Atlassian has refuted a cybersecurity company’s claim that they suffered a cyber-attack due to a bug in Atlassian products or by compromising Atlassian systems. The clarification came after the huge PR backlash Atlassian faced over the issue.
Atlassian’s security team opened an investigation on December 7 after cybersecurity company CloudSek issued an alert on unauthorized access to their Cloud account. The Atlassian probe proved that the hacker used session tokens, stolen by a piece of malware installed on one of the company’s computers. Subsequently, Atlassian invalidated the client’s affected session tokens.
“This incident was in no way caused by a vulnerability in Atlassian products or a compromise of Atlassian systems. Our security team did not find a vulnerability in Atlassian Cloud or On-Premise products or a breach of Atlassian systems related to the incident,” read the statement by Dan Hranj, Security Intelligence Team Lead at Atlassian.
Cyber-attack, damage control, and fault-finding
CloudSEK Lead Security Researcher Sparsh Kulshrestha published a blog post on December 13 as a follow-up on the cyber-attack that the company faced, squarely placing the blame on Atlassian products for such attacks.
“During the course of investigation into the root cause of the incident, the internal investigation team identified that the threat actor gained access to a CloudSEK employee’s Jira account, using Jira session cookies present in stealer logs being sold on the darkweb,” the post read.
“Following further investigation, it was found that for Atlassian products (Jira, Confluence, and BitBucket), cookies are not invalidated, even if the password is changed, with 2FA (Two-factor Authentication) enabled, as the cookie validity is 30 days,” it added.
The cybersecurity community quickly took up the post, resulting in a sector-wide PR backlash against Atlassian and its products Jira, Confluence, and BitBucket.
Warped discourse
Cybersecurity news and information handles on Twitter and LinkedIn were predominantly critical towards Atlassian.
Prevent Breach CTO Nicolas Chaillan was among the harshest critics, claiming in his LinkedIn post that Atlassian has “the worst security posture” and that the company’s executives were non-responsive to his alerts on vulnerabilities.
CloudSEK’s Kulshrestha was particularly active on Atlassian Community, the cloud service provider’s forum for user feedback, to vehemently assert the fact that Atlassian is at fault, even blaming the company admin for deleting his comments (which appeared to have been done by a non-employee moderator of the forum). Kulshrestha then posted, “It seems like they silently patched the vulnerability and now they are claiming that there was no vulnerability. That’s why they deleted my comments with screenshots of POC.”.
“We understand that this incident has spurred many of you to look into the availability of your data on similar dark web marketplaces. We want to emphasize that this was an isolated customer incident caused by malware on the customer’s computer,” Hranj’s explainer note continued.
Mike Rathwell, a third-party consultant, replied to the latest explainer that he has been trying to clear the air since the CloudSEK blog post.
“I have been pestered a lot about this since this came out. I wrote a rather long explanation to be shared citing corroborating evidence that the OP was blaming their hack on someone/something else whilst apparently trying to get business to confirm that water is wet and the sky is blue.”
