sciencejerk | 5 days ago
1. Initial access to physical machine, most likely via phishing malware, reckless employees downloading untrusted content, or bad luck.
2. Malware looks for browser cookies, hoping to steal temporary credentials but instead gains persistent creds, which grant Jira access. People re-use passwords; malware tries this password against AdUser and any other systems or other corp user accounts it can find.
3. Direct Jira access used to pivot; that custom Jira app is probed for app vulns (likely given design).
Dylan16807 | 5 days ago
tosti | 5 days ago
1. Get e-mail from boss, look at headers, find boss IP addy
2. Failing that, memorize boss office number or workstation tag, run stealthy network scan, do reverse DNS lookup
3. Be a router, ARP spoof MITM attack
4. ?????
5. Profit