BENGALURU, December 13, 2022 — Researchers at CloudSEK observed that for Atlassian products - Jira, Confluence, and BitBucket, cookies are not invalidated, even if the password is changed, with 2FA (Two-factor Authentication) enabled, as the cookie validity is 30 days. They only expire when the user logs out, or after 30 days.
CloudSEK researchers have identified that this flaw can be leveraged by threat actors to take over hundreds of companies’ Jira accounts. Our records show over 1,282,859 compromised computers and 16,201 Jira cookies for sale on dark web marketplaces. And just in the last 30 days, over 2,937 compromised computers and 246 Jira credentials were made available. In the past 90 days, we have observed at least one compromised computer from a Fortune 1000 company. This is just considering their primary domains, not their subsidiaries. (Check the complete blog)
The new finding came after Dec 06, 2022, when CloudSEK disclosed a cyber attack directed at the company. During the course of the investigation into the root cause of the incident, the internal investigation team identified that the threat actor gained access to a CloudSEK employee’s Jira account, using Jira session cookies present in stealer logs being sold on the dark web.
CloudSEK is releasing a free tool that lets companies check if their compromised computers and Jira accounts are being advertised on dark web marketplaces.
With over 10 million users across 180,000 companies, including 83% of Fortune 500 companies, Atlassian products are widely used across the globe. And threat actors are actively exploiting this flaw to compromise enterprise Jira accounts.
Stolen Atlassian Cookies Can Lead to Unauthorized Account Access even if 2FA enabled
CloudSEK’s investigation shows that cookies of Atlassian products remain valid for a period of 30 days, even if the password is changed and 2FA is enabled. Hence, threat actors can restore Jira, Confluence, Trello, or BitBucket sessions, using stolen cookies, even if they don’t have access to Multi-factor Authentication (MFA), OTP/ PIN. The cookies, by default, expire when the user logs out, or after 30 days.(Check the complete blog)
This is a known issue, and most companies do not consider it to be within the scope of security reporting, because to use this and get into systems, tokens are required.
However, it is no longer very difficult for threat actors to get their hands on these tokens. With the rise in device compromise campaigns, breaches, and password leaks, cookie theft has become commonplace. And cookies are available for sale and one can simply search for a company, buy their logs, find relevant tokens to gain access to their internal systems. In the last 30 days, more than 200unique instances of atlassian.net related credentials/ cookies have been put up for sale on darkweb marketplaces. Given that the credentials were put up for sale in the last 30 days, it is highly likely that many of them are still active.
In the case of Atlassian products, only one JSON web token (JWT) is required to hijack a session i.e.cloud.session.token. Atlassian JWT (JSON Web Token) tokens have the email address embedded in the cookie. Hence, it is easy to determine which user the cookie belongs to.
You can check if your organization’s data is available for sale on dark web marketplaces here.