BENGALURU, December 13, 2022 — Researchers at CloudSEK noticed that for Atlassian products (Jira, Confluence, and BitBucket), cookies are not invalidated even when the password is changed with 2FA (two-factor authentication) enabled, because the cookie validity is 30 days. They only expire when the user logs out, or after 30 days.
CloudSEK researchers have identified that this flaw can be leveraged by threat actors to take over hundreds of companies' Jira accounts. Our data show over 1,282,859 compromised computers and 16,201 Jira cookies for sale on dark web marketplaces. And just in the last 30 days, over 2,937 compromised computers and 246 Jira credentials have been made available. In the past 90 days, we have observed at least one compromised computer from a Fortune 1000 company. That is only considering their primary domains, not their subsidiaries. (Check the full blog)
The new finding came after Dec 06, 2022, when CloudSEK disclosed a cyber attack directed at the company. During the investigation into the root cause of the incident, the internal investigation team identified that the threat actor gained access to a CloudSEK employee's Jira account using Jira session cookies present in stealer logs being sold on the dark web.
CloudSEK is releasing a free tool that lets companies check whether their compromised computers and Jira accounts are being advertised on dark web marketplaces.
With over 10 million users across 180,000 companies, including 83% of Fortune 500 companies, Atlassian products are widely used across the globe. And threat actors are actively exploiting this flaw to compromise enterprise Jira accounts.
Stolen Atlassian Cookies Can Lead to Unauthorized Account Access Even When 2FA Is Enabled
CloudSEK's investigation shows that cookies of Atlassian products remain valid for a period of 30 days, even when the password is changed and 2FA is enabled. Hence, threat actors can restore Jira, Confluence, Trello, or BitBucket sessions using stolen cookies, even when they do not have access to the multi-factor authentication (MFA) factor, OTP, or PIN. The cookies, by default, expire when the user logs out, or after 30 days. (Check the full blog)
This is a known issue, and most companies do not consider it to be within the scope of security reporting, because to use it and get into systems, tokens are required.
However, it is not very difficult for threat actors to get their hands on these tokens. With the rise in device compromise campaigns, breaches, and password leaks, cookie theft has become commonplace. Cookies are available for sale: one can simply search for a company, buy their logs, and find relevant tokens to gain access to their internal systems. In the last 30 days, more than 200 unique instances of atlassian.net related credentials and cookies have been put up for sale on dark web marketplaces. Given that the credentials were put up for sale within the last 30 days, it is highly likely that many of them are still active.
In the case of Atlassian products, only one JSON Web Token (JWT) is required to hijack a session, i.e. cloud.session.token. Atlassian JWT tokens have the email address embedded in the cookie. Hence, it is easy to determine which user the cookie belongs to.
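As an added, constructed example (not CloudSEK's tool or Atlassian's code), the following Python triages stealer-log cookie lines the way a defender would: it picks out cloud.session.token entries, reads the email and expiry from the JWT payload, and lists which of the organization's own users still have a live session that needs a forced logout. The tab-separated log layout, the claim names `email` and `exp`, and the tokens themselves are assumptions built for this demo; real Atlassian tokens have their own claim layout.

```python
import base64
import hashlib
import hmac
import json
import time

DAY = 86_400
NOW = 1_670_900_000  # constructed reference time (mid-December 2022)


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_token(claims: dict, key: bytes = b"constructed-demo-key") -> str:
    # Builds a demo HS256 JWT so the sample log below is self-contained; not an Atlassian token.
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def decode_claims(token: str) -> dict:
    # Reads the payload only. The signature is not checked: a defender triaging
    # a leaked cookie does not hold the issuer's key and only needs the claims.
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def triage(log_lines, org_domain, now=None):
    """Return [(email, seconds_remaining)] for cloud.session.token cookies of
    org_domain users whose 30-day window has not yet run out."""
    now = time.time() if now is None else now
    exposed = []
    for line in log_lines:
        parts = line.rstrip("\n").split("\t")  # assumed layout: domain, name, value
        if len(parts) != 3 or parts[1] != "cloud.session.token":
            continue
        claims = decode_claims(parts[2])
        email = claims.get("email", "")  # assumed claim name
        if not email.lower().endswith("@" + org_domain):
            continue
        remaining = claims.get("exp", 0) - now
        if remaining > 0:
            exposed.append((email, int(remaining)))
    return exposed


# Constructed sample stealer-log lines: one live session for our org, one already
# expired, one belonging to another org, and an unrelated cookie to be ignored.
SAMPLE_LOG = [
    "atlassian.net\tcloud.session.token\t" + make_token({"email": "alice@example.com", "iat": NOW - 10 * DAY, "exp": NOW + 20 * DAY}),
    "atlassian.net\tcloud.session.token\t" + make_token({"email": "bob@example.com", "iat": NOW - 40 * DAY, "exp": NOW - 10 * DAY}),
    "atlassian.net\tcloud.session.token\t" + make_token({"email": "carol@other.org", "iat": NOW, "exp": NOW + 30 * DAY}),
    "atlassian.net\tatlassian.xsrf.token\tnot-a-jwt",
]
```

Each listed account is one whose password change and 2FA did not help; the remediation the release describes is to have that user log out so the cookie is invalidated.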
You can check whether your organization's data is available for sale on dark web marketplaces here.