Report Malware Abuse

I WILL post this over and over again until your staff members decide to handle the issue. Please pay more attention to your corporate social responsibility instead of deleting reports and doing nothing.

The following bucket is used to host and distribute malware.

https://bitbucket.org/trustedrootdev/file/downloads/

All the files hosted in the bucket are scrambled by just reversing the byte order. The following pseudocode unscrambles the files and retrieves the malicious files.

// Byte array of a raw file.
let data_in = readFromFile('downloaded_file_path');

// Byte array holding the unscrambled file.
let data_out = Array(data_in.length);

for (let i = 0; i < data_in.length; i++)
{
  // Output byte i is input byte (length - 1 - i): the file read back to front.
  data_out[i] = data_in[data_in.length - 1 - i];
}

writeToFile('/path/to/malware.dll', data_out);

Entry point executable found in the wild:
https://www.virustotal.com/gui/file/64b516f51f36316f3c1d3e3a1a3abc510d5bff7bc56e28ade5e418d1cbfb1dc2/

Scrambled file downloaded by mentioned executable in the reported bucket:
https://www.virustotal.com/gui/file/888b0b22eeb98965c95529291e07a91193736a713279af346bf446892b7eec97/

Unscrambled actual malicious payload:
https://www.virustotal.com/gui/file/7d9fbf3eb00d964d69b72ce86c01e6082ee45ee8fbb820a12ea36aa12ea96323/

All files in the reported bucket are scrambled in the same way and are malicious. Many of the files have over 100k hits, with over 1M potential infections combined based on the public stats on the repository page. The crooks are still using the bucket to deliver malware and removal should be performed ASAP.

Also, the issue is reported here as your company provides absolutely no way to notify you. The lack of a malware/abuse reporting channel has already been prompted in the following report, ignorantly closed by your staff.
https://jira.atlassian.com/browse/BCLOUD-8658

Similar massive abuses have also been reported in 2020 by multiple cybersecurity vendors:
https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware
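
A download that is a Windows PE file with its byte order reversed, as the post above describes, can be flagged statically: it ends in the bytes "ZM", and reversing it yields a valid DOS/PE header chain. The check below is an added example, not part of the original post; the function names and the sample buffer are constructed for illustration.

```javascript
// Added example: classify a downloaded blob as a PE file, a byte-reversed PE
// file, or neither. Nothing is executed; only header fields are inspected.

// True if buf starts with a DOS "MZ" header whose e_lfanew field
// (offset 0x3c) points at a "PE\0\0" signature inside the buffer.
function looksLikePe(buf) {
  if (buf.length < 0x40 || buf[0] !== 0x4d || buf[1] !== 0x5a) return false;
  const peOffset = buf.readUInt32LE(0x3c);
  if (peOffset > buf.length - 4) return false; // pointer outside the file
  return buf.readUInt32LE(peOffset) === 0x00004550; // "PE\0\0"
}

// Returns a reversed copy; the input buffer is left untouched.
function reverseBytes(buf) {
  return Buffer.from(buf).reverse();
}

// Returns 'pe', 'reversed-pe' or 'unknown'.
function classifyBlob(buf) {
  if (looksLikePe(buf)) return 'pe';
  const n = buf.length;
  // Cheap pre-filter before copying: a reversed PE must end with "ZM".
  const endsWithZM = n >= 0x40 && buf[n - 1] === 0x4d && buf[n - 2] === 0x5a;
  if (endsWithZM && looksLikePe(reverseBytes(buf))) return 'reversed-pe';
  return 'unknown';
}

// Constructed sample: a 128-byte stub carrying only the fields checked above.
function makeSamplePe() {
  const pe = Buffer.alloc(128);
  pe.write('MZ', 0, 'latin1');
  pe.writeUInt32LE(0x40, 0x3c); // e_lfanew
  pe.write('PE\0\0', 0x40, 'latin1');
  return pe;
}

console.log(classifyBlob(makeSamplePe()));               // plain stub
console.log(classifyBlob(reverseBytes(makeSamplePe()))); // scrambled stub
```

Checking the PE signature after reversal, rather than only the trailing "ZM", keeps arbitrary files that happen to end in those two bytes from being flagged.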

4 answers

1 accepted

2 votes
Answer accepted
Andy Heinzer Atlassian Team Jan 03, 2022

Hi @Lilavaz atheropids

Thanks for reporting this repo. My apologies for the difficulties in making such a report to us. Your original post was incorrectly flagged as spam by our automated content moderation system.

In the future, you can report such sites either to our support team, in which case https://support.atlassian.com/contact is the page we suggest. Admittedly though, if you do not have a paid support contract with us, going to that page will automatically redirect you here to Community. You can post these requests here to Community if you like.

Alternatively, anyone can also reach out to abuse@atlassian.com with details of any Atlassian site that is violating our terms of service, so that our anti-abuse team can investigate further.

I am happy to report that this site has been taken down.

Thanks again for letting us know.

Andy

Thank you for resolving the issue. Also, thank you for mentioning the contact email that I can contact in the future.

1 vote

Hi @Lilavaz atheropids,

Thank you for your report. I have created a ticket with Bitbucket Cloud support team to look into this, you should have received an email with a link to the support ticket.

Your previous posts were removed automatically due to our spam filters, I'll bring up this issue to my team.

Kind regards,
Theodora

0 votes

Hmm, ok, so

"I WILL post this over and over again until your staff members decide to handle the issue. Please pay more attention to your corporate social responsibility instead of deleting reports and doing nothing."

I note that your previous reports are being removed because they look malicious. It's nothing to do with the staff.

And also, this isn't correct: "Also, the issue is reported here as your company provides absolutely no way to notify you."

As noted in the issue you've referred to

See https://www.atlassian.com/trust/security

See https://jira.atlassian.com for the tracking of problems raised

You can report anything to Atlassian via https://support.atlassian.com/contact as well and have been able to do so (as noted in the trust and security docs) for several years. Atlassian doesn't just use jira.atlassian.com for their tracking, this route tries to guide your question/report/request to the right place by asking you some questions. Sometimes it will land you in "create issue" in Jira.

0 votes

Wow, good catch.

Do you know how to handle activities like this on GitHub?
