Ransomware groups are now targeting a newly patched and actively exploited remote code execution (RCE) flaw affecting Atlassian Confluence Server and Data Center installations to gain initial access to corporate networks. When successfully exploited, this OGNL injection flaw (CVE-2022-26134) allows unauthenticated attackers to remotely take over unpatched systems by creating new admin accounts and running arbitrary code.
Proof-of-concept exploits were also posted online shortly after in-the-wild exploitation was revealed and Atlassian patched the flaw, further lowering the skill level required to exploit it. Multiple botnets and threat actors are abusing this security weakness, alongside earlier known vulnerabilities, to distribute cryptomining malware, which underlines both the severity of the flaw and the ready availability of working exploits.
According to analysts at Swiss cyber threat intelligence firm Prodaft, AvosLocker ransomware affiliates have already jumped on the bandwagon. They are currently focusing on internet-exposed Confluence servers that remain unpatched “to infect multiple victims on a mass scale systematically.”
“By performing mass scans on various networks, AvosLocker threat actors search for vulnerable machines used to run Atlassian Confluence systems,” Prodaft said. “AvosLocker has already managed to infect multiple organizations from different parts of the globe, including but not limited to the United States, Europe, and Australia.”
Several victims revealed that Cerber2021 ransomware (also known as CerberImposter) is aggressively targeting and encrypting Confluence instances that aren’t patched against CVE-2022-26134. ID-Ransomware developer Michael Gillespie said that CerberImposter uploads include encrypted Confluence configuration files, indicating that Confluence instances are being encrypted in the wild.
The release of CVE-2022-26134 proof-of-concept exploits coincides with an uptick in successful Cerber ransomware operations. Microsoft also revealed late Friday that Confluence servers had been used to deploy Cerber2021. Cerber previously attacked Confluence servers throughout the world in December 2021, exploiting CVE-2021-26084, a vulnerability that allows unauthenticated attackers to obtain remote code execution on susceptible systems.
CISA has instructed federal agencies to remediate the weakness by blocking all internet traffic to Confluence servers on their networks, after cybersecurity firm Volexity disclosed CVE-2022-26134 as an actively exploited zero-day bug last week. According to Volexity, several China-linked threat actors are likely exploiting the vulnerability to target vulnerable servers and deploy web shells.
One day after details of this actively exploited flaw were disclosed, Atlassian released security updates and advised customers to patch their installations to block ongoing attacks. If you can’t upgrade your Confluence Server and Data Center instances right now, you can apply the temporary workaround outlined here, which involves updating specific JAR files on the Confluence server.
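The following is an added example and not part of the article or Atlassian's own tooling: a small Python scanner that runs over constructed Confluence access-log lines (combined log format) and flags requests whose URL-decoded path contains an OGNL expression delimiter, the shape of request associated with this injection flaw, plus requests to the admin user-creation endpoint, since the article notes attackers create new admin accounts. The log lines and the `/admin/users/createuser.action` path are assumptions made for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the article). The third line carries a
# URL-encoded OGNL delimiter in the request path; the expression is a harmless string
# literal used only as a marker. The fourth line is an admin user-creation request.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Jun/2022:10:01:12 +0000] "GET /login.action HTTP/1.1" 200 5123
10.0.0.9 - - [03/Jun/2022:10:02:40 +0000] "GET /rest/api/content?limit=10 HTTP/1.1" 200 988
203.0.113.7 - - [03/Jun/2022:10:03:01 +0000] "GET /%24%7B%27probe%27%7D/ HTTP/1.1" 302 0
10.0.0.5 - - [03/Jun/2022:10:04:15 +0000] "POST /admin/users/createuser.action HTTP/1.1" 200 2210
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
# OGNL expression delimiters, checked after decoding so %24%7B and ${ are treated alike.
OGNL_RE = re.compile(r"\$\{|%\{")
# Assumed Confluence admin endpoint for creating users (placeholder path for this example).
ADMIN_CREATE_USER = "/admin/users/createuser.action"


def decode_uri(uri: str) -> str:
    """URL-decode repeatedly to defeat double encoding, bounded to avoid endless loops."""
    for _ in range(3):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def scan_confluence_log(text: str) -> list[dict]:
    """Return one finding per request that carries an OGNL-style expression in its path
    or that targets the admin user-creation endpoint."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        uri = decode_uri(m["uri"])
        reason = None
        if OGNL_RE.search(uri):
            reason = "ognl-expression-in-uri"
        elif uri.startswith(ADMIN_CREATE_USER):
            reason = "admin-user-creation"
        if reason:
            findings.append({"src": m["src"], "ts": m["ts"], "uri": uri,
                             "status": int(m["status"]), "reason": reason})
    return findings


if __name__ == "__main__":
    for f in scan_confluence_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} {f['reason']}: {f['uri']} -> {f['status']}")
```

A 302 or 200 on a request carrying an OGNL delimiter is a strong signal on an unpatched server; correlate the source address with any user-creation request that follows it.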