Apache.org hit by targeted XSS attack

The open-source Apache Software Foundation recently suffered a cross-site scripting (XSS) attack against its infrastructure that resulted in users' passwords being compromised.

The targeted attack allowed hackers to break into the server hosting Apache.org's issue and request tracking software, Atlassian JIRA, and steal encrypted passwords, the Apache Infrastructure team revealed in a blog post Tuesday. Hackers carried out the attack on April 5 by sending Apache an error report that included a TinyURL link containing an XSS exploit. Several Apache administrators clicked on the link, compromising their sessions.

Encrypted passwords were ultimately stolen for users of the Apache-hosted JIRA issue tracking and project tracking software, Bugzilla bug tracking software, and Confluence enterprise collaboration and wiki software, Apache said.

“We believe the risk to simple passwords based on dictionary words is quite high, and most users should rotate their passwords,” the group said.

Along with the XSS attack, hackers simultaneously launched a brute-force attack against the JIRA login.jsp, attempting hundreds of thousands of password combinations. On April 6, the brute-force method was successful: hackers gained administrator privileges on a JIRA account and were able to browse and copy the file system.

“The attackers used this access to create copies of many users' home directories and various files,” Apache said.

Three days after the successful brute-force attack, hackers installed a file that collected and saved all passwords when users logged on. In addition, they sent password reset messages to Apache's infrastructure team, which successfully duped members into revealing their passwords. One of these stolen passwords allowed attackers to gain full root access to a machine that hosted Apache installs of JIRA, Bugzilla and Confluence.

Shortly after the password reset, Apache's infrastructure team caught wind of the attack and began shutting down services and moving them to a different machine. By Tuesday, Atlassian provided a patch for JIRA to prevent the XSS attack.

JIRA and Bugzilla have been back online since Saturday, but the Confluence wiki remains offline.

The Apache Software Foundation is a group that provides support for Apache's open-source software projects, including its popular web server.
