Report Malware Abuse

Lilavaz atheropids January 2, 2022

I WILL post this over and over again until your staff members decide to handle the issue. Please pay more attention to your corporate social responsibility instead of deleting reports and doing nothing.

The following bucket is used to host and distribute malware.

https://bitbucket.org/trustedrootdev/file/downloads/

All the files hosted in the bucket are scrambled by just reversing the byte order. The following pseudocode unscrambles the files and retrieves the malicious files.

const fs = require('fs');

// Byte array of a raw file.
let data_in = fs.readFileSync('downloaded_file_path');

// Byte array holding the unscrambled file.
let data_out = Buffer.alloc(data_in.length);

for (let i = 0; i < data_in.length; i++)
{
  // Output byte i is input byte (length - 1 - i): the whole file reversed.
  data_out[i] = data_in[data_in.length - i - 1];
}

fs.writeFileSync('/path/to/malware.dll', data_out);

Entry point executable found in the wild:
https://www.virustotal.com/gui/file/64b516f51f36316f3c1d3e3a1a3abc510d5bff7bc56e28ade5e418d1cbfb1dc2/

Scrambled file downloaded by mentioned executable in the reported bucket:
https://www.virustotal.com/gui/file/888b0b22eeb98965c95529291e07a91193736a713279af346bf446892b7eec97/

Unscrambled actual malicious payload:
https://www.virustotal.com/gui/file/7d9fbf3eb00d964d69b72ce86c01e6082ee45ee8fbb820a12ea36aa12ea96323/

All files in the reported bucket are scrambled in the same way and are malicious. Many of the files have over 100k hits, with over 1M potential infections combined based on the public stats on the repository page. The crooks are still using the bucket to deliver malware and removal should be performed ASAP.

Also, the issue is reported here as your company provides absolutely no way to notify you. The lack of a malware/abuse reporting channel has already been prompted in the following report, ignorantly closed by your staff.
https://jira.atlassian.com/browse/BCLOUD-8658

Similar massive abuses have also been reported in 2020 by multiple cybersecurity vendors:
https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware
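
An added triage example, not part of the original post or any Atlassian code: it flags a download that is a Windows PE image stored back to front, the scrambling the report describes, and hashes the restored bytes for lookup. It assumes the payload is a PE file (the post writes it out as a .dll); the function names and the sample buffer are constructed for illustration.

```javascript
// Added example: detect a PE image that has been stored byte-reversed.
const crypto = require('crypto');

const sha256 = (buf) => crypto.createHash('sha256').update(buf).digest('hex');

// Reverse every byte of the file (the transform described in the report).
function reverseBytes(buf) {
  const out = Buffer.alloc(buf.length);
  for (let i = 0; i < buf.length; i++) out[i] = buf[buf.length - 1 - i];
  return out;
}

// True when buf starts with "MZ" and its e_lfanew field points at "PE\0\0".
function looksLikePE(buf) {
  if (buf.length < 0x40 || buf[0] !== 0x4d || buf[1] !== 0x5a) return false;
  const peOffset = buf.readUInt32LE(0x3c);
  if (peOffset > buf.length - 4) return false;
  return buf.readUInt32LE(peOffset) === 0x00004550;
}

// Classify a download as a plain PE, a byte-reversed PE, or neither.
function classify(buf) {
  if (looksLikePE(buf)) return { verdict: 'pe', sha256: sha256(buf) };
  const n = buf.length;
  // Cheap pre-check before copying: a reversed PE ends with the bytes "ZM".
  if (n >= 0x40 && buf[n - 1] === 0x4d && buf[n - 2] === 0x5a) {
    const restored = reverseBytes(buf);
    if (looksLikePE(restored)) {
      return { verdict: 'reversed-pe', sha256: sha256(restored) };
    }
  }
  return { verdict: 'other', sha256: sha256(buf) };
}

// Constructed sample: the smallest header looksLikePE accepts, not real malware.
function makeSamplePE() {
  const pe = Buffer.alloc(0x80);
  pe.write('MZ', 0, 'latin1');
  pe.writeUInt32LE(0x40, 0x3c);
  pe.write('PE\0\0', 0x40, 'latin1');
  return pe;
}

const scrambled = reverseBytes(makeSamplePE());
console.log(classify(scrambled).verdict);
```

The hash returned for a reversed file is that of the restored image, so it can be compared against reputation data for the real payload rather than the scrambled download.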


2 votes
Answer accepted
Andy Heinzer
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
January 3, 2022

Hi @Lilavaz atheropids 

Thanks for reporting this repo. My apologies for the difficulties in making such a report to us. Your original post was incorrectly flagged as spam by our automated content moderation system.

In the future, you can report such sites either to our support team, in which case https://support.atlassian.com/contact is the page we suggest.  Admittedly though, if you do not have a paid support contract with us, going to that page will automatically redirect you here to Community.  You can post these requests here to Community if you like.

Alternatively, anyone can also reach out to abuse@atlassian.com with details of any Atlassian site that is violating our terms of service, so that our anti-abuse team can investigate further.

I am happy to report that this site has been taken down.

Thanks again for letting us know.

Andy

Lilavaz atheropids January 3, 2022

Thank you for resolving the issue. Also, thank you for mentioning the contact email that I can contact in the future.

2 votes
Ben
Atlassian Team
October 30, 2022

Hi everyone,

I thought I would let you all know that I have created a documentation page specifically for this topic - you can view this at the below link:
https://confluence.atlassian.com/bbkb/report-malware-hosted-on-bitbucket-cloud-1167844183.html

Cheers!

- Ben (Bitbucket Cloud Support)

1 vote
Theodora Boudale
Atlassian Team
January 3, 2022

Hi @Lilavaz atheropids,

Thank you for your report. I have created a ticket with the Bitbucket Cloud support team to look into this; you should have received an email with a link to the support ticket.

Your previous posts were removed automatically due to our spam filters; I'll bring up this issue to my team.

Kind regards,
Theodora

0 votes
Nic Brough -Adaptavist-
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
January 2, 2022

Hmm, ok, so

"I WILL post this over and over again until your staff members decide to handle the issue. Please pay more attention to your corporate social responsibility instead of deleting reports and doing nothing."

I note that your previous reports are being removed because they look malicious.  It's nothing to do with the staff.

And also, this isn't correct: "Also, the issue is reported here as your company provides absolutely no way to notify you. "

As noted in the issue you've referred to

See https://www.atlassian.com/trust/security 

See  https://jira.atlassian.com for the tracking of problems raised  

You can report anything to Atlassian via https://support.atlassian.com/contact as well and have been able to do so (as noted in the trust and security docs) for several years.  Atlassian doesn't just use jira.atlassian.com for their tracking, this route tries to guide your question/report/request to the right place by asking you some questions.  Sometimes it will land you in "create issue" in Jira.

0 votes
Gonchik Tsymzhitov
Community Leader
January 2, 2022

Wow, good catch. 

Do you know how to handle activities like this on GitHub?
