Report Malware Abuse

I WILL post this over and over again until your staff members decide to handle the issue. Please pay more attention to your corporate social responsibility instead of deleting reports and doing nothing.

The following bucket is used to host and distribute malware.

https://bitbucket.org/trustedrootdev/file/downloads/

All the files hosted in the bucket are scrambled by just reversing the byte order. The following pseudocode unscrambles the files and retrieves the malicious files.

// Byte array of a raw file.
let data_in = readFromFile('downloaded_file_path');

// Byte array holding the unscrambled file.
let data_out = Array(data_in.length);

// Copy the bytes in reverse order: the last input byte becomes the first output byte.
for(let i = 0 ; i < data_in.length ; i++)
{
  data_out[i] = data_in[data_in.length - i - 1];
}

writeToFile('/path/to/malware.dll', data_out);

Entry point executable found in the wild:
https://www.virustotal.com/gui/file/64b516f51f36316f3c1d3e3a1a3abc510d5bff7bc56e28ade5e418d1cbfb1dc2/

Scrambled file downloaded by mentioned executable in the reported bucket:
https://www.virustotal.com/gui/file/888b0b22eeb98965c95529291e07a91193736a713279af346bf446892b7eec97/

Unscrambled actual malicious payload:
https://www.virustotal.com/gui/file/7d9fbf3eb00d964d69b72ce86c01e6082ee45ee8fbb820a12ea36aa12ea96323/

All files in the reported bucket are scrambled in the same way and are malicious. Many of the files have over 100k hits, with over 1M potential infections combined based on the public stats on the repository page. The crooks are still using the bucket to deliver malware and removal should be performed ASAP.

Also, the issue is reported here as your company provides absolutely no way to notify you. The lack of a malware/abuse reporting channel has already been prompted in the following report, ignorantly closed by your staff.
https://jira.atlassian.com/browse/BCLOUD-8658

Similar massive abuses have also been reported in 2020 by multiple cybersecurity vendors:
https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware
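
An added example, not part of the original post: a triage check that flags a download which only becomes a Windows PE image after its byte order is reversed, the scrambling described in the report above. The function names and the sample bytes are constructed for illustration, and the PE check reads only the `MZ` magic, `e_lfanew` and the `PE\0\0` signature.

```javascript
// Added example: flag files that are a PE image only after byte reversal.
// All names and sample bytes here are constructed for illustration.

// True if buf starts with a DOS header whose e_lfanew points at "PE\0\0".
function looksLikePE(buf) {
  if (buf.length < 0x40 || buf[0] !== 0x4d || buf[1] !== 0x5a) return false; // "MZ"
  const peOffset = buf.readUInt32LE(0x3c); // e_lfanew field of the DOS header
  if (peOffset > buf.length - 4) return false; // signature must lie inside the file
  return buf.readUInt32LE(peOffset) === 0x00004550; // bytes 50 45 00 00
}

// Return a reversed copy of buf; the input buffer is left untouched.
function reverseBytes(buf) {
  return Buffer.from(buf).reverse();
}

// Classify a download as 'pe', 'reversed-pe' or 'unknown'.
function classify(buf) {
  if (looksLikePE(buf)) return 'pe';
  // Cheap pre-check: a reversed PE ends with "ZM", so most files skip the copy.
  const n = buf.length;
  if (n >= 0x40 && buf[n - 1] === 0x4d && buf[n - 2] === 0x5a &&
      looksLikePE(reverseBytes(buf))) {
    return 'reversed-pe';
  }
  return 'unknown';
}

// Constructed sample: a 0x80-byte stub holding only the fields the check reads.
function buildSamplePE() {
  const pe = Buffer.alloc(0x80);      // zero-filled
  pe.write('MZ', 0, 'latin1');        // DOS magic
  pe.writeUInt32LE(0x40, 0x3c);       // e_lfanew -> 0x40
  pe.write('PE', 0x40, 'latin1');     // the two bytes after it are already zero
  return pe;
}

const sample = buildSamplePE();
console.log(classify(sample));                      // unscrambled image
console.log(classify(reverseBytes(sample)));        // scrambled form
console.log(classify(Buffer.from('hello world')));  // neither
```
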

5 answers

2 votes
Answer accepted
Andy Heinzer Atlassian Team Jan 03, 2022

Hi @Lilavaz atheropids 

Thanks for reporting this repo. My apologies for the difficulties in making such a report to us. Your original post was incorrectly flagged as spam by our automated content moderation system.

In the future, you can report such sites either to our support team, in which case https://support.atlassian.com/contact is the page we suggest.  Admittedly though, if you do not have a paid support contract with us, going to that page will automatically redirect you here to Community.  You can post these requests here to Community if you like.

Alternatively, anyone can also reach out to abuse@atlassian.com with details of any Atlassian site that is violating our terms of service, so that our anti-abuse team can investigate further.

I am happy to report that this site has been taken down.

Thanks again for letting us know.

Andy

Thank you for resolving the issue. Also, thank you for mentioning the contact email that I can contact in the future.

2 votes
Ben Atlassian Team Oct 30, 2022

Hi everyone,

I thought I would let you all know that I have created a documentation page specifically for this topic - you can view this at the below link:
https://confluence.atlassian.com/bbkb/report-malware-hosted-on-bitbucket-cloud-1167844183.html

Cheers!

- Ben (Bitbucket Cloud Support)

1 vote

Hi @Lilavaz atheropids,

Thank you for your report. I have created a ticket with the Bitbucket Cloud support team to look into this; you should have received an email with a link to the support ticket.

Your previous posts were removed automatically due to our spam filters; I'll bring up this issue to my team.

Kind regards,
Theodora

0 votes

Hmm, ok, so

"I WILL post this over and over again until your staff member decide to handle the issue. Please pay more attention to your corporation social responsibility instead of deleting reports and do nothing."

I note that your previous reports are being removed because they look malicious.  It's nothing to do with the staff.

And also, this isn't correct: "Also, the issue is reported here as your company provides absolutely no way to notify you. "

As noted in the issue you've referred to

See https://www.atlassian.com/trust/security 

See  https://jira.atlassian.com for the tracking of problems raised  

You can report anything to Atlassian via https://support.atlassian.com/contact as well and have been able to do so (as noted in the trust and security docs) for several years.  Atlassian doesn't just use jira.atlassian.com for their tracking, this route tries to guide your question/report/request to the right place by asking you some questions.  Sometimes it will land you in "create issue" in Jira.

0 votes

Wow, good catch. 

Do you know how to handle activities like this on GitHub?
