Atlassian products flaw allowed hackers to sell data online

December 15, 2022

After the recent data breach incident at CloudSEK, in which a threat actor gained access to an employee’s Jira account, the company launched an investigation and reported that the root cause was stolen session cookies for Atlassian products: cookies that had never been invalidated were being sold on the dark web.

The affected Atlassian products include Jira, Confluence, Trello, and Bitbucket. Analysis of the incident revealed that session cookies for these products were not invalidated even when the company changed passwords and enabled two-factor authentication (2FA). This is because the session cookies only expire when a user logs out or after 30 days.


The security flaw in the affected Atlassian products resulted in hackers selling massive data on dark web marketplaces.


More than 1,282,800 compromised computers and 16,200 Jira session cookies were found for sale on dark web marketplaces as a result of the flaw in the Atlassian products. Security researchers therefore fear that other hackers could take over numerous companies’ Jira accounts if the flaw is not resolved.

Researchers added that many threat actors have been actively exploiting the Atlassian flaw, given its massive user base of more than 10 million users from about 180,000 companies worldwide.

The 30-day validity of Atlassian products’ session cookies allowed attackers to restore web sessions using the stolen cookies. They could do so without access to one-time passwords from MFA, because by default the cookies expire only when the user logs out or when the 30-day validity period ends.
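The weakness described above is a session store that ends a session only on logout or after a fixed 30 days, so a password change or 2FA enrolment leaves every previously issued cookie alive. The following is an added example, not code from CloudSEK or Atlassian, showing the usual server-side mitigation: each session records the credential version it was issued under, and any password change or 2FA enrolment bumps that version so old cookies stop validating. The absolute 30-day lifetime matches the article; the 8-hour idle timeout, the user names, and the `FakeClock` used to simulate time are assumptions made for this example.

```python
import secrets
import time
from dataclasses import dataclass

# 30-day absolute lifetime, matching the cookie validity described in the article.
ABSOLUTE_LIFETIME = 30 * 24 * 3600
# Idle timeout is an assumption for this example; the article does not give one.
IDLE_TIMEOUT = 8 * 3600


class FakeClock:
    """Controllable clock so expiry can be exercised without waiting (constructed for this example)."""

    def __init__(self, start: float) -> None:
        self.now = start

    def time(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


@dataclass
class User:
    name: str
    # Incremented whenever the password changes or 2FA is enrolled;
    # sessions minted under an older version stop validating.
    credential_version: int = 0


@dataclass
class Session:
    user: str
    credential_version: int
    issued_at: float
    last_seen: float
    revoked: bool = False


class SessionStore:
    def __init__(self, clock=time.time, bind_to_credentials: bool = True) -> None:
        self.clock = clock
        # When False, the store behaves like the weak scheme the article describes:
        # only logout and the 30-day limit end a session.
        self.bind_to_credentials = bind_to_credentials
        self.users: dict[str, User] = {}
        self.sessions: dict[str, Session] = {}

    def add_user(self, name: str) -> None:
        self.users[name] = User(name)

    def login(self, name: str) -> str:
        """Mint an unguessable token and record the credential version it was issued under."""
        token = secrets.token_urlsafe(32)
        now = self.clock()
        self.sessions[token] = Session(name, self.users[name].credential_version, now, now)
        return token

    def validate(self, token: str) -> bool:
        """Accept the token only if it is unrevoked, within both lifetimes, and still credential-bound."""
        session = self.sessions.get(token)
        if session is None or session.revoked:
            return False
        now = self.clock()
        if now - session.issued_at > ABSOLUTE_LIFETIME:
            return False
        if now - session.last_seen > IDLE_TIMEOUT:
            return False
        current_version = self.users[session.user].credential_version
        if self.bind_to_credentials and session.credential_version != current_version:
            return False  # issued before a password change or 2FA enrolment
        session.last_seen = now
        return True

    def logout(self, token: str) -> None:
        session = self.sessions.get(token)
        if session is not None:
            session.revoked = True

    def change_credentials(self, name: str) -> None:
        """Password change or 2FA enrolment: bump the version so every existing session is cut off."""
        self.users[name].credential_version += 1


def stolen_cookie_survives_credential_change(bind_to_credentials: bool) -> bool:
    """Simulate a stolen cookie: does it still validate after the victim rotates credentials?"""
    clock = FakeClock(1_700_000_000.0)
    store = SessionStore(clock=clock.time, bind_to_credentials=bind_to_credentials)
    store.add_user("alice")                # constructed user name
    stolen = store.login("alice")          # cookie copied out by a stealer (constructed scenario)
    clock.advance(3600)
    store.change_credentials("alice")      # victim changes password and enables 2FA
    return store.validate(stolen)


if __name__ == "__main__":
    print("weak scheme, stolen cookie still valid:", stolen_cookie_survives_credential_change(False))
    print("bound scheme, stolen cookie still valid:", stolen_cookie_survives_credential_change(True))
```

With `bind_to_credentials=False` the stolen cookie keeps working after the password change, which is exactly the behaviour the researchers observed; with it enabled, the same cookie is rejected immediately. A real deployment would also persist `credential_version` alongside the account record so the check survives restarts and works across all application nodes.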

The flaw was overlooked despite being a known issue among companies that use Atlassian because, according to the researchers, most companies do not include it in security reporting, since tokens are naturally required to access critical systems.

Conversely, threat actors could obtain these access tokens because breaches, data leaks, device compromises, and session cookie theft have been prevalent in the cybercriminal landscape. Malicious actors interested in such campaigns could simply purchase a targeted company’s leaked logs and tokens, eventually gaining access to internal corporate systems.

The researchers’ analysis found more than 200 unique instances of the discovered Atlassian cookies being sold on the dark web, although some of them may have expired in the 30 days since they were put up for sale.

Nonetheless, the victim data observed in the identified stealer logs includes IP addresses, screenshots, locations, installed software, language, visited websites’ plaintext credentials, hardware configuration, session cookies, cryptocurrency wallet information, online banking details, and more.

Researchers also warned that Brazil, India, and the US are the countries with the most data in the stealer logs, followed by Mexico, Indonesia, the Philippines, Thailand, Turkey, Egypt, and Vietnam.

As a preventive measure while a fix has yet to be released, companies are strongly encouraged to direct employees to log out of sensitive platforms daily so that any stolen session cookies are invalidated.
