
Actively Exploited Atlassian Zero-Day Bug Allows Full System Takeover

A remote code execution (RCE) vulnerability in all supported versions of the popular Confluence collaboration platform can be abused in credential harvesting, cyber espionage, and network backdoor attacks.

DARKReading

UPDATE

A critical security vulnerability in Atlassian Confluence is under active attack, opening servers to full system takeover, security researchers warned.

The bug (CVE-2022-26134) is a command-injection issue that allows unauthenticated remote code execution (RCE), affecting all supported versions of Confluence Server and Confluence Data Center. According to a forensic investigation of two zero-day attacks by Volexity, it can be exploited without needing credentials or user interaction, simply by sending a specially crafted Web request to the Confluence system.

No Atlassian Cloud sites have been impacted.

Confluence is a remote working and corporate workspace suite used for project management and collaboration among teams. As such, it houses sensitive data on projects, specific users, and potentially partners and customers; also, it tends to be integrated with other corporate resources, servers, and systems. A successful exploit would allow attackers to vacuum up data from the platform as well as pivot to burrowing deeper into an organization’s network as a prelude to, say, a ransomware attack.

“By exploiting this kind of vulnerability, attackers can gain direct access to highly sensitive systems and networks,” Volexity researchers noted.

Researchers have advised administrators to remove external access to their Confluence servers immediately until patches have been applied. In the meantime, Atlassian confirmed in its advisory that it has rushed a fix, with patches rolling out towards the close of business ET on June 3.

A spokesperson told Dark Reading that the company has “contacted all potentially vulnerable customers directly to notify them of the fix.”

Zero-Day Atlassian Confluence Attacks

During its investigation, Volexity followed the path of attackers in two instances, which was the same in both. To start, the culprits exploited the vulnerability to create an interactive webshell (by writing a malicious class file in memory), which gave them persistent backdoor access to the server without having to write anything to disk.

After that, the firm observed that the threat actors dropped the Behinder implant on the server, which is an open source tool for creating flexible memory-only webshells. It also allows integration with Meterpreter and Cobalt Strike, two tools that are most often used for lateral movement. Meterpreter allows users to fetch various Metasploit modules (i.e., working exploits for known bugs), while Cobalt Strike is a pen-testing tool that’s often used by the bad guys to probe for and compromise new targets on the network.

Once Behinder was in place, Volexity found that the adversaries went on to install two additional webshells to disk: China Chopper and a custom file upload shell. China Chopper is a tool that’s been around for a decade, which allows attackers to retain access to an infected Web server using a client-side application. The client contains all the logic required to control the target, which makes it very easy to use.

Once this basic infection setup was in place, the attackers ran several commands, including those aimed at reconnaissance (checking the operating system, looking for password repositories); stealing information and user tables from the local Confluence database; and altering Web access logs to remove evidence of exploitation, Volexity said.

While the firm detected two zero-day attacks, it’s likely that the activity is more widespread. “Volexity has reason to believe this exploit is currently in use by multiple threat actors and that the likely country of origin of these attackers is China,” researchers said.

How to Prevent Confluence Compromise

The best option beyond patching to prevent compromise is simply to disable Confluence Server and Confluence Data Center instances, remove all external access, or use IP address safelisting rules to restrict access to only trusted endpoints, researchers noted. Organizations can also add Java deserialization rules that defend against RCE injection vulnerabilities to their Web application firewalls (WAFs).

It’s also important to uncover signs of any compromise, given that an infection can persist beyond patching.

“The presence of a webshell provides an attacker with the ability to maintain access to a compromised system even after a vulnerability like this one has been patched,” notes Satnam Narang, senior staff research engineer at Tenable. “We observed the same following exploitation of the ProxyShell vulnerability last year, where attackers implanted webshells onto vulnerable Microsoft Exchange Server instances.”

However, “these systems can often be difficult to investigate, as they lack the appropriate monitoring or logging capabilities,” Volexity pointed out.

Volexity researchers offered the following advice:

  • Ensure Internet-facing Web services have robust monitoring capabilities and log retention policies to assist in the event of an incident
  • Send relevant log files from Internet-facing web servers to a SIEM or Syslog server
  • Monitor child processes of Web application processes for suspicious processes (in this case, the Python shell is a good example of this)
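The third recommendation, watching the children of the Web application process, is the one that turns most directly into a check. The script below is an added example and is not code from the article or from Volexity: it parses a `ps -eo pid,ppid,comm,args` snapshot (the sample snapshot is constructed, not from a real incident), locates the Confluence Tomcat JVM by its `catalina.startup.Bootstrap` bootstrap class, walks every descendant, and reports any that is a shell or scripting interpreter such as the Python shell mentioned above. The list of suspicious command names and the `/opt/atlassian/confluence` install path are assumptions to tune for your environment.

```python
"""Flag shell/interpreter processes running under a Confluence JVM.

Added example (not from the article or Volexity). Parses a
`ps -eo pid,ppid,comm,args` snapshot and reports descendants of the
Confluence Tomcat bootstrap JVM whose command is a shell or interpreter.
"""
from __future__ import annotations

from dataclasses import dataclass

# Commands a healthy Confluence JVM has no reason to spawn.
# Assumed starting list; extend it for your environment.
SUSPICIOUS_COMMS = {
    "sh", "bash", "dash", "zsh", "python", "python2", "python3",
    "perl", "ruby", "nc", "ncat", "curl", "wget", "whoami", "id",
}

# Constructed sample snapshot in `ps -eo pid,ppid,comm,args` format (not real
# data). It contains a legitimate Synchrony child JVM plus a shell and a
# Python one-liner spawned directly by the Confluence JVM.
PS_SNAPSHOT = """\
  PID  PPID COMMAND         COMMAND
    1     0 systemd         /sbin/init
 1203     1 java            /opt/atlassian/confluence/jre/bin/java -Dcatalina.base=/opt/atlassian/confluence org.apache.catalina.startup.Bootstrap start
 1340  1203 java            /opt/atlassian/confluence/jre/bin/java -classpath synchrony-standalone.jar synchrony.core sql
 2210  1203 sh              /bin/sh -c python3 -c import socket,os
 2211  2210 python3         python3 -c import socket,os
 2300  1203 sh              /bin/sh -c whoami
 2400     1 sshd            /usr/sbin/sshd -D
"""


@dataclass
class Proc:
    pid: int
    ppid: int
    comm: str
    args: str


def parse_ps(snapshot: str) -> dict[int, Proc]:
    """Parse ps output into a pid -> Proc map; the header line is skipped."""
    procs: dict[int, Proc] = {}
    for line in snapshot.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) < 3 or not parts[0].isdigit():
            continue  # header or blank line
        pid, ppid, comm = int(parts[0]), int(parts[1]), parts[2]
        args = parts[3] if len(parts) == 4 else ""
        procs[pid] = Proc(pid, ppid, comm, args)
    return procs


def confluence_roots(procs: dict[int, Proc]) -> list[int]:
    """PIDs of JVMs that look like the Confluence Tomcat bootstrap process."""
    return [
        p.pid for p in procs.values()
        if p.comm == "java" and "catalina.startup.Bootstrap" in p.args
    ]


def descendants(procs: dict[int, Proc], root: int):
    """Yield (pid, ancestry chain) for every descendant of root, depth-first."""
    stack = [(c.pid, [root]) for c in procs.values() if c.ppid == root]
    while stack:
        pid, chain = stack.pop()
        yield pid, chain
        for c in procs.values():
            if c.ppid == pid:
                stack.append((c.pid, chain + [pid]))


def find_suspicious_children(snapshot: str) -> list[dict]:
    """Return findings for shells/interpreters living under a Confluence JVM."""
    procs = parse_ps(snapshot)
    findings = []
    for root in confluence_roots(procs):
        for pid, chain in descendants(procs, root):
            p = procs[pid]
            if p.comm in SUSPICIOUS_COMMS:
                findings.append({
                    "pid": pid,
                    "comm": p.comm,
                    "args": p.args,
                    "chain": " -> ".join(str(x) for x in chain + [pid]),
                })
    return sorted(findings, key=lambda f: f["pid"])


if __name__ == "__main__":
    for f in find_suspicious_children(PS_SNAPSHOT):
        print(f"[ALERT] pid {f['pid']} ({f['comm']}) under Confluence "
              f"via {f['chain']}: {f['args']}")
```

Run against the sample, it reports the `sh` and `python3` processes under the JVM (2210, 2211, 2300) and stays quiet about the Synchrony child JVM. For continuous monitoring the same logic applies to auditd or EDR process-creation events keyed on parent PID; walking the full ancestry matters because a webshell typically launches `sh -c`, which then launches the interpreter, so a check on the immediate parent alone would miss the second hop.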

If past is prologue, it’s good to be vigilant on this one: Attackers see Confluence as a popular target, as shown by the mass exploitation of another RCE flaw last fall, in volumes that were large enough to trigger a CISA alert.

“While there are currently no exploitation details or proof-of-concept for this vulnerability, we know from history that attackers relish the opportunity to target Atlassian products like Confluence,” Narang tells Dark Reading. “We strongly encourage organizations to review their mitigation options until patches are available.”

Greg Fitzgerald, co-founder at Sevco Security, also cautions organizations to take proactive steps to generally prevent zero-day attacks.

“Organizations vulnerable to this exploit cannot simply sit back and assume that this will be resolved through their typical patch management process,” he tells Dark Reading. “When Atlassian releases a patch, that will be the first step for most organizations. But while patching vulnerabilities works great for the systems that you know about, the vast majority of enterprises simply don’t know the entirety of their attack surface. This is because maintaining an accurate IT asset inventory in a dynamic environment is exceptionally difficult. Threat actors figured that out a long time ago and work around the clock to exploit it. The first step to combating threats like this one is to establish a continuously updated, accurate inventory of all enterprise assets to serve as a foundational control for your security program.”

This post was updated at 4:45 ET to reflect that the bug is no longer unpatched.
