Atlassian's Response to the LAPSUS$ Okta Incident

@Dan Hranj considering that the screenshot with the ticket clearly has ".atlassian.net" in the URL (see https://twitter.com/vxunderground/status/1506114493067186183/photo/2) I think it's a bit misleading to brand this an "internal Jira instance", or at least requires rephrasing, as it seems to imply that the instance is an on-premises one i.e. Server/DC not one in Atlassian Cloud.

https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/

There are some references in this article about LAPSUS$ using Jira and Confluence as a target in the companies.

@Leandro Rezende - Once an attacker gains a foothold in an environment they will naturally look for ways to move laterally, escalate privileges, and steal data and Atlassian products may be a target.

All non-cloud customers should strive to apply security patches to internal server and data center products in a timely manner.

We also encourage all customers to use strong passwords with two-factor authentication and restrict access to data with the principle of least privilege in mind.

Considering the fact that in this case the attacker allegedly could reset passwords and 2FA this last encouragement is really moot, since it would be the password and 2FA on OKTA side – both for Atlassian Cloud instances and Server/DC with SAML SSO app.

Very important to have 2FA as a token (some Authenticator app, not message) with controls of trusted devices.