top of page
  • WatchTower365

Security Advisory - Atlassian fixes Confluence zero-day widely exploited in attacks

Updated: Oct 12, 2023

Atlassian has issued security upgrades for Confluence Server and Data Center to address a serious zero-day vulnerability that has been regularly exploited in the wild to backdoor Internet-exposed machines.

The zero-day (CVE-2022-26134) affects all supported versions of Confluence Server and Data Center and permits remote code execution on unpatched systems by unauthenticated attackers.

Security Advisory - Atlassian fixes Confluence zero-day widely exploited in attacks

The Cybersecurity and Infrastructure Security Agency (CISA) has added it to its 'Known Exploited Vulnerabilities Catalog,' mandating federal agencies to restrict all internet communication to Confluence servers on their networks since it was identified as an actively exploited issue.

Customers should update their appliances to versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, and 7.18.1, which have a cure for this vulnerability.

"We strongly encourage upgrading to a fixed version of Confluence because the fixed versions of Confluence include multiple other security fixes," Atlassian noted.

Admins that are unable to upgrade their Confluence installations immediately can utilize a temporary workaround to mitigate the CVE-2022-26134 security flaw by upgrading specific JAR files on their Confluence servers, as comprehensive instructions can be found here.

Widely Exploited in Ongoing Attacks

During an incident response over Memorial Day weekend, cybersecurity firm Volexity uncovered the security flaw.

Volexity determined that the zero-day was leveraged to install a BEHINDDER JSP web shell, which let the threat actors to remotely execute commands on the vulnerable server.

To keep access to the hacked server, they also deployed a China Chopper web shell and a rudimentary file upload application as backups.

Multiple threat actors from China, according to Volexity threat experts, are leveraging CVE-2022-26134 exploits to get into Internet-exposed and unpatched Confluence servers.

The business also shared a list of IP addresses that were used in the assaults, as well as certain Yara rules for detecting web shell activity on potentially compromised Confluence servers.

"The industries/verticals targeted are extremely diverse. Volexity President Steven Adair disclosed today that "this is a free-for-all where the exploitation appears to be orchestrated."

"It is apparent that the exploit is in the hands of several threat organizations and individual actors, who have been employing it in a variety of ways."

"Some are sloppy, while others are more stealthy. The most frequent tasks we've observed so far are loading class files into memory and writing JSP shells."

After a proof-of-concept attack was widely disclosed online, a similar Atlassian Confluence remote code execution vulnerability was used in the field in September 2021 to install crypto-mining malware.

bottom of page