
Hackers launch widespread, focused assault on Atlassian Confluence using a currently unpatched vulnerability

Threats emerge following Atlassian's release of a security patch for on-premises weakness.

Adversaries are aggressively exploiting a previously unidentified vulnerability in Atlassian Confluence, launching widespread and targeted assaults


In a concerning development, researchers at Cloudflare have detected malicious activity aimed at Atlassian Confluence, specifically the on-premises versions, Confluence Server and Data Center. The activity, reminiscent of malware campaigns and botnet behaviour, has been ongoing since May 26, according to data reviewed by Cloudflare.

The critical Object Graph Navigation Language (OGNL) vulnerability (CVE-2022-26134) in Confluence Data Center and Server poses a serious security risk, as it could allow an attacker to execute code remotely. The vulnerability, comparable in scale to the Apache Log4j vulnerability (CVE-2021-44228), is being exploited by threat actors who first scan IP addresses to confirm that a host is running Confluence before launching their attacks.

The volume of exploit attempts is likely driven by how easy the vulnerability is to exploit and by the valuable information held in the Confluence database: passwords, proprietary customer information, and other confidential data. Attackers have been observed deploying generic reverse shells, which give them remote control of the Confluence server.
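A defender-side example added here, not taken from the article or from Cloudflare or GreyNoise: a small Python detector that scans access-log lines for requests whose URL path carries an OGNL expression marker (`${`), including percent-encoded and double-encoded forms, and reports the distinct source IPs. The combined log format and the `${` heuristic are assumptions, and the log lines are constructed for this example; it reflects the publicly reported exploitation pattern for CVE-2022-26134, an OGNL expression placed in the request URI.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format) for this example only.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Jun/2022:10:01:02 +0000] "GET /%24%7Bfoo%7D/ HTTP/1.1" 302 0
203.0.113.7 - - [03/Jun/2022:10:01:03 +0000] "GET /%2524%257Bbar%257D/ HTTP/1.1" 302 0
198.51.100.4 - - [03/Jun/2022:10:02:10 +0000] "GET /pages/viewpage.action?pageId=42 HTTP/1.1" 200 5120
192.0.2.9 - - [03/Jun/2022:10:03:00 +0000] "GET /login.action HTTP/1.1" 200 1313
"""

# Assumed log layout: client IP, ident, user, [timestamp], "METHOD PATH PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Heuristic marker for an OGNL expression embedded in a URL path (assumption).
OGNL_MARK = re.compile(r'\$\{')


def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded paths are caught; capped to avoid loops."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_ognl_attempts(log_text):
    """Return (ip, decoded_path) for every request whose path contains an OGNL marker."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # unparseable line: skip rather than crash the scan
        path = decode_fully(match.group("path"))
        if OGNL_MARK.search(path):
            hits.append((match.group("ip"), path))
    return hits


def unique_sources(hits):
    """Distinct source IPs behind the flagged requests, sorted for stable reporting."""
    return sorted({ip for ip, _ in hits})


if __name__ == "__main__":
    flagged = find_ognl_attempts(SAMPLE_LOG)
    for ip, path in flagged:
        print(f"suspicious OGNL marker from {ip}: {path}")
    print("unique sources:", unique_sources(flagged))
```

Because decoding is applied to the path before matching, both the single- and double-encoded sample requests are flagged while ordinary Confluence page views are not.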

Since GreyNoise researchers first identified the widespread exploit attempts beginning on Saturday, more than 850 unique IP addresses have attempted to exploit the vulnerability. However, no specific attacker IP addresses have been published.

In response to the threat, the Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities Catalog. Last week CISA ordered federal agencies to disconnect their Confluence applications.

It is important to note that most Confluence users are on Confluence Cloud, which is not affected by this vulnerability. For those running the on-premises versions, however, it is crucial to apply the security fix released by Atlassian on June 3 to mitigate the risk.

Researchers are also seeing obfuscated payloads, including code snippets intended to enrol Confluence servers in the Mirai/Saru botnets. As the situation continues to develop, organisations should stay vigilant and take the necessary precautions to protect their data and systems.
