500,000+ computers compromised by malware hosted on Bitbucket
Bitbucket, the Atlassian Corp. Plc-owned git code hosting service, has been abused to compromise 500,000 computers globally, according to cybersecurity firm Cybereason Inc.
The hacking campaign involves using malware hosted on Bitbucket to deliver what Cybereason describes as “an arsenal of malware that is able to steal data, mine for cryptocurrency and deliver ransomware to victims all over the world.”
What makes the attack unusual, or perhaps suggests that more than one group is behind the abuse, is the sheer variety of malware being delivered.
Malware types detected include Predator, a type of malware designed to steal information including cryptocurrency wallets; Azorult, another information stealer that also has backdoor capabilities; Evasive Monero Miner, a cryptocurrency mining script; STOP Ransomware, ironically named ransomware that encrypts files and demands a ransom; Vidar, another information stealer that can also take screenshots; Amadey bot, a Trojan that is used to collect reconnaissance information; and finally IntelRapid, a cryptocurrency stealer that steals different types of cryptocurrency wallets.
On the good side, if there is one with more than 500,000 victims, Bitbucket disabled the malicious repositories within a few hours of being informed. That they existed on Bitbucket for a time without being detected remains a major concern, however.
“This research highlights an ongoing trend with cybercriminals where they abuse legitimate online storage platforms like Github, Dropbox, Google Drive and Bitbucket to distribute commodity malware,” Cybereason noted.
“We are constantly working to ensure that users do not store illegal information on Bitbucket or break our terms of service,” Atlassian said in a statement. “Atlassian Acceptable Use Policy does not allow content that ‘contains viruses, bots, worms, scripting exploits, or other similar materials.’”
The company added that “as soon as we were informed of malware hosted on Bitbucket and confirmed the accuracy of the report, we disabled all the affected repositories. To help protect our services, we are continuing to invest in improving the automated capabilities we use to prevent misuse and enforce our terms of service.”
Erich Kron, security awareness advocate at security awareness training firm KnowBe4 Inc., told SiliconANGLE that this is an example of people being tempted with a free ride, but ending up in a bad place.
“Using the promise of free software that is otherwise rather expensive, these attackers are using our human nature against us in order to drop some pretty nasty malware onto people’s computers,” Kron said. “This type of emotional manipulation is common in phishing attacks, such as the long-running Nigerian Prince scam, where something valuable is offered for nothing.”
People need to be reminded that downloading “cracked” software is likely to carry a significant cost of its own in the long run, he added. “Instead, if a person really needs the software, they can look at subscription models, possible employer participation in programs that can get employees free or reduced price software, or even educational versions,” he said. “These are all better options than cracked versions.”