https://feed.craftedsignal.io/tags/bitbucket/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioFri, 01 Nov 2024 12:00:00 +0000https://feed.craftedsignal.io/briefs/2024-11-bitbucket-ssh-change/Fri, 01 Nov 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-11-bitbucket-ssh-change/An attacker modifies Bitbucket global SSH settings to potentially enable unauthorized access and lateral movement.This brief focuses on the detection of unauthorized changes to Bitbucket’s global SSH settings. While the specific actor remains unknown, the modification of these settings is a significant security concern. The activity is detected via Bitbucket audit logs. Modification of global SSH settings can allow attackers to gain unauthorized access to repositories, potentially leading to code compromise, data breaches, or further lateral movement within the network. This activity is particularly important for organizations relying on Bitbucket for source code management and secure development workflows. The audit logs are the primary source of information, specifically focusing on events categorized as ‘Global administration’ with the action ‘SSH settings changed’.

Attack Chain

1. The attacker gains initial access to a Bitbucket account with administrative privileges, possibly through credential compromise or exploiting a vulnerability.
2. The attacker authenticates to the Bitbucket web interface.
3. The attacker navigates to the global SSH settings configuration page within the Bitbucket administration panel.
4. The attacker modifies global SSH settings, such as adding a new public key or changing authentication requirements.
5. Bitbucket logs the ‘SSH settings changed’ event in the audit logs under the ‘Global administration’ category.
6. The attacker leverages the modified SSH settings to clone repositories or push malicious code.
7. The attacker uses compromised code or data to move laterally within the organization’s network, targeting other systems and resources.

Impact

Successful modification of Bitbucket global SSH settings can allow unauthorized access to all repositories within the Bitbucket instance. This can lead to code theft, injection of malicious code, and data breaches. The impact may extend beyond the Bitbucket environment if the compromised code is deployed to production systems or used in other development processes. Organizations using Bitbucket for critical projects are at higher risk.

Recommendation

• Deploy the provided Sigma rule to your SIEM to detect unauthorized changes to Bitbucket global SSH settings in the audit logs.
• Investigate any detected instances of “SSH settings changed” in the Bitbucket audit logs to determine the legitimacy of the changes.
• Enforce multi-factor authentication (MFA) for all Bitbucket accounts, especially those with administrative privileges, to mitigate credential compromise as an initial access vector.
• Review Bitbucket’s audit log configuration to ensure the “Advance” log level is enabled to capture the necessary audit events.

]]>mediumadvisorylateral-movementdefense-impairmentbitbuckethttps://feed.craftedsignal.io/briefs/2024-10-bitbucket-audit-config-mod/Sat, 26 Oct 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-10-bitbucket-audit-config-mod/An attacker may modify the Bitbucket audit log configuration to impair security monitoring and evade detection.Attackers may target Bitbucket audit log configurations to reduce or eliminate logging, thereby hindering incident response and forensic investigations. Modifying audit settings is a defense evasion technique that allows malicious actors to operate with less visibility. This activity typically occurs post-compromise. This brief focuses on detecting such modifications. Visibility of audit events requires at least “Basic” log level configuration.

Attack Chain

1. An attacker gains unauthorized access to a Bitbucket instance, potentially through compromised credentials or exploiting a vulnerability.
2. The attacker authenticates to the Bitbucket web interface or uses the Bitbucket API.
3. The attacker navigates to the audit log configuration settings within the Bitbucket administration panel.
4. The attacker modifies the audit log settings, such as disabling logging for specific event categories or reducing the log retention period.
5. The Bitbucket server processes the configuration change request.
6. Audit events related to the configuration change are logged (if auditing is still enabled for such events).
7. The attacker performs malicious activities, such as creating unauthorized repositories or exfiltrating source code, with reduced risk of detection.

Impact

Successful modification of the Bitbucket audit log configuration allows attackers to operate with significantly reduced visibility. This can lead to delayed detection of breaches, prolonged dwell time, and increased data exfiltration. Without proper audit logging, organizations will struggle to identify the scope and impact of a compromise.

Recommendation

• Deploy the “Bitbucket Audit Log Configuration Updated” Sigma rule to your SIEM to detect changes to audit log configurations (logsource: bitbucket, service: audit).
• Ensure Bitbucket audit logging is enabled at the “Basic” level or higher, as lower levels may not capture configuration changes (logsource: bitbucket, service: audit).
• Investigate any detected instances of audit log configuration changes to determine if they are authorized (Sigma rule: “Bitbucket Audit Log Configuration Updated”).

]]>mediumadvisoryattack.defense-impairmentattack.t1562.004bitbuckethttps://feed.craftedsignal.io/briefs/2024-04-bitbucket-secret-scanning-exempt/Mon, 29 Apr 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-04-bitbucket-secret-scanning-exempt/An attacker may attempt to disable or bypass secret scanning on a Bitbucket repository to avoid detection of committed secrets, potentially leading to credential compromise and subsequent unauthorized access.Attackers can weaken an organization’s security posture by disabling or bypassing security controls within Bitbucket. This allows sensitive information, such as API keys, passwords, and other credentials, to be committed to the repository without detection. By adding a repository to the secret scanning exemption list, attackers can effectively disable a key preventative measure, making it easier to introduce and maintain compromised credentials within the codebase. This can lead to unauthorized access, data breaches, and other serious security incidents. This technique allows attackers to impair defenses, avoiding detection of secrets being committed to the repository.

Attack Chain

1. An attacker gains unauthorized access to a Bitbucket account with repository administration privileges.
2. The attacker navigates to the repository settings within Bitbucket.
3. The attacker accesses the secret scanning configuration for the repository.
4. The attacker identifies the option to add the repository to the exemption list for secret scanning.
5. The attacker adds the repository to the exemption list, effectively disabling secret scanning for that repository.
6. The attacker commits sensitive information (secrets, credentials) to the now-exempt repository.
7. The secrets are committed without triggering secret scanning alerts.
8. The attacker uses the committed secrets to gain unauthorized access to other systems or data.

Impact

Compromising secrets within a Bitbucket repository can lead to a variety of negative consequences, including unauthorized access to sensitive data, compromised infrastructure, and data breaches. While the exact number of affected organizations is unknown, the potential impact is significant for any organization using Bitbucket to store code and manage secrets. Successful exploitation allows attackers to move laterally within the network and escalate privileges.

Recommendation

• Deploy the Sigma rule “Bitbucket Secret Scanning Exempt Repository Added” to your SIEM to detect when a repository is added to the secret scanning exemption list (logsource: bitbucket).
• Investigate any detected instances of repositories being added to the secret scanning exemption list to determine if the change was authorized.
• Ensure that appropriate access controls are in place to prevent unauthorized users from modifying repository settings.
• Review Bitbucket audit logs regularly to identify suspicious activity related to secret scanning configuration changes (logsource: bitbucket).

]]>mediumadvisoryattack.defense-impairmentattack.t1685bitbuckethttps://feed.craftedsignal.io/briefs/2024-03-bitbucket-login-fail/Fri, 08 Mar 2024 15:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-03-bitbucket-login-fail/Detection of Bitbucket user login failures, potentially indicating credential access attempts, initial access attempts, or other malicious activity.This threat brief focuses on detecting user login failures within Bitbucket environments. Monitoring failed login attempts is crucial as it can indicate various malicious activities, including credential stuffing, brute-force attacks, or attempts to gain unauthorized initial access. The audit logs in Bitbucket record details of these authentication failures, providing valuable data for security monitoring. The rule provided detects these events and can be used for correlation with other security events based on the “author.name” field for enhanced accuracy and context. Requires “Advance” log level to receive audit events.

Attack Chain

1. Initial Access Attempt: An attacker attempts to gain initial access to a Bitbucket account using a compromised or guessed username.
2. Credential Guessing: The attacker attempts to guess the user’s password through manual attempts or automated tools.
3. Authentication Failure: Bitbucket records a “User login failed” event due to incorrect credentials. The auditType.category is Authentication, and auditType.action is User login failed.
4. Multiple Failed Attempts: The attacker repeats the login attempts with different password variations or using a list of compromised credentials.
5. Account Lockout (Optional): Depending on Bitbucket’s configuration, repeated failed login attempts may trigger an account lockout.
6. Successful Login (Potential): After multiple attempts, the attacker may eventually guess the correct password or use a valid compromised credential.
7. Privilege Escalation/Persistence (If Successful): If successful, the attacker could escalate privileges, establish persistence, or perform other malicious actions within the Bitbucket environment.

Impact

Successful exploitation can lead to unauthorized access to sensitive code repositories, intellectual property theft, and potential supply chain compromise. Attackers could inject malicious code, modify existing code, or exfiltrate sensitive data. Detecting these failed login attempts early can prevent significant damage. Although the number of victims cannot be determined with this specific detection, a successful attack can have far-reaching impacts.

Recommendation

• Deploy the Sigma rule “Bitbucket User Login Failure” to your SIEM to detect suspicious authentication failures (logsource: bitbucket, service: audit). Tune for your environment by correlating on the author.name field.
• Investigate the source IP addresses associated with the failed login attempts to identify potential malicious actors.
• Implement multi-factor authentication (MFA) to significantly reduce the risk of successful credential-based attacks.
• Monitor for unusual activity following any successful login after a series of failures.
• Enforce strong password policies to reduce the effectiveness of brute-force attacks.

]]>mediumadvisorybitbucketauthenticationbrute-forcecredential-accessinitial-access