Dive Brief:
- Threat actors have ramped up activity against Atlassian’s Confluence, less than a week after a critical zero-day vulnerability was disclosed in the on-premise versions Confluence Server and Data Center.
- Since Atlassian released a security fix on June 3, more than 850 unique IP addresses have attempted to exploit the vulnerability, according to researchers at GreyNoise. Researchers said the first widespread exploit attempts began Saturday.
- “What we generally see with this type of mass exploitation is the bad guys trying to spin up their attacks as quickly as possible, to take advantage of security organizations that can’t patch or mitigate the vulnerabilities quickly enough,” GreyNoise researchers said through a spokesperson. “So a widespread vulnerability like Confluence ends up being a race against time to see who is faster – the attackers or the defenders.”
Dive Insight:
Confluence is a team workspace application used by about 75,000 customers, although most of those use the cloud edition, which is not affected by this vulnerability. The critical Object Graph Navigation Language (OGNL) injection vulnerability (CVE-2022-26134) could let an unauthenticated attacker remotely execute code on Confluence Data Center and Server.
Researchers said the scale of activity around this puts it in line with the activity that surrounded the Apache Log4j vulnerability (CVE-2021-44228). The volume may be due to the ease of exploiting this vulnerability, combined with the valuable information held in the Confluence database, which includes passwords, proprietary customer information and other confidential data.
The attacks appear to be quite targeted, in contrast to the spray-and-pray attacks seen during Log4j, according to GreyNoise researchers. These attackers appear to be checking IP addresses to confirm the host is running Confluence before they begin to attack.
Some of the observed exploit activity includes generic reverse shells, which give the attacker remote control of the server. Researchers are also seeing obfuscated payloads, including code snippets meant to add Confluence servers to the Mirai/Saru botnets.
Researchers at Cloudflare said they reviewed data indicating even earlier activity surrounding the exploit. After reviewing web application firewall (WAF) data, the company observed requests that matched potentially malicious payloads dating back to May 26.
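The kind of retrospective review Cloudflare describes can be reproduced against a server's own access logs. The following is an added example, not code from the article, GreyNoise or Cloudflare; it assumes combined-format access logs and that OGNL injection attempts against Confluence carry `${` or `%{` expression delimiters in the request path, possibly URL-encoded (the log lines are constructed, and the expressions in them are harmless probes).

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined format, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [04/Jun/2022:10:01:12 +0000] "GET /login.action HTTP/1.1" 200 5120
203.0.113.5 - - [04/Jun/2022:10:01:15 +0000] "GET /%24%7B7%2A7%7D/ HTTP/1.1" 302 0
198.51.100.7 - - [04/Jun/2022:10:02:40 +0000] "GET /display/SPACE/Home HTTP/1.1" 200 8800
198.51.100.9 - - [04/Jun/2022:10:03:01 +0000] "GET /%2524%257B%2522probe%2522%257D/ HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# OGNL expression delimiters, checked after URL-decoding (assumption: these
# delimiters are the marker worth hunting for in the request path).
OGNL_MARKER = re.compile(r'[$%]\{')

def decode_path(path):
    """URL-decode until the string stops changing, so double encoding is caught."""
    prev = None
    while prev != path:
        prev, path = path, unquote(path)
    return path

def find_ognl_attempts(log_text):
    """Return one record per request whose decoded path contains an OGNL delimiter."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        decoded = decode_path(m['path'])
        if OGNL_MARKER.search(decoded):
            hits.append({'ip': m['ip'], 'ts': m['ts'],
                         'path': decoded, 'status': int(m['status'])})
    return hits

def unique_sources(hits):
    """Distinct source addresses behind the flagged requests, for triage."""
    return sorted({h['ip'] for h in hits})

if __name__ == '__main__':
    found = find_ognl_attempts(SAMPLE_LOG)
    for h in found:
        print(h)
    print('unique sources:', unique_sources(found))
```

A match is an indicator to triage, not proof of compromise; path-only matching also misses payloads carried in headers or request bodies, which a WAF sees but an access log does not.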
Cloudflare said some of the activity it has seen is indicative of malware campaigns and botnet behavior.
The Cybersecurity and Infrastructure Security Agency added the vulnerability to its Known Exploited Vulnerabilities Catalog, and federal agencies were ordered to disconnect affected Confluence instances last week.