Researchers have discovered a critical vulnerability in Atlassian’s Confluence Enterprise Server application that allows attackers to execute malicious commands and reset servers. This vulnerability is currently being exploited by threat actors in attacks that aim to install ransomware.
Glenn Thorpe, a senior director of security research and identity engineering at security firm GreyNoise, shared on Mastodon that the exploitation of the CVE-2023-22518 authentication bypass vulnerability in Atlassian Confluence Server has started on a large scale and poses a significant risk of data loss. He also mentioned that currently, all the attack IPs have targeted Ukraine.
According to Thorpe, three different IP addresses exploited the critical vulnerability between 12 a.m. and 8 a.m. on Sunday UTC. These attacks allowed the threat actors to restore the database and execute malicious commands. While one IP has stopped the attacks, Thorpe speculates that the exploitation attempts will continue.
Just one request is sufficient
A DFIR report published screenshots that showed data collected during the observation of attacks. One of the screenshots displayed a ransomware group called C3RB3R making a demand.
Other screenshots revealed additional details, such as lateral activity in other parts of the victim’s network and the sources of the attacks.
Security firms Rapid7 and Tenable have also reported attacks starting over the weekend.
Rapid7 researchers Daniel Lydon and Connor Quinn stated, “As of November 5, 2023, Rapid7 is observing Atlassian Confluence exploitation in multiple customer environments, including managed detection and response (MDR) ransomware deployments. We have confirmed that at least some exploits are targeting CVE-2023-22518, which is an improper authorization vulnerability affecting Confluence Data Centers and Confluence Server.”
According to Rapid7’s observations, the exploits displayed similarities across multiple environments, indicating a widespread exploitation of on-premises Confluence servers. In some attack chains, Rapid7 observed post-exploit command execution that resulted in the deployment of Cerber ransomware on the exploited Confluence servers.
CVE-2023-22518 is widely known as an improper authorization vulnerability and can be exploited on Internet-facing Confluence servers by sending specially crafted requests to the setup-restore endpoints. Accounts hosted in Atlassian’s cloud environment are not affected by this vulnerability. Atlassian disclosed this vulnerability in a post, warning customers about the potential for significant data loss if exploited and urging them to take immediate action to protect their instances.
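As an added example that is not part of the original article, the following Python check scans web-server access logs for the kind of requests described above, namely requests to the setup-restore endpoints, and summarizes them per source address so a defender can see attempts and whether any succeeded. The log lines are constructed, and the exact endpoint paths (/json/setup-restore*.action) are assumed from Atlassian's advisory rather than given on this page.

```python
import re

# Constructed sample lines in combined log format (not real telemetry).
# Addresses are documentation ranges; timestamps fall in the window the
# article describes (early Sunday, 5 Nov 2023, UTC).
SAMPLE_LOG = """\
203.0.113.5 - - [05/Nov/2023:03:12:44 +0000] "POST /json/setup-restore.action?synchronous=true HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.7 - - [05/Nov/2023:03:15:01 +0000] "GET /wiki/spaces/ENG/overview HTTP/1.1" 200 8421 "-" "Mozilla/5.0"
203.0.113.5 - - [05/Nov/2023:03:13:02 +0000] "POST /json/setup-restore-progress.action HTTP/1.1" 200 88 "-" "python-requests/2.31"
192.0.2.9 - - [05/Nov/2023:04:40:19 +0000] "POST /json/setup-restore-local.action HTTP/1.1" 403 0 "-" "curl/8.1.2"
198.51.100.7 - - [05/Nov/2023:05:02:33 +0000] "GET /login.action HTTP/1.1" 200 3300 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed endpoint family (from Atlassian's advisory, not from this page):
# /json/setup-restore.action and its -local / -progress siblings.
SETUP_RESTORE_RE = re.compile(r"/json/setup-restore[\w-]*\.action$")


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Match on the path only; strip any query string.
    rec["path"] = rec["path"].split("?", 1)[0]
    rec["status"] = int(rec["status"])
    return rec


def find_setup_restore_hits(log_text):
    """Return every parsed request that targets a setup-restore endpoint."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and SETUP_RESTORE_RE.search(rec["path"]):
            hits.append(rec)
    return hits


def summarize(hits):
    """Map source IP -> (total attempts, attempts answered with 2xx).

    Any attempt on an Internet-facing server that is not being set up or
    restored warrants investigation; a 2xx answer means the request reached
    the restore logic and the instance should be treated as compromised.
    """
    summary = {}
    for h in hits:
        total, ok = summary.get(h["ip"], (0, 0))
        summary[h["ip"]] = (total + 1, ok + (1 if 200 <= h["status"] < 300 else 0))
    return summary
```

Blocked attempts (non-2xx) are still listed, so the same check is useful after the endpoints have been disabled to confirm that probing is being denied.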
As the exploits become easier and more effective, threat groups are actively exploiting vulnerabilities before potential targets can defend themselves. Organizations running on-premises Confluence Servers exposed to the Internet should promptly apply patches or, if patching is not feasible, temporarily remove them from the Internet. Another solution is to disable the following endpoints:
Atlassian has been urging affected customers to apply patches for nearly a week. Failing to follow these recommendations puts organizations at significant risk.