Attackers Use Public Exploits to Throttle Atlassian Confluence Flaw

The vulnerability remains unpatched on many versions of the collaboration tool and has potential to create a SolarWinds-type scenario.

Threatpost

Threat actors are using public exploits to pummel a critical zero-day remote code execution (RCE) flaw that affects all versions of a popular collaboration tool used in cloud and hybrid server environments and allows for complete host takeover.

Researchers from Volexity uncovered the flaw in Atlassian Confluence Server and Data Center software over the Memorial Day weekend after they detected suspicious activity on two internet-facing web servers belonging to a customer running the software, they said in a blog post published last week.

The researchers tracked the activity to a public exploit for the vulnerability, CVE-2022-26134, that’s been spreading rapidly, and subsequently reported the flaw to Atlassian. As observed by Volexity researchers, what’s being described as an “OGNL injection vulnerability” appears to allow for a Java Server Page (JSP) webshell to be written into a publicly accessible web directory on Confluence software.

“The file was a well-known copy of the JSP variant of the China Chopper webshell,” researchers wrote. “However, a review of the web logs showed that the file had barely been accessed. The webshell appears to have been written as a means of secondary access.”

Atlassian released a security advisory the same day that Volexity went public with the flaw, warning customers that all supported versions of Confluence Server and Data Center after version 1.3.0 were affected and that no updates were available. This prompted the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to issue a warning of its own about the flaw.

A day later, Atlassian released fixes in the following versions of the affected products: 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1; it is also strongly recommending that customers update as soon as they can. If that’s not possible, the company provided in the advisory what it stressed is a “temporary” workaround for the flaw, which involves replacing a list of specific files that correspond to specific versions of the product.

Threat Escalation

In the meantime, the situation is escalating quickly into one that security professionals said could reach epic proportions, with exploits surfacing daily and hundreds of unique IP addresses already hammering the vulnerability. Many versions of the affected products also remain unpatched, which creates a dangerous situation.

“CVE-2022-26134 is about as bad as it gets,” observed Naveen Sunkavalley, chief architect of security firm Horizon3.ai, in an email to Threatpost. Key issues are that the vulnerability is quite easy both to find and exploit, with the latter possible using a single HTTP GET request, he said.

Moreover, the recently released public exploits allow attackers to use the flaw for arbitrary command execution and host takeover against a number of Confluence versions, including the latest unpatched version, 7.18.0, according to tests that Horizon3.ai has conducted, Sunkavalley said.

Indeed, Twitter was blowing up over the past weekend with discussions about public exploits for the vulnerability. On Saturday, Andrew Morris, the CEO of cybersecurity firm GreyNoise, tweeted that they had begun to see 23 unique IP addresses exploiting the Atlassian vulnerability. On Monday, Morris tweeted again that the number of unique IP addresses attempting to exploit the flaw had risen to 400 in just a 24-hour period.

Potential for a SolarWinds 2.0?

Sunkavalley pointed out that the most obvious impact of the vulnerability is that attackers can easily compromise public-facing Confluence instances to gain a foothold into internal networks, and then proceed from there to unleash even further damage.

“Confluence instances often contain a wealth of user data and business-critical information that is valuable for attackers moving laterally within internal networks,” Sunkavalley said.

What’s more, the vulnerability is a source-code issue, and attacks at this level “are some of the most effective and long reaching attacks on the IT ecosystem,” observed Garret Grajek, CEO of security firm YouAttest.

The now-infamous SolarWinds supply-chain attack that started in December 2020 and extended well into 2021 was an example of the level of damage and magnitude of threat that embedded malware can have, and the Confluence bug has the potential to create a similar scenario, he said.

“By attacking the source code base the hackers are able to manipulate the code to become, in fact, agents of the hacking enterprise, cryptographically registered as legitimate components on the IT system,” Grajek said.

For this reason, it’s “imperative that enterprises review their code and most importantly the identities that have control of the source system, like Atlassian, to ensure restrictive and legitimate access to their vital code bases,” he asserted.

Related news

8220 Gang Targets Telecom and Healthcare in Global Cryptojacking Attack

By Deeba Ahmed The 8220 gang, believed to be of Chinese origins, was first identified in 2017 by Cisco Talos when they targeted Drupal, Hadoop YARN, and Apache Struts2 applications for propagating cryptojacking malware. This is a post from HackRead.com. Read the original post: 8220 Gang Targets Telecom and Healthcare in Global Cryptojacking Attack

2022's most routinely exploited vulnerabilities—history repeats

What can the routinely exploited vulnerabilities of 2022 tell us, and what do we think will make it on to next year's list? (Read more...) The post 2022's most routinely exploited vulnerabilities—history repeats appeared first on Malwarebytes Labs.

Mirai Variant V3G4 Exploiting IoT Devices for DDoS Attacks

By Waqas The V3G4 malware was caught leveraging several vulnerabilities in IoT devices to spread its infection from July to December of 2022. This is a post from HackRead.com. Read the original post: Mirai Variant V3G4 Exploiting IoT Devices for DDoS Attacks

Joint Advisory AA22-279A and Vulristics

Hello everyone! This episode will be about the new hot twenty vulnerabilities from CISA, NSA and FBI, Joint cybersecurity advisory (CSA) AA22-279A, and how I analyzed these vulnerabilities using my open source project Vulristics. Alternative video link (for Russia): https://vk.com/video-149273431_456239105 Americans can’t just release a list of “20 vulnerabilities most commonly exploited in attacks on […]

Hackers Targeting Unpatched Atlassian Confluence Servers to Deploy Crypto Miners

A now-patched critical security flaw affecting Atlassian Confluence Server that came to light a few months ago is being actively exploited for illicit cryptocurrency mining on unpatched installations. "If left unremedied and successfully exploited, this vulnerability could be used for multiple and more malicious attacks, such as a complete domain takeover of the infrastructure and the deployment

CVE-2022-32277: SpiderLabs Blog

Squiz Matrix CMS 6.20 is vulnerable to an Insecure Direct Object Reference caused by failure to correctly validate authorization when submitting a request to change a user's contact details.

Patch Now: Atlassian Confluence Bug Under Active Exploit

Attackers almost immediately leapt on a just-disclosed bug, CVE-2022-26138, affecting Atlassian Confluence, which allows remote, unauthenticated actors unfettered access to Confluence data.

This Cloud Botnet Has Hijacked 30,000 Systems to Mine Cryptocurrencies

The 8220 cryptomining group has expanded in size to encompass as many as 30,000 infected hosts, up from 2,000 hosts globally in mid-2021. "8220 Gang is one of the many low-skill crimeware gangs we continually observe infecting cloud hosts and operating a botnet and cryptocurrency miners through known vulnerabilities and remote access brute forcing infection vectors," Tom Hegel of SentinelOne

Vulnerability Management news and publications #1

Hello everyone! In this episode, I will try to revive Security News with a focus on Vulnerability Management. On the one hand, creating such reviews requires free time, which could be spent more wisely, for example, on open source projects or original research. On the other hand, there are arguments in favor of news reviews. […]

Microsoft Warns of Cryptomining Malware Campaign Targeting Linux Servers

A cloud threat actor group tracked as 8220 has updated its malware toolset to breach Linux servers with the goal of installing crypto miners as part of a long-running campaign. "The updates include the deployment of new versions of a crypto miner and an IRC bot," Microsoft Security Intelligence said in a series of tweets on Thursday. "The group has actively updated its techniques and payloads

You Need to Update Windows and Chrome Right Now

Plus: Google issues fixes for Android bugs, and Cisco, Citrix, SAP, WordPress, and more issue major patches for enterprise systems.

Atlassian Confluence Flaw Being Used to Deploy Ransomware and Crypto Miners

A recently patched critical security flaw in Atlassian Confluence Server and Data Center products is being actively weaponized in real-world attacks to drop cryptocurrency miners and ransomware payloads. In at least two of the Windows-related incidents observed by cybersecurity vendor Sophos, adversaries exploited the vulnerability to deliver Cerber ransomware and a crypto miner called z0miner

Chinese Hackers Exploited Sophos Firewall Zero-Day Flaw to Target South Asian Entity

A sophisticated Chinese advanced persistent threat (APT) actor exploited a critical security vulnerability in Sophos' firewall product that came to light earlier this year to infiltrate an unnamed South Asian target as part of a highly-targeted attack. "The attacker implement[ed] an interesting web shell backdoor, create[d] a secondary form of persistence, and ultimately launch[ed] attacks

“Multiple adversaries” exploiting Confluence vulnerability, warns Microsoft

Microsoft has warned of APT groups and ransomware authors exploiting the now patched Confluence vulnerability. We take a look at the dangers. The post “Multiple adversaries” exploiting Confluence vulnerability, warns Microsoft appeared first on Malwarebytes Labs.

Atlassian Confluence Namespace OGNL Injection

This Metasploit module exploits an OGNL injection in Atlassian Confluence servers. A specially crafted URI can be used to evaluate an OGNL expression resulting in OS command execution.

Confluence OGNL Injection Remote Code Execution

Confluence suffers from a pre-authentication remote code execution vulnerability that is leveraged via OGNL injection. All 7.4.17 versions before 7.18.1 are affected.

Atlassian Releases Patch for Confluence Zero-Day Flaw Exploited in the Wild

Atlassian on Friday rolled out fixes to address a critical security flaw affecting its Confluence Server and Data Center products that have come under active exploitation by threat actors to achieve remote code execution. Tracked as CVE-2022-26134, the issue is similar to CVE-2021-26084 — another security flaw the Australian software company patched in August 2021. Both relate to a case of

Threat Advisory: Atlassian Confluence zero-day vulnerability under active exploitation

Cisco Talos is monitoring reports of an actively exploited zero-day vulnerability in Confluence Data Center and Server. Confluence is a Java-based corporate Wiki employed by numerous enterprises. At this time, it is confirmed that all supported versions of Confluence are affected by this...

CVE-2022-26134: [CONFSERVER-79016] Remote code execution via OGNL injection in Confluence Server & Data Center - CVE-2022-26134

In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are from 1.3.0 before 7.4.17, from 7.13.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and from 7.18.0 before 7.18.1.
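As an added example (not Atlassian's tooling or code from any of the articles above), the following Python checker classifies a Confluence Server / Data Center version string against the affected ranges quoted in the advisory entry above and the fixed releases the Threatpost article lists; the host inventory it triages is a constructed sample.

```python
# Added example: classify a Confluence Server / Data Center version string
# against the CVE-2022-26134 affected ranges quoted in the advisory text above.
# Not Atlassian's tooling; the inventory at the bottom is a constructed sample.
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

def parse_version(text: str) -> Version:
    """'7.13.7' -> (7, 13, 7); shorter strings are padded so '7.4' == '7.4.0'."""
    parts = [int(p) for p in text.strip().split(".")]
    parts += [0] * (3 - len(parts))
    return (parts[0], parts[1], parts[2])

# (first affected, inclusive), (first fixed in that branch, exclusive)
AFFECTED_RANGES: List[Tuple[str, str]] = [
    ("1.3.0", "7.4.17"),
    ("7.13.0", "7.13.7"),
    ("7.14.0", "7.14.3"),
    ("7.15.0", "7.15.2"),
    ("7.16.0", "7.16.4"),
    ("7.17.0", "7.17.4"),
    ("7.18.0", "7.18.1"),
]
NEWEST_FIX = parse_version("7.18.1")

def classify(version_text: str) -> str:
    """Return 'affected', 'fixed' or 'unlisted'.
    'unlisted' means the advisory ranges say nothing about this version (e.g. the
    out-of-support 7.5 through 7.12 series); the article says every version after
    1.3.0 was affected, so an 'unlisted' host needs review, not a clean bill."""
    v = parse_version(version_text)
    for lo, hi in AFFECTED_RANGES:
        lo_v, hi_v = parse_version(lo), parse_version(hi)
        if lo_v <= v < hi_v:
            return "affected"
        if v[:2] == hi_v[:2] and v >= hi_v:
            return "fixed"      # patched build of a branch the advisory lists
    if v >= NEWEST_FIX:
        return "fixed"          # any release newer than the newest fixed branch
    return "unlisted"

def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host name -> status for a {host: version} inventory."""
    return {host: classify(ver) for host, ver in inventory.items()}

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {"wiki-01": "7.13.6", "wiki-02": "7.13.7",
                    "wiki-03": "7.12.4", "wiki-04": "7.18.0"}
```

Running `triage(SAMPLE_INVENTORY)` flags wiki-01 and wiki-04 as affected, wiki-02 as fixed, and wiki-03 as unlisted, the last of which still needs a manual look because the advisory ranges skip the end-of-life 7.5 through 7.12 series.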

Actively Exploited Atlassian Zero-Day Bug Allows Full System Takeover

A remote code execution (RCE) vulnerability in all versions of the popular Confluence collaboration platform can be abused in credential harvesting, cyber espionage, and network backdoor attacks.

Unpatched Atlassian Confluence vulnerability is actively exploited

A vulnerability in Atlassian Confluence was found by performing an incident response investigation on a compromised server. The vulnerability is not yet patched. The post Unpatched Atlassian Confluence vulnerability is actively exploited appeared first on Malwarebytes Labs.

Hackers Exploiting Unpatched Critical Atlassian Confluence Zero-Day Vulnerability

Atlassian has warned of a critical unpatched remote code execution vulnerability impacting Confluence Server and Data Center products that it said is being actively exploited in the wild. The Australian software company credited cybersecurity firm Volexity for identifying the flaw, which is being tracked as CVE-2022-26134. "Atlassian has been made aware of current active exploitation of a
