“Multiple adversaries” exploiting Confluence vulnerability, warns Microsoft

Microsoft has warned that “multiple adversaries and nation-state actors” are making use of the recent Atlassian Confluence RCE vulnerability. A fix is now available for CVE-2022-26134. It is essential that Confluence users apply the patch immediately.

Confluence vulnerability: Background

At the start of June, researchers discovered a vulnerability in Atlassian Confluence via an incident response investigation. Confluence, a Wiki-style collaboration tool, was found to have a “critical unauthenticated remote code execution vulnerability”. It affected both Confluence Server and Confluence Data Center.

The attack discovered during the investigation revealed web shells deployed on the server. These web shells allow persistent access to compromised web applications. The web server process and its child processes ran as root with full privileges. This is very bad news: it allowed execution of commands even without valid credentials.

Worse, the web shell found is one commonly used by various Advanced Persistent Threat (APT) groups. This almost certainly isn’t the kind of thing admins discovering an attack want to hear mid-investigation.

Unfortunately, mitigation advice was somewhat limited. It ranged from restricting access to simply turning off Confluence Server and Data Center instances. On June 3, Atlassian released versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1, which contained a fix for this vulnerability.
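Because the fix shipped on several maintenance branches at once, a plain "newer than 7.13.7" comparison gets it wrong (7.14.0 is newer but still unfixed). The branch-aware check below is an added example, not code from the Malwarebytes post or from Atlassian; it uses the fixed releases listed above and assumes that branches newer than 7.18 carry the fix and that any branch with no listed fix must move to a fixed one.

```python
"""Branch-aware check: does an installed Confluence Server / Data Center
version include the CVE-2022-26134 fix?"""
import re

# First fixed release on each maintained branch, per Atlassian's June 3 fix list.
FIXED_VERSIONS = ["7.4.17", "7.13.7", "7.14.3", "7.15.2",
                  "7.16.4", "7.17.4", "7.18.1"]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Parse 'major.minor.patch'; trailing suffixes such as '-rc1' are ignored."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Confluence version: {text!r}")
    return tuple(int(x) for x in m.groups())


def fmt(v):
    return ".".join(map(str, v))


_FIXED_BY_BRANCH = {v[:2]: v for v in map(parse_version, FIXED_VERSIONS)}
_NEWEST_FIXED_BRANCH = max(_FIXED_BY_BRANCH)


def assess(version_text):
    """Return (is_patched, reason) for one installed version string."""
    v = parse_version(version_text)
    branch = v[:2]
    if branch in _FIXED_BY_BRANCH:
        fixed = _FIXED_BY_BRANCH[branch]
        if v >= fixed:
            return True, f"{version_text} is at or above fixed release {fmt(fixed)}"
        return False, f"{version_text} predates fixed release {fmt(fixed)}; upgrade"
    if branch > _NEWEST_FIXED_BRANCH:
        # Assumption: releases on branches newer than 7.18 carry the fix.
        return True, f"{version_text} is newer than every listed fixed branch"
    # Assumption (conservative): branches with no listed fix (below 7.4, or
    # 7.5 through 7.12) have nothing to patch to and must move to a fixed branch.
    return False, f"no fixed release listed for branch {fmt(branch)}; upgrade"


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, ver in [("wiki-01", "7.13.6"), ("wiki-02", "7.14.0"),
                      ("wiki-03", "7.18.1"), ("wiki-04", "7.10.2")]:
        ok, why = assess(ver)
        print(f"{host}: {'patched' if ok else 'VULNERABLE'} ({why})")
```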

The current situation

Here are the latest observations from Microsoft:

Multiple adversaries and nation-state actors, including DEV-0401 and DEV-0234, are taking advantage of the Atlassian Confluence RCE vulnerability CVE-2022-26134. We urge customers to upgrade to the latest version or apply recommended mitigations: https://t.co/C3CykQgrOJ

— Microsoft Security Intelligence (@MsftSecIntel) June 11, 2022

Microsoft continues:

In many cases impacted devices have been observed with multiple disparate instances of malicious activity, including extensive device and domain discovery, and the deployment of payloads like Cobalt Strike, web shells, botnets like Mirai and Kinsing, coin miners, and ransomware.

A mixed bag of attacks

Industrious malware authors really have been having a grand time of things with this vulnerability. As noted by Microsoft, several varied approaches to compromise and exploitation are being used. AvosLocker ransomware and Linux botnets are getting in on the action. Cryptomining jumping on the bandwagon is an inevitability across most campaigns we see, and this is no exception.

Microsoft also noticed the Confluence vulnerability being exploited to download and deploy Cerber2021 ransomware. The Record observed that Cerber2021 is a “relatively minor player”, with both Windows and Linux versions used to lock up machines. Here’s an example of the ransomware, via MalwareHunterTeam:

There is a ransomware currently active that is calling itself Cerber.
Has Windows & Linux versions.
Looks like it started to spread in the first half of November. IDR seen both Linux (multiple victims got git files encrypted) & Windows user victims already from different countries.


— MalwareHunterTeam (@malwrhunterteam) December 4, 2021

Having the fixes to address this issue is great, but organisations need to actually make use of them. This is still a serious problem for anyone using unpatched versions of affected Confluence installations.

If you don’t want to run the gauntlet of APT groups, cryptomining chancers, botnets and more, the message is loud and clear: get on over to the Confluence Download Archives and patch immediately.

The post “Multiple adversaries” exploiting Confluence vulnerability, warns Microsoft appeared first on Malwarebytes Labs.