Active exploit of Atlassian Confluence
Threat update
This Cybersecurity Threat Advisory details the exploitation of the critical vulnerability CVE-2023-22518 in Atlassian Confluence Data Center and Server. Attackers are deploying a Linux variant of Cerber (aka C3RB3R) ransomware. The vulnerability allows unauthenticated attackers to reset Confluence and create administrator accounts, granting them complete control over affected systems.
Technical Detail and Additional Info
What is the threat?
CVE-2023-22518 is being exploited to gain a foothold on the targeted Atlassian Confluence application servers. This critical vulnerability allows an unauthenticated attacker to reset the application and establish a new administrator account.
Here is the exploit chain:
- Attacker leverages CVE-2023-22518 to reset Confluence and create an admin account.
- The attacker utilizes the newly acquired admin privileges to install the Effluence web shell plugin, granting remote code execution capabilities.
- The Effluence web shell is employed to download and execute the primary Cerber ransomware payload.
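The first two steps of that chain leave traces in the Confluence access log. The following added example (not from this advisory or any of the referenced sources) flags POSTs to the `/json/setup-restore*` endpoints that Atlassian's own advisory for CVE-2023-22518 tells administrators to block, and POSTs to the Universal Plugin Manager path through which a plugin such as the web shell would be installed; both path patterns and the combined-format log layout are assumptions of the example, and the log lines are constructed.

```python
import re

# Paths associated with the CVE-2023-22518 setup-restore flow (assumed here from
# Atlassian's advisory) and with plugin uploads via the Universal Plugin Manager,
# which installing the Effluence web shell plugin would go through.
RESTORE_PATH = re.compile(r"^/json/setup-restore[^\s?]*\.action")
PLUGIN_UPLOAD_PATH = re.compile(r"^/rest/plugins/1\.0/?")

# Combined-format access log: ip ident user [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: one client hits the restore endpoint and then uploads a
# plugin; a second client only uploads a plugin (ordinary admin activity).
SAMPLE_LOG = """\
203.0.113.7 - - [05/Nov/2023:10:12:01 +0000] "GET /login.action HTTP/1.1" 200 5123
203.0.113.7 - - [05/Nov/2023:10:12:09 +0000] "POST /json/setup-restore.action?synchronous=true HTTP/1.1" 200 311
203.0.113.7 - - [05/Nov/2023:10:14:30 +0000] "POST /rest/plugins/1.0/?token=abc HTTP/1.1" 202 98
198.51.100.4 - - [05/Nov/2023:10:15:00 +0000] "GET /display/HOME/Welcome HTTP/1.1" 200 8890
198.51.100.4 - - [05/Nov/2023:10:16:00 +0000] "POST /rest/plugins/1.0/?token=def HTTP/1.1" 202 98
"""

def parse_line(line):
    """Parse one access log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_suspicious(lines):
    """Return (kind, ip, timestamp, path, status) for every restore or plugin-upload POST."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if RESTORE_PATH.match(rec["path"]):
            hits.append(("setup-restore", rec["ip"], rec["ts"], rec["path"], rec["status"]))
        elif PLUGIN_UPLOAD_PATH.match(rec["path"]):
            hits.append(("plugin-upload", rec["ip"], rec["ts"], rec["path"], rec["status"]))
    return hits

def chain_candidates(hits):
    """IPs that hit a restore endpoint and also uploaded a plugin: the chain above."""
    restore_ips = {h[1] for h in hits if h[0] == "setup-restore"}
    upload_ips = {h[1] for h in hits if h[0] == "plugin-upload"}
    return sorted(restore_ips & upload_ips)

if __name__ == "__main__":
    found = find_suspicious(SAMPLE_LOG.splitlines())
    for hit in found:
        print(hit)
    print("chain candidates:", chain_candidates(found))
```

Any POST to the restore endpoints from an address that is not a known administrator's warrants review on its own; the chain check only ranks which clients to look at first.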
Why is it noteworthy?
The exploit targets a vulnerability in Atlassian's software, allowing remote attackers to execute arbitrary code on vulnerable systems. Threat actors have utilized this vulnerability to deploy a variant of the Cerber ransomware tailored for Linux environments. The exploit likely involves sending crafted requests to the affected Atlassian products, resulting in the execution of malicious code.
What is the exposure or risk?
The vulnerability has a high CVSS score of 9.1 due to the ease of exploitation, remote access potential, and data encryption consequences. Organizations running unpatched Atlassian Confluence Server or Data Center versions are at risk. Potential losses include encrypted data, data exfiltration, operational disruption, financial losses due to downtime, and ransom demands.
What are the recommendations?
LBT Technology Group recommends the following actions to secure your Atlassian servers against this threat:
- Update Confluence to the latest patched version as soon as possible.
- Limit external access to Confluence servers, using firewalls and access control lists to block unauthorized connection attempts.
- Implement strong and unique passwords for all Confluence user accounts, particularly administrative accounts. Utilize multi-factor authentication (MFA) for an additional security layer.
- Maintain regular and secure backups of critical data to facilitate recovery in case of a ransomware attack.
- Educate employees on cybersecurity best practices, including phishing email identification and avoiding suspicious attachments or links.
References
For more in-depth information about the recommendations, please visit the following links:
- https://gbhackers.com/cerber-linux-ransomware/
- https://thehackernews.com/2024/04/critical-atlassian-flaw-exploited-to.html
- https://securitybrief.asia/story/cado-security-unmasks-cerber-ransomware-threat-to-confluence-server
If you have any questions, please contact LBT's Sales Engineer.