BENGALURU, December 13, 2022 — Researchers at CloudSEK have found that for Atlassian products (Jira, Confluence, and Bitbucket), session cookies are not invalidated when the password is changed, even with 2FA (two-factor authentication) enabled, because the cookie validity period is 30 days. The cookies only expire when the user logs out, or after 30 days.
CloudSEK researchers have identified that this flaw can be leveraged by threat actors to take over hundreds of companies' Jira accounts. Our data shows over 1,282,859 compromised computers and 16,201 Jira cookies for sale on dark web marketplaces. In the last 30 days alone, over 2,937 compromised computers and 246 Jira credentials were made available. In the past 90 days, we have observed at least one compromised computer from a Fortune 1000 company. This only counts their primary domains, not their subsidiaries. (See the full blog post)
The new finding follows the Dec 06, 2022 disclosure by CloudSEK of a cyber attack directed at the company. During the investigation into the root cause of the incident, the internal investigation team identified that the threat actor gained access to a CloudSEK employee's Jira account using Jira session cookies present in stealer logs being sold on the dark web.
CloudSEK is releasing a free tool that lets companies check whether their compromised computers and Jira accounts are being advertised on dark web marketplaces.
With over 10 million users across 180,000 companies, including 83% of Fortune 500 companies, Atlassian products are widely used around the globe. And threat actors are actively exploiting this flaw to compromise enterprise Jira accounts.
Stolen Atlassian Cookies Can Lead to Unauthorized Account Access Even When 2FA Is Enabled
CloudSEK's investigation reveals that cookies of Atlassian products remain valid for a period of 30 days, even when the password is changed and 2FA is enabled. Hence, threat actors can restore Jira, Confluence, Trello, or Bitbucket sessions using stolen cookies, even when they do not have access to the multi-factor authentication (MFA) factor, OTP, or PIN. The cookies, by default, expire when the user logs out, or after 30 days.
This is a known issue, and most companies do not consider it to be within the scope of security reporting, because using it to get into systems requires the tokens themselves.
However, it is not very difficult for threat actors to get their hands on these tokens. With the rise in device compromise campaigns, breaches, and password leaks, cookie theft has become commonplace. Cookies are available for sale, and one can simply search for a company, buy its logs, and find the relevant tokens. In the last 30 days, more than 200 unique instances of atlassian.net related credentials and cookies were put up for sale on dark web marketplaces. Given that the credentials were put up for sale within the last 30 days, it is highly likely that many of them are still active.
In the case of Atlassian products, only one JSON Web Token (JWT) is required to hijack a session, i.e. cloud.session.token. Atlassian JWT tokens have the email address embedded in the cookie. Hence, it is easy to determine which user the cookie belongs to.
You can check whether your organization's data is for sale on dark web marketplaces here.
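Because the cookie is a JWT whose payload names the account, an incident responder who obtains leaked cookie values (for example from a stealer-log notification) can map each one to the affected user and check whether it is still inside its validity window, then force-logout and rotate those sessions. The following is an added example written for this article, not CloudSEK's tool or Atlassian's code; it assumes a standard `exp` claim and does not assume which claim carries the email address, so it scans every string field. The sample token is constructed for the demonstration.

```python
import base64
import json
import re
import time

# Loose pattern for an email address appearing anywhere in a claim value
EMAIL_RE = re.compile(r"[^@\s\"']+@[^@\s\"']+\.[^@\s\"']+")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT without checking its signature.
    Triage only needs to read the claims; it never needs to accept the token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def find_emails(claims: dict) -> list:
    """Collect every email-like value in the claims. Which claim carries the
    address is an assumption, so every string field is scanned recursively."""
    found = []

    def walk(value):
        if isinstance(value, dict):
            for item in value.values():
                walk(item)
        elif isinstance(value, list):
            for item in value:
                walk(item)
        elif isinstance(value, str):
            found.extend(EMAIL_RE.findall(value))

    walk(claims)
    return sorted(set(found))


def triage(token: str, now_ts: float = None) -> dict:
    """Map a leaked cookie value to the account(s) it names and report whether
    its 'exp' claim (seconds since epoch, assumed present) is still in the future."""
    now_ts = time.time() if now_ts is None else now_ts
    claims = decode_jwt_claims(token)
    exp = claims.get("exp")
    still_valid = isinstance(exp, (int, float)) and exp > now_ts
    return {"emails": find_emails(claims), "exp": exp, "still_valid": still_valid}


def make_sample_token(claims: dict) -> str:
    """Constructed sample token for offline testing; the signature is a placeholder."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'HS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder-signature"
```

Accounts returned with `still_valid` true are the ones whose sessions should be revoked immediately; the others still indicate a compromised device that needs cleanup.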