HellCat Hackers Go on a Worldwide Jira Hacking Spree

Ascom, a Swiss global solutions provider with subsidiaries in 18 countries, has confirmed that its IT infrastructure was breached by a hacker group known as Hellcat. The company announced the attack on Sunday, stating that hackers targeted its technical ticketing system using compromised credentials.

The HellCat hacking group claimed responsibility for the attack and told BleepingComputer that they stole approximately 44GB of data, which may impact all of Ascom's divisions. According to Ascom, however, the incident had no impact on the company's business operations, and customers and partners do not need to take any preventive action.

Ascom is working closely with relevant authorities to investigate the incident and initiate criminal proceedings against those responsible. The company did not provide technical details about the breach but confirmed that targeting the Jira ticketing system has become a common attack method for HellCat hackers.

The HellCat Hacking Group: A Pattern of Jira Breaches

The same hacking group, previously responsible for breaches at Schneider Electric, Telefónica, and Orange Group, has now taken responsibility for an attack on the British multinational car maker Jaguar Land Rover (JLR). In this incident, the hackers stole and leaked about 700 internal documents, including "development logs, tracking data, source codes," and an employee's sensitive information.

Alon Gal, co-founder and CTO at threat intelligence company Hudson Rock, notes that the JLR breach follows a pattern specific to HellCat hackers: the group logs in with Jira credentials harvested from employees whose machines were infected with infostealers, a technique that is becoming increasingly common in HellCat attacks.

The Rise of Jira as a Prime Target

According to Alon Gal, Jira has become a prime target for attackers due to its centrality in enterprise workflows and the wealth of data it houses. The platform often contains sensitive information, such as source code, authentication keys, IT plans, customer information, and internal discussions related to projects.

Gal warns that Jira credentials collected by infostealers are easy to find and remain unchanged for years because companies fail to include them in a regular rotation process. As a result, attacks on Jira will likely become more frequent.

New Target: Affinitiv's Jira System

HellCat hackers have now announced that they have compromised the Jira system of Affinitiv, a marketing company providing data analytics to OEMs and dealerships in the automotive industry. The threat actor disclosed publicly that they had stolen a database with over 470,000 unique emails and more than 780,000 records.

When contacted by BleepingComputer about the alleged attack, Affinitiv confirmed that they had begun an investigation. To prove the breach, hackers published two screenshots with names, email addresses, postal addresses, and dealership names.

The Importance of Jira Security

Gary Heslov, a security researcher at Google, notes that Jira's centrality in enterprise workflows makes it a prime target for attackers. He emphasizes the importance of implementing robust security measures to protect sensitive data on Jira servers.

"It's crucial for organizations to regularly update their credentials and implement multi-factor authentication to prevent credential-based attacks," Heslov said.

Preventing Future Attacks

To defend against HellCat hackers, it is essential to adopt a layered security approach. This includes implementing regular software updates, using strong passwords, and enabling two-factor authentication for Jira credentials.

Avoiding the use of compromised credentials can also help prevent attacks. Companies should regularly rotate their credentials to minimize the risk of exploitation by infostealers.
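The two defensive points above (credentials that go unrotated for years, and accounts without multi-factor authentication) can be turned into a concrete hygiene check. The following script is an added example, not code from the article or from any of the companies it names: it reads a constructed credential inventory, compares each credential's last rotation date against an assumed rotation policy, flags accounts without MFA, and ranks the findings so that the infostealer case (an old credential with no second factor) comes first. The inventory format, account names, dates and policy limits are all assumptions for illustration.

```python
"""Credential-hygiene audit for a ticketing system such as Jira.

Added example (not from the article). Flags credentials that are overdue
for rotation under an assumed policy and accounts that lack MFA, then
orders findings by risk: stale credential + no MFA first.
"""
import csv
import io
from datetime import date

# Constructed inventory (assumption): one row per credential.
# In practice this would be exported from the identity provider or the
# ticketing system's administration console.
INVENTORY_CSV = """account,kind,last_rotated,mfa_enabled
svc-jira-integration,api_token,2021-02-14,no
j.doe,password,2025-01-10,yes
build-bot,api_token,2022-08-01,no
a.smith,password,2023-01-09,no
"""

# Assumed rotation policy, in days, per credential kind.
ROTATION_DAYS = {"password": 90, "api_token": 180}


def parse_inventory(text):
    """Parse the CSV inventory into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def audit(rows, today):
    """Return findings for rows that violate the rotation or MFA policy.

    Each finding carries the account, credential age in days and the list
    of reasons. Findings are sorted by number of reasons (desc) and then
    by age (desc), so the riskiest accounts appear first.
    """
    findings = []
    for row in rows:
        last_rotated = date.fromisoformat(row["last_rotated"])
        age_days = (today - last_rotated).days
        limit = ROTATION_DAYS[row["kind"]]
        reasons = []
        if age_days > limit:
            reasons.append(f"rotation overdue ({age_days} days, limit {limit})")
        if row["mfa_enabled"].strip().lower() != "yes":
            reasons.append("MFA not enabled")
        if reasons:
            findings.append(
                {"account": row["account"], "age_days": age_days, "reasons": reasons}
            )
    # A leaked credential that is both old and unprotected by MFA is exactly
    # what an infostealer log gives an attacker, so rank those first.
    findings.sort(key=lambda f: (-len(f["reasons"]), -f["age_days"]))
    return findings


def run_audit(today_iso):
    """Convenience wrapper: audit the constructed inventory as of a given date."""
    return audit(parse_inventory(INVENTORY_CSV), date.fromisoformat(today_iso))


if __name__ == "__main__":
    # Assumed reference date for the run; any ISO date works.
    for finding in run_audit("2025-03-18"):
        print(f"{finding['account']:<22} {finding['age_days']:>5}d  "
              + "; ".join(finding["reasons"]))
```

The output is a prioritised worklist rather than a pass/fail verdict: the accounts at the top are the ones to rotate and enrol in MFA first, and service accounts (API tokens) tend to surface there because they are the credentials most often left out of rotation processes.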