{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/bitbucket/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Bitbucket"],"_cs_severities":["medium"],"_cs_tags":["lateral-movement","defense-impairment","bitbucket"],"_cs_type":"advisory","_cs_vendors":["Atlassian"],"content_html":"\u003cp\u003eThis brief focuses on the detection of unauthorized changes to Bitbucket\u0026rsquo;s global SSH settings. While the specific actor remains unknown, the modification of these settings is a significant security concern. The activity is detected via Bitbucket audit logs. Modification of global SSH settings can allow attackers to gain unauthorized access to repositories, potentially leading to code compromise, data breaches, or further lateral movement within the network. This activity is particularly important for organizations relying on Bitbucket for source code management and secure development workflows. The audit logs are the primary source of information, specifically focusing on events categorized as \u0026lsquo;Global administration\u0026rsquo; with the action \u0026lsquo;SSH settings changed\u0026rsquo;.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a Bitbucket account with administrative privileges, possibly through credential compromise or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the Bitbucket web interface.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the global SSH settings configuration page within the Bitbucket administration panel.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies global SSH settings, such as adding a new public key or changing authentication requirements.\u003c/li\u003e\n\u003cli\u003eBitbucket logs the \u0026lsquo;SSH settings changed\u0026rsquo; event in the audit logs under the \u0026lsquo;Global administration\u0026rsquo; category.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the modified SSH settings to clone repositories or push malicious code.\u003c/li\u003e\n\u003cli\u003eThe attacker uses compromised code or data to move laterally within the organization\u0026rsquo;s network, targeting other systems and resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of Bitbucket global SSH settings can allow unauthorized access to all repositories within the Bitbucket instance. This can lead to code theft, injection of malicious code, and data breaches. The impact may extend beyond the Bitbucket environment if the compromised code is deployed to production systems or used in other development processes. Organizations using Bitbucket for critical projects are at higher risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect unauthorized changes to Bitbucket global SSH settings in the audit logs.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instances of \u0026ldquo;SSH settings changed\u0026rdquo; in the Bitbucket audit logs to determine the legitimacy of the changes.\u003c/li\u003e\n\u003cli\u003eEnforce multi-factor authentication (MFA) for all Bitbucket accounts, especially those with administrative privileges, to mitigate credential compromise as an initial access vector.\u003c/li\u003e\n\u003cli\u003eReview Bitbucket\u0026rsquo;s audit log configuration to ensure the \u0026ldquo;Advance\u0026rdquo; log level is enabled to capture the necessary audit events.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-11-01T12:00:00Z","date_published":"2024-11-01T12:00:00Z","id":"/briefs/2024-11-bitbucket-ssh-change/","summary":"An attacker modifies Bitbucket global SSH settings to potentially enable unauthorized access and lateral movement.","title":"Bitbucket Global SSH Settings Changed","url":"https://feed.craftedsignal.io/briefs/2024-11-bitbucket-ssh-change/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Bitbucket"],"_cs_severities":["medium"],"_cs_tags":["attack.defense-impairment","attack.t1562.004","bitbucket"],"_cs_type":"advisory","_cs_vendors":["Atlassian"],"content_html":"\u003cp\u003eAttackers may target Bitbucket audit log configurations to reduce or eliminate logging, thereby hindering incident response and forensic investigations. Modifying audit settings is a defense evasion technique that allows malicious actors to operate with less visibility. This activity typically occurs post-compromise. This brief focuses on detecting such modifications. Visibility of audit events requires at least \u0026ldquo;Basic\u0026rdquo; log level configuration.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to a Bitbucket instance, potentially through compromised credentials or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the Bitbucket web interface or uses the Bitbucket API.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the audit log configuration settings within the Bitbucket administration panel.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the audit log settings, such as disabling logging for specific event categories or reducing the log retention period.\u003c/li\u003e\n\u003cli\u003eThe Bitbucket server processes the configuration change request.\u003c/li\u003e\n\u003cli\u003eAudit events related to the configuration change are logged (if auditing is still enabled for such events).\u003c/li\u003e\n\u003cli\u003eThe attacker performs malicious activities, such as creating unauthorized repositories or exfiltrating source code, with reduced risk of detection.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of the Bitbucket audit log configuration allows attackers to operate with significantly reduced visibility. This can lead to delayed detection of breaches, prolonged dwell time, and increased data exfiltration. Without proper audit logging, organizations will struggle to identify the scope and impact of a compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Bitbucket Audit Log Configuration Updated\u0026rdquo; Sigma rule to your SIEM to detect changes to audit log configurations (logsource: bitbucket, service: audit).\u003c/li\u003e\n\u003cli\u003eEnsure Bitbucket audit logging is enabled at the \u0026ldquo;Basic\u0026rdquo; level or higher, as lower levels may not capture configuration changes (logsource: bitbucket, service: audit).\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instances of audit log configuration changes to determine if they are authorized (Sigma rule: \u0026ldquo;Bitbucket Audit Log Configuration Updated\u0026rdquo;).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-10-26T12:00:00Z","date_published":"2024-10-26T12:00:00Z","id":"/briefs/2024-10-bitbucket-audit-config-mod/","summary":"An attacker may modify the Bitbucket audit log configuration to impair security monitoring and evade detection.","title":"Bitbucket Audit Log Configuration Modified","url":"https://feed.craftedsignal.io/briefs/2024-10-bitbucket-audit-config-mod/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Bitbucket Server"],"_cs_severities":["medium"],"_cs_tags":["attack.defense-impairment","attack.t1685","bitbucket"],"_cs_type":"advisory","_cs_vendors":["Atlassian"],"content_html":"\u003cp\u003eAttackers can weaken an organization\u0026rsquo;s security posture by disabling or bypassing security controls within Bitbucket. This allows sensitive information, such as API keys, passwords, and other credentials, to be committed to the repository without detection. By adding a repository to the secret scanning exemption list, attackers can effectively disable a key preventative measure, making it easier to introduce and maintain compromised credentials within the codebase. This can lead to unauthorized access, data breaches, and other serious security incidents. This technique allows attackers to impair defenses, avoiding detection of secrets being committed to the repository.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to a Bitbucket account with repository administration privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the repository settings within Bitbucket.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the secret scanning configuration for the repository.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the option to add the repository to the exemption list for secret scanning.\u003c/li\u003e\n\u003cli\u003eThe attacker adds the repository to the exemption list, effectively disabling secret scanning for that repository.\u003c/li\u003e\n\u003cli\u003eThe attacker commits sensitive information (secrets, credentials) to the now-exempt repository.\u003c/li\u003e\n\u003cli\u003eThe secrets are committed without triggering secret scanning alerts.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the committed secrets to gain unauthorized access to other systems or data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromising secrets within a Bitbucket repository can lead to a variety of negative consequences, including unauthorized access to sensitive data, compromised infrastructure, and data breaches. While the exact number of affected organizations is unknown, the potential impact is significant for any organization using Bitbucket to store code and manage secrets. Successful exploitation allows attackers to move laterally within the network and escalate privileges.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Bitbucket Secret Scanning Exempt Repository Added\u0026rdquo; to your SIEM to detect when a repository is added to the secret scanning exemption list (logsource: bitbucket).\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instances of repositories being added to the secret scanning exemption list to determine if the change was authorized.\u003c/li\u003e\n\u003cli\u003eEnsure that appropriate access controls are in place to prevent unauthorized users from modifying repository settings.\u003c/li\u003e\n\u003cli\u003eReview Bitbucket audit logs regularly to identify suspicious activity related to secret scanning configuration changes (logsource: bitbucket).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-04-29T12:00:00Z","date_published":"2024-04-29T12:00:00Z","id":"/briefs/2024-04-bitbucket-secret-scanning-exempt/","summary":"An attacker may attempt to disable or bypass secret scanning on a Bitbucket repository to avoid detection of committed secrets, potentially leading to credential compromise and subsequent unauthorized access.","title":"Bitbucket Repository Exempted from Secret Scanning","url":"https://feed.craftedsignal.io/briefs/2024-04-bitbucket-secret-scanning-exempt/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Bitbucket"],"_cs_severities":["medium"],"_cs_tags":["bitbucket","authentication","brute-force","credential-access","initial-access"],"_cs_type":"advisory","_cs_vendors":["Atlassian"],"content_html":"\u003cp\u003eThis threat brief focuses on detecting user login failures within Bitbucket environments. Monitoring failed login attempts is crucial as it can indicate various malicious activities, including credential stuffing, brute-force attacks, or attempts to gain unauthorized initial access. The audit logs in Bitbucket record details of these authentication failures, providing valuable data for security monitoring. The rule provided detects these events and can be used for correlation with other security events based on the \u0026ldquo;author.name\u0026rdquo; field for enhanced accuracy and context. Requires \u0026ldquo;Advance\u0026rdquo; log level to receive audit events.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access Attempt:\u003c/strong\u003e An attacker attempts to gain initial access to a Bitbucket account using a compromised or guessed username.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Guessing:\u003c/strong\u003e The attacker attempts to guess the user\u0026rsquo;s password through manual attempts or automated tools.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAuthentication Failure:\u003c/strong\u003e Bitbucket records a \u0026ldquo;User login failed\u0026rdquo; event due to incorrect credentials. The \u003ccode\u003eauditType.category\u003c/code\u003e is Authentication, and \u003ccode\u003eauditType.action\u003c/code\u003e is User login failed.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMultiple Failed Attempts:\u003c/strong\u003e The attacker repeats the login attempts with different password variations or using a list of compromised credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAccount Lockout (Optional):\u003c/strong\u003e Depending on Bitbucket\u0026rsquo;s configuration, repeated failed login attempts may trigger an account lockout.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSuccessful Login (Potential):\u003c/strong\u003e After multiple attempts, the attacker may eventually guess the correct password or use a valid compromised credential.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation/Persistence (If Successful):\u003c/strong\u003e If successful, the attacker could escalate privileges, establish persistence, or perform other malicious actions within the Bitbucket environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized access to sensitive code repositories, intellectual property theft, and potential supply chain compromise. Attackers could inject malicious code, modify existing code, or exfiltrate sensitive data. Detecting these failed login attempts early can prevent significant damage. Although the number of victims cannot be determined with this specific detection, a successful attack can have far-reaching impacts.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Bitbucket User Login Failure\u0026rdquo; to your SIEM to detect suspicious authentication failures (logsource: bitbucket, service: audit). Tune for your environment by correlating on the author.name field.\u003c/li\u003e\n\u003cli\u003eInvestigate the source IP addresses associated with the failed login attempts to identify potential malicious actors.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) to significantly reduce the risk of successful credential-based attacks.\u003c/li\u003e\n\u003cli\u003eMonitor for unusual activity following any successful login after a series of failures.\u003c/li\u003e\n\u003cli\u003eEnforce strong password policies to reduce the effectiveness of brute-force attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-03-08T15:00:00Z","date_published":"2024-03-08T15:00:00Z","id":"/briefs/2024-03-bitbucket-login-fail/","summary":"Detection of Bitbucket user login failures, potentially indicating credential access attempts, initial access attempts, or other malicious activity.","title":"Bitbucket User Login Failure Detection","url":"https://feed.craftedsignal.io/briefs/2024-03-bitbucket-login-fail/"}],"language":"en","title":"CraftedSignal Threat Feed — Bitbucket","version":"https://jsonfeed.org/version/1.1"}