(Photo credits: Atlassian, 2016)
One-sentence summary:
A misconfiguration by Atlassian allowed SiegedSec to obtain employee credentials and pivot to Envoy, stealing Atlassian floor plans and employee data of allegedly 13,000 employees.
Who was involved?
Atlassian, Envoy, and SiegedSec.
What was the timeline?
February 15: The data leak was posted online by SiegedSec (SOCRadar, 2023). Confirmation was quickly made by Atlassian (Abrams, 2023).
February 17: Envoy states that Atlassian was breached and that the attacker pivoted from there into Envoy's network (Abrams, 2023).
What occurred?
Initially, Atlassian accidentally pushed a user’s credentials to a public repository, allowing SiegedSec to harvest the credentials and gain initial access into Atlassian (Abrams, 2023, para. 20). From there, SiegedSec pivoted into Atlassian’s partner, Envoy. Floor plans and employee data for allegedly 13,000 employees were exfiltrated (SOCRadar, 2023). Both parties state that the incident was contained within their own environments and that other customers’ data was not accessed (Abrams, 2023). Atlassian promptly initiated incident response and disabled the compromised account, effectively containing the incident (Abrams, 2023, para. 23).
Estimated costs:
Potential incident response costs. Outside IR costs are not clear.
Involved laws:
TBA.
Root cause:
Misconfiguration: public read access of credentials (Abrams, 2023, para. 20).
Lessons learned:
Enact and enforce a doer-and-checker validation system in DevOps workflows so that a second person reviews changes before they are pushed. Configure DLP (data loss prevention) on public repositories to automatically quarantine sensitive information (Polymer, 2023). Audit repository pushes and commits for sensitive information. Review and scan repositories on a continual basis for misconfiguration and exposed secrets.
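The two auditing lessons above (checking pushes and commits, and scanning repositories continually) come down to the same mechanism: inspect the text a commit adds before it reaches a public remote. The following is an added example, not code from Atlassian, Envoy or any of the cited sources, and the credential patterns, the entropy threshold and the sample diff are assumptions constructed for illustration. It scans only the lines a unified diff adds (what a pre-commit or pre-receive hook sees), filters out low-entropy placeholders such as "changeme", and redacts the matched value in its own report so the finding cannot itself leak the secret.

```python
import math
import re
from dataclasses import dataclass
from typing import Dict, List, Pattern

# Illustrative credential patterns (an assumption for this example, not a
# complete or vendor-endorsed ruleset).
SECRET_PATTERNS: Dict[str, Pattern[str]] = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "credential_assignment": re.compile(
        r"(?i)\b(password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]?([^\s'\"]{8,})"
    ),
}

@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int      # line number in the new revision of the file
    rule: str
    excerpt: str      # redacted, so the report itself does not leak the value

def shannon_entropy(value: str) -> float:
    """Bits per character: random tokens score high, words and placeholders low."""
    if not value:
        return 0.0
    n = len(value)
    counts: Dict[str, int] = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum((c / n) * math.log2(c / n) for c in counts.values())

def redact(match_text: str) -> str:
    """Keep a short prefix so a finding is identifiable but not reusable."""
    return match_text[:12] + "..." if len(match_text) > 12 else match_text

def check_line(path: str, line_no: int, text: str, min_entropy: float = 3.5) -> List[Finding]:
    """Apply every rule to one line; entropy gate drops obvious placeholders."""
    findings: List[Finding] = []
    for rule, pattern in SECRET_PATTERNS.items():
        m = pattern.search(text)
        if m is None:
            continue
        if rule == "credential_assignment" and shannon_entropy(m.group(2)) < min_entropy:
            continue  # e.g. 'password = changeme' is a placeholder, not a leak
        findings.append(Finding(path, line_no, rule, redact(m.group(0))))
    return findings

def scan_file(path: str, content: str) -> List[Finding]:
    """Whole-file scan, for the periodic repository sweep."""
    findings: List[Finding] = []
    for line_no, text in enumerate(content.splitlines(), start=1):
        findings.extend(check_line(path, line_no, text))
    return findings

HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

def scan_diff(diff_text: str) -> List[Finding]:
    """Scan only the lines a commit adds, tracking new-revision line numbers."""
    findings: List[Finding] = []
    path = "<unknown>"
    new_line = 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):                 # new-file header, must precede the '+' check
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path
            continue
        if raw.startswith("--- "):                 # old-file header
            continue
        m = HUNK_RE.match(raw)
        if m:
            new_line = int(m.group(1))
            continue
        if raw.startswith("+"):
            findings.extend(check_line(path, new_line, raw[1:]))
            new_line += 1
        elif raw.startswith("-"):
            continue                               # removed line: absent from the new revision
        else:
            new_line += 1                          # context line
    return findings

# Constructed sample diff: one real-looking key, one random token, one placeholder.
SAMPLE_DIFF = """\
diff --git a/deploy/config.yml b/deploy/config.yml
--- a/deploy/config.yml
+++ b/deploy/config.yml
@@ -1,3 +1,5 @@
 service: badge-sync
+aws_access_key_id: AKIAEXAMPLE123456789
+api_key = "Xq9v2LmP7zR4tK1wB8nD"
 region: us-east-1
+password = changeme
"""

if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF):
        print(f"{f.path}:{f.line_no} [{f.rule}] {f.excerpt}")
```

In a pre-commit hook the same function would be fed the output of `git diff --cached`, and a non-empty result would block the commit; the periodic sweep the lessons call for is the same rules run through scan_file over every tracked file. The entropy gate is a trade-off: it keeps reviewers from tuning out on placeholder noise, but a real password made of dictionary words can score below the threshold, which is why the fixed-format rules (key prefixes, private-key headers) do not go through it.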
Sources:
Abrams, L. (2023, February 17). Atlassian data leak caused by stolen employee credentials. BleepingComputer. Retrieved February 19, 2023, from https://www.bleepingcomputer.com/news/security/atlassian-data-leak-caused-by-stolen-employee-credentials/
Atlassian. (2016, September 1). File:Jira-software rgb blue(1).svg. Wikimedia Commons. https://commons.wikimedia.org/wiki/File:Jira-software_rgb_blue%281%29.svg
Polymer. (2023, February 4). Data Loss Prevention for GitHub – Polymer DLP. Retrieved February 19, 2023, from https://www.polymerhq.io/github-dlp/
SOCRadar. (2023, February 17). Atlassian Hacked: SiegedSec Hacker Group Leaks Company’s Data. SOCRadar® Cyber Intelligence Inc. Retrieved February 19, 2023, from https://socradar.io/atlassian-hacked-siegedsec-hacker-group-leaks-companys-data/