cameras are usually isolated on their own VLAN. In addition, just because you are on the network doesn't really mean anything if there is a zero trust security model.
rdegges about 4 years ago
This is Okta's official statement (I run Developer Advocacy at Okta):

The Okta service has not been impacted by the Verkada breach. After conducting further investigation, Okta determined that five Verkada cameras were compromised. These cameras were isolated and separate from Okta's production and company networks. Okta does not employ facial recognition technology, and there is no evidence that any live streams were viewed during the limited access that occurred. Okta employs Verkada technology only in office entrances.
jffry about 4 years ago
See also: this thread from 5 hours ago on the broader topic of the Verkada breach: https://news.ycombinator.com/item?id=26405056
pdx6 about 4 years ago
Their cameras? Big deal, it is an empty building over at Okta. I thought they meant they got into an Okta cell, and I was very interested to hear how that was done.
trungdq88 about 4 years ago
They have access to a Tesla warehouse webcam [1] (or at least they claimed so). Pretty crazy.

[1] https://twitter.com/nyancrimew/status/1369388911693340674
JoshuaMulliken about 4 years ago
http://web.archive.org/web/20210310004316/https://twitter.com/nyancrimew
falcolas about 4 years ago
Oh, fuck. Cloudflare aside, Okta is huge for enterprise SSO throughout our industry. I can hear our infosec group having kittens as we speak.
0xbadcafebee about 4 years ago
> if we wanted to we could have probably owned half the internet in like a week.

Oh, skids. Pop a single shell in a disposable environment in some corporate hellscape cloud infra and they think they can pwn the interwebs. I'm sure you could root some shitty Fargate container of some shitty web app in my company, too, but you literally can't get to any other network from it.

They'll be dining out on this for years on IRC. (Do the kids still IRC? Is Twitter the new IRC?)

Blah blah Twitter makes for crap HN articles etc.
post_break about 4 years ago
Well, we were testing Verkada cameras for the office. Guess they are going back to California tomorrow.
philco about 4 years ago
This is going to continue blowing up the cyber insurance market for startups.
xvector about 4 years ago
Holy crap. This is huge.