Security Flaw in Atlassian Products (Jira, Confluence, Trello, BitBucket) Affecting Multiple Companies

13 Dec 2022
CloudSEK’s investigation shows that cookies of Atlassian products remain valid for a period of 30 days, even if the password is changed and 2FA is enabled. Hence, threat actors can restore Jira, Confluence, Trello, or BitBucket sessions using stolen cookies, even without access to the MFA OTP/PIN. By default, the cookies expire when the user logs out or after 30 days.
Obtaining these tokens is no longer difficult for threat actors. With the rise in device-compromise campaigns, breaches, and password leaks, cookie theft has become commonplace, and stolen cookies are openly sold: one can simply search for a company, buy its logs, and find the relevant tokens to gain access to its internal systems.
In the case of Atlassian products, only one JSON Web Token (JWT) is required to hijack a session, i.e. cloud.session.token. Atlassian JWTs have the user’s email address embedded in the token, so it is easy to determine which user a stolen cookie belongs to.
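Because the token carries the user’s identity and a fixed lifetime, an incident responder who receives a dump of leaked cookies can triage them to decide which accounts need a forced logout. The script below is an added illustration, not CloudSEK’s or Atlassian’s code: it reads the unverified payload of a JWT and reports the embedded user and remaining validity. The claim names email, iat and exp and the sample token are assumptions constructed for the demo, not documented Atlassian claim names.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT without verifying the signature.
    Verification needs the issuer's key; for triage we only need to read
    who the token belongs to and when it expires."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT")
    return json.loads(_b64url_decode(parts[1]))


def triage_leaked_token(token: str, now: Optional[int] = None) -> dict:
    """Summarise a leaked session token: embedded user and whether it is
    still inside its validity window (claim names are assumed, see lead-in)."""
    claims = decode_jwt_claims(token)
    now = int(time.time()) if now is None else now
    exp = claims.get("exp")
    return {
        "email": claims.get("email"),
        "issued_at": claims.get("iat"),
        "expires_at": exp,
        "still_valid": exp is not None and now < exp,
        "days_left": None if exp is None else max(0, (exp - now) // 86400),
    }


def make_constructed_jwt(claims: dict, key: bytes) -> str:
    """Build an HS256 JWT for the constructed sample (not a real Atlassian token)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


# Constructed sample: token issued at ISSUED with the 30-day lifetime the advisory describes.
ISSUED = 1670000000  # constructed epoch timestamp
SAMPLE_TOKEN = make_constructed_jwt(
    {"email": "alice@example.com", "iat": ISSUED, "exp": ISSUED + 30 * 86400},
    b"constructed-demo-key",
)

if __name__ == "__main__":
    print(triage_leaked_token(SAMPLE_TOKEN, now=ISSUED + 10 * 86400))
```

Run over a stealer-log dump, the still_valid flag tells you which users to log out and re-authenticate first, since a password reset alone does not invalidate the session.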
Mitigation Measures
Encourage employees to log out of sensitive applications on a regular basis.
Set a shorter idle-session timeout for Atlassian products via admin.atlassian.com under the Security → Authentication policies section until a fix is released by Atlassian.
Implement an idle-session timeout to enforce re-logins.
Monitor cybercrime forums for the latest tactics used by threat actors.
Check whether your organization’s data is available for sale on dark web marketplaces.
