Tag: Jira

  • The Trusted Trap: How Hackers are Weaponizing GitHub and Jira Notifications to Bypass Filters

    A routine missive from a familiar service has long since ceased to be a hallmark of security. Specialists from Cisco Talos have identified a nascent surge in cyber offensives wherein adversaries exploit the legitimate notification frameworks of GitHub and Jira to disseminate phishing attempts and spam with minimal interference. From an external perspective, these communications manifest as standard alerts from reputable platforms, thereby engendering less suspicion and attaining a higher rate of successful delivery to their intended recipients.

    According to Talos, perpetrators embed deceptive lures directly into the content of automated notifications. Within the GitHub ecosystem, this stratagem revolves around code commits. Attackers forge repositories and infuse the commit descriptions with fraudulent invoices, counterfeit “technical support” prompts, or other data-exfiltration ruses. Once a commit is dispatched, GitHub’s own infrastructure broadcasts the notification. Such correspondence effortlessly satisfies standard authentication protocols—including SPF, DKIM, and DMARC—rendering email filters far less likely to categorize the message as a threat.

    Talos reports that during a five-day observation window, 1.2% of all traffic originating from noreply@github.com contained the keyword “invoice” within the subject line. This activity peaked on February 17, 2026, when the proportion of such deceptive emails escalated to approximately 2.89% of the daily sample.

    With Jira, the methodology diverges. While the platform itself does not permit the alteration of email templates, it allows for the population of project and invitation fields. Adversaries establish projects within Jira Service Management, inserting misleading titles and introductory prose before broadcasting invitations to targeted addresses. Consequently, Atlassian dispatches a branded email where the malicious lure is seamlessly integrated into a trusted template. This technique is particularly hazardous within corporate environments, where Jira notifications are habitually perceived as internal, utilitarian communications.

    Cisco Talos contends that the primary issue lies not in a vulnerability of the platforms themselves, but in the inherent trust afforded to their infrastructure. Criminals utilize the esteemed reputation of SaaS providers as a shroud, circumventing defenses calibrated to verify domain authority and technical authenticity. The authors of the report advocate that organizations scrutinize not merely the sender, but the functional context within the service. This involves analyzing GitHub and Atlassian logs via API, monitoring for anomalous invitations or the creation of dubious projects, and subjecting notifications with atypical content to rigorous secondary verification.
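
    The secondary content check recommended above, as an added example that is not from Talos or the original post: it treats a passing DMARC result on a SaaS notification as proof of origin only and inspects the user-controlled text. The Atlassian sender domain, the lure terms other than "invoice", the phone-number heuristic and all sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# github.com is the sender domain named in the article; atlassian.net as the
# Jira notification domain is an assumption for this example.
SAAS_DOMAINS = ("github.com", "atlassian.net")
# "invoice" is the keyword Talos measured; the other terms are assumed.
LURE = re.compile(r"\b(invoice|payment|refund|subscription|technical support)\b", re.I)
# Assumed heuristic: a phone number has no place in a commit or invite notice.
PHONE = re.compile(r"\+?\d[\d\s().-]{8,}\d")

def triage(raw):
    """Return (verdict, reasons) for one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    if not any(domain == d or domain.endswith("." + d) for d in SAAS_DOMAINS):
        return "normal-pipeline", []
    reasons = []
    # These notifications pass SPF/DKIM/DMARC by design, so a pass proves only
    # the origin; a failure on a SaaS sender domain is itself worth review.
    if "dmarc=pass" not in str(msg.get("Authentication-Results", "")).lower():
        reasons.append("dmarc-not-pass")
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part else ""
    if LURE.search(str(msg.get("Subject", ""))):
        reasons.append("lure-in-subject")
    if LURE.search(body):
        reasons.append("lure-in-body")
    if PHONE.search(body):
        reasons.append("phone-number-in-body")
    return ("review" if reasons else "deliver"), reasons

def sample(sender, subject, body):
    """Build a constructed test message; not real traffic."""
    return (f"From: {sender}\nSubject: {subject}\nAuthentication-Results: "
            f"mx.example.net; spf=pass; dkim=pass; dmarc=pass\n\n{body}\n")

LURE_MAIL = sample("example-user <noreply@github.com>",
                   "[example-user/repo] Invoice 48213 payment confirmed",
                   "Your subscription was renewed for $499.00. "
                   "To cancel, call +1 (555) 010-0199.")
CLEAN_MAIL = sample("dev <noreply@github.com>", "[org/repo] Fix null check",
                    "Commit 9f8e7d6: fix null check in parser.")
OTHER_MAIL = sample("alice@example.org", "Invoice attached", "See attachment.")

if __name__ == "__main__":
    for name in ("LURE_MAIL", "CLEAN_MAIL", "OTHER_MAIL"):
        print(name, triage(globals()[name]))
```

    Messages that come back as "review" are the ones to hold for the rigorous secondary verification the report describes; the term list and sender domains should be tuned to the organization's own notification traffic.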

  • AtlasReaper: reconnaissance of Confluence and Jira

    AtlasReaper

    AtlasReaper is a command-line tool developed for offensive security purposes, primarily focused on reconnaissance of Confluence and Jira. It also provides various features that can be helpful for tasks such as credential farming and social engineering. The tool is written in C#.

    Blog post: Sowing Chaos and Reaping Rewards in Confluence and Jira

    Usage

    AtlasReaper uses commands, subcommands, and options. The format for executing commands is as follows:

    .\AtlasReaper.exe [command] [subcommand] [options]

    Replace [command], [subcommand], and [options] with the appropriate values based on the action you want to perform. For more information about each command or subcommand, use the -h or --help option.

    Below is a list of available commands and subcommands:

    Commands

    Each command has subcommands for interacting with the specific product.

    • confluence
    • jira

    Subcommands

    Confluence

    • confluence attach – Attach a file to a page.
    • confluence download – Download an attachment.
    • confluence embed – Embed a 1×1 pixel image to perform farming attacks.
    • confluence link – Add a link to a page.
    • confluence listattachments – List attachments.
    • confluence listpages – List pages in Confluence.
    • confluence listspaces – List spaces in Confluence.
    • confluence search – Search Confluence.

    Jira

    • jira addcomment – Add a comment to an issue.
    • jira attach – Attach a file to an issue.
    • jira createissue – Create a new issue.
    • jira download – Download attachment(s) from an issue.
    • jira listattachments – List attachments on an issue.
    • jira listissues – List issues in Jira.
    • jira listprojects – List projects in Jira.
    • jira listusers – List Atlassian users.
    • jira searchissues – Search issues in Jira.

    Common Commands

    • help – Display more information on a specific command.

    Examples

    Here are a few examples of how to use AtlasReaper:

    • Search for a keyword in Confluence with wildcard search:

      .\AtlasReaper.exe confluence search --query "http*example.com*" --url $url --cookie $cookie

    • Attach a file to a page in Confluence:

      .\AtlasReaper.exe confluence attach --page-id "12345" --file "C:\path\to\file.exe" --url $url --cookie $cookie

    • Create a new issue in Jira:

      .\AtlasReaper.exe jira createissue --project "PROJ" --issue-type Task --message "I can't access this link from my host" --url $url --cookie $cookie

    Authentication

    Confluence and Jira can be configured to allow anonymous access. You can check this by omitting the -c/--cookie option from the commands.

    In the event authentication is required, you can dump cookies from a user’s browser with SharpChrome or another similar tool.

    1. .\SharpChrome.exe cookies /showall

    2. Look for any cookies scoped to *.atlassian.net named cloud.session.token or tenant.session.token.

    Limitations

    Please note the following limitations of AtlasReaper:

    • The tool has not been thoroughly tested in all environments, so it’s possible to encounter crashes or unexpected behavior. Efforts have been made to minimize these issues, but caution is advised.
    • AtlasReaper uses the cloud.session.token or tenant.session.token which can be obtained from a user’s browser. Alternatively, it can use anonymous access if permitted. (API tokens or other auth is not currently supported)
    • For write operations, the username associated with the user session token (or “anonymous”) will be listed.
