Critical Atlassian Confluence zero-day actively used in attacks

Jun 3, 2022 | News



Hackers are actively exploiting a new Atlassian Confluence zero-day vulnerability tracked as CVE-2022-26134 to install web shells, with no fix available at this time.

Today, Atlassian released a security advisory disclosing that CVE-2022-26134 is a critical unauthenticated remote code execution vulnerability affecting both Confluence Server and Data Center.

Atlassian says that they confirmed the vulnerability in Confluence Server 7.18.0 and believe that Confluence Server and Data Center 7.4.0 and higher are also vulnerable.

The advisory warns that threat actors are actively exploiting Confluence Server 7.18.0.

As there are no patches available, Atlassian is telling customers to make their servers inaccessible by one of these two methods:

  • Restricting Confluence Server and Data Center instances from the internet.

  • Disabling Confluence Server and Data Center instances.

There are no other ways to mitigate this vulnerability.

Organizations that use Atlassian Cloud (accessible via atlassian.net) are unaffected by this vulnerability.

Atlassian is actively working on a patch and will release further information in their advisory when it becomes available.

The Cybersecurity and Infrastructure Security Agency (CISA) has added this zero-day to its Known Exploited Vulnerabilities Catalog and is requiring federal agencies to block all internet traffic to Confluence servers by tomorrow, June 3rd.

Servers exploited for initial access

In a coordinated disclosure, cybersecurity firm Volexity explained that the vulnerability was discovered over the Memorial Day weekend while performing incident response.

After conducting the investigation, Volexity could reproduce the exploit against the latest Confluence Server version and disclosed it to Atlassian on May 31st.

“After a thorough review of the collected data, Volexity was able to determine the server compromise stemmed from an attacker launching an exploit to achieve remote code execution,” explains a blog post by Volexity.

“Volexity was subsequently able to recreate that exploit and identify a zero-day vulnerability impacting fully up-to-date versions of Confluence Server.”

In the breach analyzed by Volexity, threat actors installed BEHINDER, a JSP web shell that allows threat actors to execute commands on the compromised server remotely.

The threat actors then used BEHINDER to install the China Chopper web shell and a simple file upload tool as backups.

From Volexity's investigation, the threat actors dumped the user tables of the Confluence server, wrote additional web shells, and altered access logs to evade detection.

Volexity says that they believe multiple threat actors from China are utilizing these exploits.

As there are no patches available, Volexity also recommends that Confluence admins disconnect their servers from the Internet until Atlassian releases a fix.

Volexity has released a list of IP addresses behind the attacks and Yara rules to identify web shell activity on Confluence servers.
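Volexity's Yara rules are not reproduced here. As an added example (not Volexity's or Atlassian's code), the following Python script shows a complementary file-integrity check an administrator can run on a Confluence host: it hashes every JSP file under the install directory, compares against a baseline manifest captured from a known-good install of the same version (an assumption; the manifest format is this script's own), and reports JSP files that were added or modified, which is how dropped web shells such as the ones described above typically appear on disk. The demo builds a constructed miniature install in a temporary directory; the file contents are placeholders, not real web shell code.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large JSPs do not need to be read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record every .jsp under root with its SHA-256.

    Assumption: this is run against a known-good install (e.g. a fresh unpack of
    the same Confluence version) before the server is exposed, and the resulting
    manifest is stored off-host so an intruder cannot rewrite it.
    """
    return {str(p.relative_to(root)): sha256_of(p) for p in root.rglob("*.jsp")}


def find_suspicious_jsp(root: Path, baseline: dict) -> dict:
    """Return {'added': [...], 'modified': [...]} for .jsp files absent from the
    baseline or whose content hash no longer matches it."""
    added, modified = [], []
    for p in root.rglob("*.jsp"):
        rel = str(p.relative_to(root))
        if rel not in baseline:
            added.append(rel)
        elif baseline[rel] != sha256_of(p):
            modified.append(rel)
    return {"added": sorted(added), "modified": sorted(modified)}


def demo() -> dict:
    """Constructed scenario: two legitimate JSPs, a baseline, then one new file
    and one tampered file, as a compromised host would show."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "confluence").mkdir()
        (root / "confluence" / "login.jsp").write_text("<%-- constructed: legitimate page --%>")
        (root / "confluence" / "help.jsp").write_text("<%-- constructed: legitimate page --%>")
        baseline = build_baseline(root)

        # Simulated post-compromise state; placeholder text, not a web shell.
        (root / "confluence" / "x.jsp").write_text("<%-- constructed: unexpected new file --%>")
        (root / "confluence" / "help.jsp").write_text("<%-- constructed: modified content --%>")
        return find_suspicious_jsp(root, baseline)


if __name__ == "__main__":
    print(demo())
```

In practice, point `build_baseline` at the real Confluence install directory right after deployment, keep the manifest somewhere the web server process cannot write, and run `find_suspicious_jsp` on a schedule; because the attackers in this case also edited access logs, an on-disk integrity check gives a second signal that does not depend on the logs being trustworthy.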

Source: bleepingcomputer.com
