It was reported today (June 18th, 2024) that a new Zero-Day RCE Exploit for Atlassian Jira has been put on sale on the dark web.
A Zero-Day RCE exploit is a cyberattack vector that takes advantage of an unknown or unaddressed security flaw in computer software, hardware or firmware. "Zero day" refers to the fact that the software or device vendor has zero days to fix the flaw because malicious actors can already use it to access vulnerable systems. More information is available on the IBM website.
The announced exploit, which targets Atlassian’s Jira, is alleged to work on the latest version of Jira Desktop without requiring any login credentials. Additionally, it is compatible with Okta Single Sign-On (SSO), making it even more attractive to bad actors who might want to buy the exploit and use it.
Our own security industry contacts have anecdotally mentioned to us that the exploit is being shopped around for an unusually high price: the equivalent of $15 million USD in cryptocurrency.
At the time of writing this post (and we will monitor and update), we are not sure whether this exploit is listed in the latest Atlassian Security Bulletin, but some CVEs are listed that look similar.
By its nature, this exploit looks very dangerous for those who are impacted. The usual strategy of multiple layers of digital defense applies to those exposed, and it’s strongly recommended that security professionals and Jira Admins take a moment to review and double-check their existing data protection and resilience controls, such as security policies, network firewalls, and infrastructure patches and updates.
"In Cloud, the responsibility for protecting your data is shared between you, Atlassian, and the companies who build and operate any Marketplace apps you use. In this whitepaper, learn about how we’ve optimized the Atlassian Platform with data protection capabilities in each layer to provide maximum protection, and how we’re empowering Marketplace partners to protect your data when you install apps."
Atlassian Cloud Protection Whitepaper
As always, we recommend that the data and configuration of your site be further protected by providing a logical ‘air gap’ between your business applications (in this case Jira) and your data backups, so that a compromised system can be completely restored.
As it appears to be limited to on-premises Atlassian software only, cloud customers can breathe a sigh of relief this time. But as I’m writing this, I am thinking back to the very informative workshop that I had with expert security advisors (Antonio and Gabriele) where two scary topics were explored:
This incident is yet another reminder that information security and resilience need to be front of mind no matter where your information systems reside, as there are numerous bad actors out there making a flourishing career out of finding, exposing and selling security flaws.
Disclaimer and References
This is an opinion piece only, and the information provided is based on the following sources:
https://confluence.atlassian.com/security/security-bulletin-june-18-2024-1409286211.html
https://dailydarkweb.net/zero-day-rce-exploit-for-atlassian-jira-for-sale/
https://x.com/MonThreat/status/1802612486144749798
https://www.ibm.com/topics/zero-day