Description
It has been reported that threat actors are exploiting stolen session cookies to gain access to Atlassian products such as Jira, Confluence, Trello, Bitbucket etc. As per reports, session cookies of Atlassian products remain valid for a period of 30 days unless the user logs out, even if the password is changed and two-factor authentication is enabled.
Further, there are reports that session cookies stolen by credential stealer malware such as Vidar, Redline, Raccoon etc. are available on dark-web forums and are being used to obtain the JSON Web Token (JWT) required to hijack a session of Atlassian products such as Jira. Atlassian JWT tokens contain the email address embedded in the cookie, which allows identification of the associated users. It is suspected that a number of organizations may be affected or at risk of being compromised due to the abuse of stolen cookies/tokens to access Atlassian products.
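For incident responders handling tokens recovered from a compromised endpoint, the Python below is an added example (not part of the advisory and not Atlassian code) that decodes a JWT payload, extracts any embedded email addresses to identify the affected users, and applies the 30-day validity period to decide which sessions to revoke first. It assumes the token carries the standard `iat` (issued-at) claim; the function names and sample token are constructed for illustration.

```python
import base64
import json
import re
import time

SESSION_LIFETIME_DAYS = 30  # validity period stated in the advisory
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def decode_claims(token):
    """Return the JWT payload as a dict without verifying the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def find_emails(value):
    """Collect email addresses from any string anywhere in the claims."""
    if isinstance(value, str):
        return set(EMAIL_RE.findall(value))
    if isinstance(value, dict):
        value = list(value.values())
    if isinstance(value, list):
        return set().union(*(find_emails(v) for v in value))
    return set()

def triage(token, now=None):
    """Map a recovered token to its users and whether it may still be live."""
    now = time.time() if now is None else now
    claims = decode_claims(token)
    issued = claims.get("iat")  # assumption: standard RFC 7519 issued-at claim
    age_days = None if issued is None else (now - issued) / 86400
    return {
        "emails": sorted(find_emails(claims)),
        "age_days": age_days,
        # Unknown age is treated as live so the session still gets revoked.
        "revoke_now": age_days is None or age_days < SESSION_LIFETIME_DAYS,
    }

def make_sample(claims):
    """Build a constructed, unsigned sample token for the demonstration."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), "constructed-signature"])

if __name__ == "__main__":
    now = 1_700_000_000  # constructed reference time
    sample = make_sample({"sub": "user@example.com", "iat": now - 5 * 86400})
    print(triage(sample, now))
```

The email search walks every claim, so it does not depend on the name of the field in which the address is stored.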
The following measures are recommended to mitigate the risk of unauthorized access to Atlassian products.
Organizations should ensure the usage of trusted and hardened systems for application and network access.
Log out of sensitive applications on a regular basis.
Set a shorter idle session for Atlassian products via admin.atlassian.com under the Security → Authentication policies section.
Implement idle-session timeout to enforce re-logins.
Keep the operating system and application software up to date with patches and fixes.
Keep antivirus and antispyware signatures up to date at the desktop and gateway level.
Review the access and application privileges of applications.
About Cert Advisory
We have created this blog to provide the latest security advisories from the India CERT on security vulnerabilities, threats, attacks and the patching required to mitigate any kind of cyber attack.