Critical Atlassian Confluence flaw remains under attack

A remote code execution flaw in Atlassian's developer tools has morphed into a ransomware threat.

The vulnerability, which affects on-premises versions of Atlassian Confluence Data Center and Server products, was first disclosed on June 3 amid reports of exploitation in the wild and patched the following day. Researchers with Microsoft say the bug, designated CVE-2022-26134, has now been abused by ransomware threat actors in the wild.

In particular, Microsoft researchers observed the flaw being exploited by hackers to deploy the Cerber 2021 ransomware package. Targeted machines were loaded with not only the ransomware package, but a host of traditional malware, including cryptocurrency miners and lateral movement tools.

"In many cases impacted devices have been observed with multiple disparate instances of malicious activity, including extensive device and domain discovery, and the deployment of payloads like Cobalt Strike, web shells, botnets like Mirai and Kinsing, coin miners, and ransomware," Microsoft's Security Intelligence team wrote in a tweet Friday.

In addition, Microsoft noted the vulnerability was being exploited by threat actors and nation-state groups, including a China-based group Microsoft tracks as DEV-0401. Microsoft earlier this year observed DEV-0401 exploiting the Log4Shell flaw to deploy a new ransomware variant known as Night Sky.

Microsoft isn't the only party to observe continued exploitation of the vulnerability. The Shadowserver Foundation, a nonprofit infosec organization, told SearchSecurity its researchers also noted an uptick in attacks, with as many as 5,000 servers still vulnerable to exploits.

Administrators are being advised to update their Atlassian Confluence Data Center and Server installations as soon as possible to stem the tide of attacks.

The Atlassian Confluence vulnerability is a remote code execution vulnerability stemming from the way servers handle Open Graph Navigation Language (OGNL) Java code. In this case, an attacker could inject commands into a packet of OGNL data, enabling the aggressor to execute commands they would otherwise not be able to do. In the worst case, those commands would include launching a web shell and providing total command over a server.

"Atlassian has been made aware of current active exploitation of a critical severity unauthenticated remote code execution vulnerability in Confluence Data Center and Server," Atlassian said in an advisory for the flaw.  "The OGNL injection vulnerability allows an unauthenticated user to execute arbitrary code on a Confluence Server or Data Center instance."

Understandably, the bug was listed as a critical vulnerability and given a top priority for patching. A NIST rating of 9.8 indicates the vulnerability is a serious security threat for enterprises, particularly now that it's being actively targeted.

Patching the vulnerability depends on the active version of the Atlassian Confluence software, but fixed versions will include those on or later than 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1.