How safe is your code?

The latest warning from US Cyber Command might seem to refer to a threat that has nothing to do with you, but the truth might surprise you

Monday, 6 September 2021 11:09

Jerome MacGillivray

You may never have heard of Atlassian, or may be unaware of the recent alert, issued by US Cyber Command on Friday 3rd September, about ongoing attempts to hack into a piece of software called Atlassian Confluence. It should nevertheless be a timely reminder that even if you don’t build software, you may still be affected by cyber attacks as the end point of a ‘supply chain’.

Atlassian is a company that makes software predominantly for software developers and development companies. Their products are designed to help manage code and development processes for software teams and include Jira, a tool for issue tracking and Agile project management (Agile being a popular method for managing software development); Bitbucket, a platform for storing and managing code (typically called a ‘code repository’); and Confluence, a wiki-style system for storing information and notes so that teams can collaborate during development.

Atlassian’s Confluence software has recently come under attack, as reported by US Cyber Command and the Cyber National Mission Force (CNMF) on Twitter and highlighted by Hacker News and other publications, as the result of a critical security vulnerability that could be used to take over a victim’s Confluence platform. It appears that hackers are well aware of the problem and that attackers from all around the world have been attempting to take advantage of the weakness in the system.

Atlassian are aware of the risk and have already issued a patch, but inevitably there will be many users who have not caught up with the news or responded by updating their systems.

If you are a software developer or software company and you use Confluence in-house then you should urgently upgrade your platforms as soon as possible.

“This is all very interesting, but I’m not a software company, so why should this affect me?”

Well, it may indeed turn out that this is nothing more than interesting news and another example of a vulnerability that affects someone else. But if you have a website or application that you didn’t build yourself, then presumably it was built by someone else.

Your software partner or developer may well have used (or still be using) a product like Atlassian’s during the development process. If that is the case, then you have just found yourself part of the software supply chain.

“But what then is the risk to me?”

There are several risks here. The first is that hackers could use this vulnerability as a ‘stepping stone’ to do more damage: by penetrating your supplier’s Confluence software and then using that foothold to reach the code used to create your website or application. After that they have a world of opportunities to compromise your software.

Secondly, although Confluence isn’t in itself a repository of your code, it is often used to record sensitive data. Developers will use Confluence to store configuration data used whilst building your website or application. That could include usernames and passwords, details of how to log into servers and databases, and information about how your application has been built; all valuable secrets that a hacker can go on to exploit later.

“This sounds scary, what can I do?”

Don’t panic, but do find out what your software supplier is doing. It may well be that this issue has no impact on you whatsoever; Atlassian’s products are not the only ones out there, and although they are enormously popular with software companies, they are not used by all of them. Many Atlassian users will also be using the online ‘cloud’ version, which would have been patched immediately, although they should still be checking their systems to ensure that they were not hacked.

Equally, it might be the case that your website has been built without using any of these tools, or indeed without any ‘custom’ software development (although this would imply that your developer used someone else’s software, so the rabbit hole might just get deeper).

Even if all the above is true and there is no risk to your website, this is a good moment for you to understand what your development partner does, to what extent they understand the risks, and how they take care of any sensitive data and information they hold. Check that your supplier always conducts suitable security checks before they release software or updates to your website or application, and that if they use third-party software, plugins and the like, they also security check those before deploying them.

If your supplier has access to information like usernames and passwords, accounts that allow them to access your website, databases or servers, or data on how your system works, then ensure that they are handling that information with due care. You might be surprised to find out how far sensitive information has spread and who has access to your website code and data. Remember that if you ever suffer a data breach, it is you that will be held responsible, whether in a court of law or in the court of public opinion.

Your supplier should of course be implementing best practice around secure software development, including restricting access to sensitive data on the principle of ‘least privilege’ (i.e. only those who need access to something have it) and always carrying out security tests and checks before code is released, for example by removing all test code, data and accounts from a website before it goes live.
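The two points above about configuration data containing credentials and about removing test accounts and debug settings before go-live can be turned into a simple pre-release check. The script below is an added example written for this article, not code from the article’s author, from Atlassian or from any real product. It takes a set of text files (as a mapping of path to contents, so it runs offline) and flags hardcoded credentials, connection strings with embedded passwords, test or demo accounts, and debug switches left on. The rule patterns, the ignored test directories and the sample build tree are all constructed for illustration; a real check would be tuned to the supplier’s own stack.

```python
"""Pre-release check for leftovers that should never reach a live site.

Added example: scans text files for hardcoded credentials, test accounts
and debug settings. Rules and sample data are constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    text: str


# Each rule is a name and a regex applied to one line at a time.
RULES = {
    # "DB_PASSWORD=hunter2", "api_key: abcd1234"; skipped when the value is an
    # environment lookup, a ${VAR} reference or a <placeholder>.
    "hardcoded_credential": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\w*\s*[:=]\s*"
        r"[\"']?(?!\s*os\.environ|\$\{|<)[^\s\"']{4,}"
    ),
    # "postgres://admin:letmein@host/db": credentials embedded in a URL.
    "credential_in_url": re.compile(r"(?i)\b[a-z][a-z0-9+.-]*://[^\s/:@]+:[^\s/@]+@"),
    # test/demo/dummy accounts seeded into config or SQL.
    "test_account": re.compile(
        r"(?i)\b(test|demo|dummy|guest)(user|admin|account)?@"
        r"|\b(user(name)?)\s*[:=]\s*[\"']?(test|demo|dummy)\b"
    ),
    # Debug or development switches left on.
    "debug_enabled": re.compile(
        r"(?i)\b(debug|app_debug|display_errors)\s*[:=]\s*[\"']?(true|on|1)\b"
    ),
}

# Directories that legitimately hold test material and are not part of the build.
IGNORED_DIR_PARTS = ("/tests/", "/test/", "/fixtures/")


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Return one Finding per (line, rule) match outside the ignored directories."""
    findings: list[Finding] = []
    for path, contents in files.items():
        if any(part in f"/{path}" for part in IGNORED_DIR_PARTS):
            continue
        for lineno, line in enumerate(contents.splitlines(), start=1):
            for rule, pattern in RULES.items():
                if pattern.search(line):
                    findings.append(Finding(path, lineno, rule, line.strip()))
    return findings


def release_allowed(files: dict[str, str]) -> bool:
    """A release gate: True only when the scan finds nothing."""
    return not scan_files(files)


# Constructed sample build tree (hypothetical paths and values).
SAMPLE_BUILD = {
    "config/app.env": (
        "APP_DEBUG=true\n"
        "DB_HOST=db.internal\n"
        "DB_PASSWORD=hunter2\n"
        "SESSION_SECRET=${SESSION_SECRET}\n"
    ),
    "config/database.yml": (
        "production:\n"
        "  url: postgres://admin:letmein@db.internal:5432/shop\n"
    ),
    "db/seed.sql": "INSERT INTO users (email, role) VALUES ('testuser@example.com', 'admin');\n",
    "tests/fixtures/users.sql": "INSERT INTO users (email) VALUES ('demo@example.com');\n",
    "src/app.py": "import os\nSECRET_KEY = os.environ['SECRET_KEY']\n",
}


if __name__ == "__main__":
    for f in scan_files(SAMPLE_BUILD):
        print(f"{f.path}:{f.line} [{f.rule}] {f.text}")
    print("release allowed:", release_allowed(SAMPLE_BUILD))
```

Run against the sample tree, the check flags the debug flag and the literal password in `app.env`, the password embedded in the database URL, and the seeded test account, while leaving the `${SESSION_SECRET}` reference, the `os.environ` lookup and the fixtures under `tests/` alone. The value of such a gate is less in the regexes than in where it sits: run on every build before deployment, so that a forgotten test account or debug setting cannot reach the live site unnoticed.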

It’s highly likely that they do indeed do all these things, but you won’t know until you ask...

About the Author

Jerome MacGillivray

CEO, Watchman and cyber security expert

Jerome, as the founder of Watchman, has had years of experience in and passion for all things security related. Watchman was conceived as a tool to support companies in maintaining PCI compliance and online security.