HellCat Hackers Launch Global Jira Hacking Blitz

Swiss telecommunications company Ascom has reported a cyberattack on its IT infrastructure, attributed to the hacker group known as HellCat. The attack targeted Ascom's Jira servers: the attackers used compromised credentials to gain unauthorized access to the ticketing system and the sensitive data held in it. The company confirmed the breach in a press release on Sunday and said it is actively investigating the incident.

HellCat has claimed responsibility for the attack and says it extracted approximately 44GB of data, which may affect several divisions within Ascom. Despite the gravity of the breach, Ascom has stated that there has been no impact on its ongoing business operations and that customers and partners are not required to take any immediate protective measures. That assertion concerns operational continuity, not the scope of what was taken, which remains under investigation.

In a statement to BleepingComputer, a member of the HellCat group elaborated on the nature of the stolen data, which reportedly includes source code for multiple products, project details, invoices, and confidential documents alongside issues from the compromised ticketing system. The targeted use of Jira systems for such breaches has become a recurring theme among HellCat’s activities, highlighting a worrying trend in the cybersecurity landscape.

Jira, a widely used project management and issue tracking platform popular among IT and software development teams, often contains sensitive business information. This includes source code, authentication keys, internal IT plans, and customer data, making it a prime target for cybercriminals. Past HellCat incidents have followed the same pattern, with confirmed breaches reported by Schneider Electric, Telefónica, and Orange Group, each stemming from access to the company's Jira server with stolen credentials rather than from a software vulnerability in Jira itself.

Adding to its portfolio of attacks, HellCat recently issued a breach notice regarding British automotive manufacturer Jaguar Land Rover, where it leaked around 700 internal documents. This breach included sensitive employee data, exposing usernames, emails, and other personal information. Such activities underscore the specific pattern in HellCat's operations: the use of Jira credentials harvested from employees' machines by infostealer malware.

According to cybersecurity expert Alon Gal, co-founder and CTO of Hudson Rock, the JLR incident was carried out with credentials belonging to an LG Electronics employee who had third-party access to Jaguar's Jira server. This highlights a significant concern about the longevity of compromised credentials: they sometimes remain valid for years without being rotated, and a stolen password or session for a long-forgotten third-party account works just as well as one stolen yesterday.
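The third-party account in the JLR case had, by Gal's account, been sitting with unchanged credentials for years before it was used. The check below is an added example written for this article, not code from Ascom, Hudson Rock, or Atlassian: it runs over a constructed export of Jira user records (the field names and sample accounts are assumptions for illustration, not Jira's real user schema) and flags the conditions an administrator would want to catch before an infostealer victim's credentials are replayed: credentials older than a year, dormant accounts that are still enabled, a dormant account that suddenly becomes active, and a login from an address not previously seen for that user.

```python
"""Stale-credential and dormant-account review over a constructed Jira user export.

Added example for illustration; the record layout below is an assumption, not
Jira's own schema. Replace ACCOUNTS with data pulled from your user directory
and audit log.
"""
from datetime import date

# Fixed "today" so the example is reproducible offline (assumption).
TODAY = date(2025, 3, 30)

# Constructed sample records. "external" marks third-party/vendor accounts,
# "login_ip_known" says whether the last login came from an address previously
# seen for that user. None of these accounts are real.
ACCOUNTS = [
    {"user": "alice", "external": False, "pw_changed": "2025-01-10",
     "last_login": "2025-03-28", "previous_login": "2025-03-27", "login_ip_known": True},
    # Vendor account: password untouched since 2021, dormant for over a year,
    # then suddenly active from an unfamiliar address. This is the JLR-style case.
    {"user": "vendor.contractor", "external": True, "pw_changed": "2021-05-03",
     "last_login": "2025-03-29", "previous_login": "2023-11-02", "login_ip_known": False},
    {"user": "bob", "external": False, "pw_changed": "2022-08-15",
     "last_login": "2025-03-29", "previous_login": "2025-03-28", "login_ip_known": True},
    # Former partner: still enabled although nobody has used it in over a year.
    {"user": "old.partner", "external": True, "pw_changed": "2020-02-01",
     "last_login": "2024-01-05", "previous_login": "2023-12-30", "login_ip_known": True},
]


def _d(s):
    return date.fromisoformat(s)


def credential_age_days(rec, today=TODAY):
    """Days since the account's password/API credential was last changed."""
    return (today - _d(rec["pw_changed"])).days


def account_findings(rec, today=TODAY, max_age_days=365, dormant_days=90, recent_days=7):
    """Return the list of risk findings for one account record.

    stale_credential    credential older than max_age_days
    dormant_enabled     no login for more than dormant_days, account still enabled
    dormant_reactivated previous login more than dormant_days before the latest one,
                        and the latest login is within recent_days (sudden reuse)
    unknown_ip          latest login from an address not previously seen for the user
    """
    findings = []
    if credential_age_days(rec, today) > max_age_days:
        findings.append("stale_credential")

    since_login = (today - _d(rec["last_login"])).days
    gap = (_d(rec["last_login"]) - _d(rec["previous_login"])).days
    if since_login > dormant_days:
        findings.append("dormant_enabled")
    elif gap > dormant_days and since_login <= recent_days:
        findings.append("dormant_reactivated")

    if not rec["login_ip_known"]:
        findings.append("unknown_ip")
    return findings


def risk_report(accounts, today=TODAY):
    """Map each user to its findings (empty list means nothing flagged)."""
    return {rec["user"]: account_findings(rec, today) for rec in accounts}


def prioritized(accounts, today=TODAY):
    """Flagged users ordered for review: external accounts first, then by
    number of findings, then by name. Third-party access is the pattern the
    article describes, so it goes to the top of the queue."""
    report = risk_report(accounts, today)
    is_external = {rec["user"]: rec["external"] for rec in accounts}
    return sorted(
        (user for user, findings in report.items() if findings),
        key=lambda u: (not is_external[u], -len(report[u]), u),
    )


if __name__ == "__main__":
    report = risk_report(ACCOUNTS)
    for user in prioritized(ACCOUNTS):
        print(f"{user:20s} {', '.join(report[user])}")
```

On the sample data the vendor account is reported first with all three of stale credential, dormant reactivation and unknown address, which is exactly the combination a replayed infostealer credential produces. The thresholds are deliberately parameters: a 365-day credential age is a generous default, and organizations that grant third parties access to a ticketing system holding source code would normally set a much shorter one for external accounts, or better, tie that access to an identity provider that expires it automatically.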

HellCat's activities did not end with Ascom and Jaguar Land Rover. The group also announced a breach of Affinitiv, a marketing firm serving the automotive industry, again through its Jira system. It told BleepingComputer that over 470,000 unique email addresses and more than 780,000 records were obtained in this incursion. Affinitiv has since opened an investigation into the alleged attack.

HellCat backed the Affinitiv claim with screenshots showing client information, including names and addresses. Such breaches point to a broader issue: Jira is an attractive target because of its central role in enterprise workflows. As Alon Gal notes, this type of access lets attackers not only extract sensitive information but also move laterally through networks and elevate their privileges, since tickets and attachments routinely contain credentials, hostnames and deployment details.

Given the frequency of these breaches, organizations that run Jira, and in particular those that grant third parties access to it, need to treat it as a high-value system rather than a back-office tool. HellCat's tactics, obtaining valid credentials from infostealer logs and then using them for initial access and privilege escalation, map directly onto the MITRE ATT&CK framework, where logging in with stolen credentials is catalogued as Valid Accounts (T1078). Mapping the pattern this way is useful because it points defenders at the concrete controls that break it: credential rotation, multi-factor authentication, and monitoring of dormant and third-party accounts.

In conclusion, the repeated targeting of Jira servers underscores a pressing need for security practices that prioritize credential management and regular audits of who can reach sensitive systems, including third parties. The attacks described here relied less on novel exploits than on credentials that were stolen once and never rotated, and the onus remains on organizations to close that gap.
