The Information Highway

The Information Highway

Font size: +
2 minutes reading time (398 words)

Active exploit of Atlassian Confluence

Threat update

This Cybersecurity Threat Advisory details the exploitation of the critical vulnerability CVE-2023-22518 in the Atlassian Confluence Data Center and Server. Attackers are deploying a Linux variant of Cerber (aka C3RB3R) ransomware. This allows unauthenticated attackers to reset Confluence and create administrator accounts, granting them complete control over affected systems.

Technical Detail and Additional Info

What is the threat?

CVE-2023-22518 is being exploited to gain a foothold on the targeted Atlassian Confluence application servers. This critical vulnerability allows an unauthenticated attacker to reset the application and establish a new administrator account.

Here is the exploit chain:

    1. Attacker leverages CVE-2023-22518 to reset Confluence and create an admin account.
    2. The attacker utilizes the newly acquired admin privileges to install the Effluence web shell plugin, granting remote code execution capabilities.
    3. The Effluence web shell is employed to download and execute the primary Cerber ransomware payload.

Why is it noteworthy?

The exploit targets a vulnerability in Atlassian's software, allowing remote attackers to execute arbitrary code on vulnerable systems. Threat actors have utilized this vulnerability to deploy a variant of the Cerber ransomware tailored for Linux environments. The exploit likely involves sending crafted requests to the affected Atlassian products, resulting in the execution of malicious code. 

What is the exposure or risk?

The vulnerability has a high CVSS score of 9.1 due to the ease of exploitation, remote access potential, and data encryption consequences. Organizations utilizing unpatched Atlassian Confluence Server or Data Center versions are at risk. There could be potential losses, including encrypted data, data exfiltration, operational disruption, financial losses due to downtime, and potential ransom demands. 

What are the recommendations?

 LBT Technology Group recommends the following actions to secure your Atlassian servers against this threat:

  • Update Confluence to the latest patched version as soon as possible.
  • Limit external access to Confluence servers, implementing firewalls and access control lists to mitigate unauthorized attempts.
  • Implement strong and unique passwords for all Confluence user accounts, particularly administrative accounts. Utilize multi-factor authentication (MFA) for an additional security layer.
  • Maintain regular and secure backups of critical data to facilitate recovery in case of a ransomware attack.
  • Educate employees on cybersecurity best practices, including phishing email identification and avoiding suspicious attachments or links.

References

Frontier Communications shuts down systems after c...
LayerSlider SQL injection vulnerability

Related Posts

 

Comments

No comments made yet. Be the first to submit a comment
Monday, 18 November 2024

Captcha Image

Top Breaches Of 2023

Customers Affected In T-Mobile Breach
Accounts Affected In MOVEit Breach
Customers Affected In MCNA Insurance Data Breach
Individuals Affected In PharMerica Data Breach
Users Affected In ChatGPT Major Data Breach
*Founder Shield End of Year 2023