Threats to Atlassian Confluence prompt calls for rapid patching
The vulnerability (tracked as CVE-2022-26134) opens the door for even unauthenticated attackers to achieve RCE on unpatched systems, with all supported versions of Confluence Server and Data Center affected. End-of-life versions are also likely to be impacted, but this is unconfirmed.
Users are urged to apply the patches that Atlassian, the software developer behind Confluence, published on Friday (June 3). Enterprises unable to patch should apply the recommended workarounds, as explained in an advisory by Atlassian.
The US Cybersecurity and Infrastructure Security Agency (CISA) advises US federal agencies to block internet traffic to Confluence Server and Data Center installs and apply Atlassian’s patch or remove affected instances by the close of business on Monday, June 6.
Attacks against the vulnerability on internet-facing Atlassian Confluence servers have been logged by threat response specialists at both Volexity and Rapid7’s Managed Detection and Response (MDR) team.
Volexity reports that attacks began last week on what was at the time a zero-day vulnerability in Atlassian Confluence Server. The RCE vulnerability was used to deploy an in-memory Java-based web server implant, known as ‘Behinder’, in an attempt to evade detection.
“Once Behinder was deployed, the attacker used the in-memory web shell to deploy two additional web shells to disk: CHINA CHOPPER and a custom file upload shell,” Volexity explains in a technical blog post.
The tools and techniques used in the attack have led Volexity threat researcher Paul Rascagnères to identify China as the most likely suspect.
Confluence is a popular web-based collaboration software platform. The Daily Swig asked Volexity to estimate the number of vulnerable internet-facing Confluence servers and to speculate on the end goal of the attacks.
No word back, as yet, but we’ll update this story as and when more information comes to hand.