The abuse of a critical vulnerability recently discovered in Atlassian’s Confluence product is now “widespread”, according to multiple security researchers.
The vulnerability is tracked as CVE-2023-22518, an authentication bypass flaw affecting all versions of Confluence Data Center and Confluence Server. It carries a severity score of 9.1, and was initially thought to allow hackers to destroy sensitive data, but not steal it.
A week after Atlassian sounded the alarm, Glenn Thorpe, senior director of security research and detection engineering at security firm GreyNoise, said that he’d observed hackers going after Ukrainian targets. This past Sunday, three different IP addresses were executing malicious commands on target endpoints. The attacks, he added, have since stopped.
C3RB3R and others
The DFIR Report, on the other hand, warned that a group under the name C3RB3R was using the flaw to somehow deliver ransomware to the targets. In other cases, hackers were using the vulnerability for lateral movement.
“As of November 5, 2023, Rapid7 Managed Detection and Response (MDR) is observing exploitation of Atlassian Confluence in multiple customer environments, including for ransomware deployment,” the company said.“We have confirmed that at least some of the exploits are targeting CVE-2023-22518, an improper authorization vulnerability affecting Confluence Data Center and Confluence Server.”
“In multiple attack chains, Rapid7 observed post-exploitation command execution to download a malicious payload hosted at 193.43.72[.]11 and/or 193.176.179[.]41, which, if successful, led to single-system Cerber ransomware deployment on the exploited Confluence server.”
Atlassian addressed the vulnerability and patched Confluence Data Center and Server versions 7.19.16, 8.3.4, 8.4.4, 8.5.3, and 8.6.1.
Users are advised to apply the fix immediately. If, for any reason, they can’t do that, they should deploy mitigation measures, including backing up unpatched instances and blocking Internet access until they’re upgraded.
“Instances accessible to the public internet, including those with user authentication, should be restricted from external network access until you can patch,” the company said.
Via ArsTechnica
