Despite multiple warnings to patch a critical Atlassian Confluence vulnerability, a significant number of servers remain vulnerable as reports of widespread exploitation mount one week after public disclosure.
On Oct. 31, Atlassian published a security advisory detailing an improper authorization vulnerability, tracked as CVE-2023-22518, in its Confluence Data Center and Server products, which have been a popular target for attackers. The advisory urged users to upgrade to the fixed versions and included a message from Atlassian CISO Bala Sathiamurthy, who instructed customers to "take immediate action" or risk "significant data loss." That message was relayed again in a Nov. 2 update, though Atlassian said it had received no reports of active exploitation.
However, Atlassian customer reports of active exploitation started rolling in on Nov. 3, and the numbers continue to rise. Now, multiple cybersecurity vendors have observed widespread exploitation of vulnerable Confluence instances.
Atlassian underlined the threat on Nov. 6 with a further advisory update that raised the flaw's CVSS score and added indicators of compromise.
"We have escalated CVE-2023-22518 from CVSS 9.1 to 10, the highest critical rating, due to the change in the scope of the attack," Atlassian wrote in the updated security advisory.
The advisory also warned that all on-premises versions of Confluence Data Center and Server are affected by the flaw, which could allow an unauthenticated attacker to gain administrator account access. Atlassian said cloud instances are not vulnerable to CVE-2023-22518.
Exploitation of CVE-2023-22518 worsened as several security vendors began reporting ransomware activity.
Managed security service provider Huntress detailed post-exploitation activity in a blog post Tuesday that included evidence of ransomware deployment. Like other vendors, Huntress initially observed exploitation beginning on Nov. 3, only three days after the patch release. Huntress acknowledged that security teams were left with little time to respond.
"After gaining administrative access with the injected admin user, adversaries are free to install an Atlassian Web Shell plugin to execute code remotely, pilfer sensitive information from the Confluence spaces, or install ransomware," Huntress wrote in the blog.
Ransomware reports surface
In a blog post Monday, Red Canary warned that successful exploitation could lead to the deployment of Cerber ransomware, a strain that was discovered in 2016. The managed detection and response (MDR) vendor detected suspicious activity that led to an attempted Cerber ransomware deployment. However, the blog also revealed a potentially alarming attack timeline.
"It's worth noting that the first submission of the ransomware binary on VirusTotal was on November 1, 2023, suggesting that exploitation may have begun within 24 hours of initial disclosure of the CVE, which Atlassian released publicly on October 31, 2023," Red Canary wrote in the blog.
Rapid7 confirmed that its MDR team also observed "exploitation of Atlassian Confluence in multiple customer environments, including for ransomware deployment." While the security vendor did not provide an exact number, researchers observed that "multiple attack chains" involved the same Cerber ransomware deployment following successful exploitation of CVE-2023-22518.
"Customers should update to a fixed version of Confluence on an emergency basis," Rapid7 wrote in the blog.
Caitlin Condon, head of vulnerability research at Rapid7, told TechTarget Editorial that as of Monday night, a favicon hash-based search revealed that 5,300 out of 5,600 internet-facing Confluence servers remained unpatched. "The query matters a great deal when estimating exposure, so it's possible other queries might raise different numbers," Condon said.
GreyNoise also reported a rapid uptick in exploitation beginning on Sunday. As of Monday, the security vendor told TechTarget Editorial that it observed five IP addresses using either VPNs or co-opted infrastructure to exploit the authentication bypass vulnerability. GreyNoise said it has 10 tags for current and previous Confluence weaknesses, and all but one show daily or weekly presence checks or exploit attempts.
CVE-2023-22518 is the second Atlassian Confluence vulnerability to be actively exploited over the past month. In early October, a Confluence zero-day flaw came under attack from a known nation-state threat group.
"That means attackers find Confluence a valuable exploitation target and work diligently to gain access to new installations and maintain access to existing ones," GreyNoise Labs said in a statement to TechTarget Editorial. "Researchers from GreyNoise Labs strongly encourage all organizations that have Confluence installations to patch and/or apply mitigations as soon as possible."
While it's clear that attackers are targeting and exploiting CVE-2023-22518 at a rapid rate, data shows that organizations remain slow to patch by comparison. Infosec experts and vendors cited the downtime an upgrade can require as one reason for the lack of prompt patching.
When it comes to addressing the most recent Confluence vulnerability, Sandeep Singh, CTO and co-founder at ProjectDiscovery, listed several factors that contribute to patching problems. First is a lack of understanding of an organization's attack surface and insufficient scanning protocols.
"They might also be using tools that prioritize audit compliance over pinpointing genuinely exploiting vulnerabilities," Singh said in an email to TechTarget Editorial. "Effective defense necessitates a strategy that combines data from multiple sources to map out the entire attack landscapes. If they are using tools that create a lot of noise, they may have found the error, but are challenged to prioritize the results."
He recommended using tools that mimic an attacker's mindset and incorporating data from CISA's Known Exploited Vulnerabilities catalog to identify exploitable vulnerabilities. ProjectDiscovery released a detection-based template for the Confluence vulnerability on Nov. 2.
Tenable engineer Satnam Narang said that while it's not difficult to patch the vulnerability, the downtime could affect productivity as companies rely on Confluence for online collaboration and workspaces.
"When the CISO puts out a statement in an advisory, the severity is not lost on us. We knew it was just a matter of time before it would be exploited, and sure enough, this weekend we got confirmation from our partners at GreyNoise that widespread exploitation has begun," Narang said in an email.
GreyNoise emphasized to TechTarget Editorial that public-facing Confluence servers have a long history of remaining exposed to each new vulnerability that arises. The vendor attributed the problem to organizations' lack of security awareness. "Most organizations install software to 'get stuff done' and are not subscribed to vendor patch/security notices, nor pay close attention to media sources that might otherwise help them make informed decisions," GreyNoise said.
Condon attributed the patching problem to an overwhelming number of threats against organizations at any given time, paired with limited resources in some cases. "The latest Confluence CVE is one of at least half a dozen high-profile vulnerabilities in popular technologies that have either been exploited in the wild recently or that are at risk of imminent exploitation," she said.
Condon encouraged enterprises to install basic security program components such as vulnerability management capabilities and multifactor authentication, which she said can make a big difference in staving off many attacks.
In a statement to TechTarget Editorial, Atlassian said protecting its customers' data is the top priority.
"After discovering the unexploited vulnerability on October 31, 2023, we issued the Critical Security Advisory, urging customers to take immediate action. While there was still no known exploit, we issued another wave of communications on November 2, 2023, that noted the increased risk for any customers that had not yet applied the patch after observing publicly posted critical information about the vulnerability," Atlassian said. "On November 3, 2023, we warned customers of an active exploit and escalated this on November 6, 2023, following evidence of malicious activity, including ransomware attacks."
Atlassian again urged customers to take immediate action on unpatched instances.
Arielle Waldman is a Boston-based reporter covering enterprise security news.