Atlassian

Hackers are actively exploiting a new Atlassian Confluence zero-day vulnerability tracked as CVE-2022-26134 to install web shells, with no fix available at this time.

Today, Atlassian released a security advisory disclosing that CVE-2022-26134 is a critical unauthenticated, remote code execution vulnerability tracked in both Confluence Server and Data Center.

Atlassian says that they confirmed the vulnerability in Confluence Server 7.18.0 and believe that Confluence Server and Data Center 7.4.0 and higher are also vulnerable.

The advisory warns that threat actors are actively exploiting Confluence Server 7.18.0.

As there are no patches available, Atlassian is telling customers to make their servers inaccessible by one of these two methods:

  • Restricting Confluence Server and Data Center instances from the internet.

  • Disabling Confluence Server and Data Center instances.

There are no other ways to mitigate this vulnerability.

Organizations that use Atlassian Cloud (accessible via atlassian.net) are unaffected by this vulnerability.

Atlassian is actively working on a patch and will release further information in their advisory when it becomes available.

The Cybersecurity and Infrastructure Security Agency (CISA) has added this zero-day to its 'Known Exploited Vulnerabilities Catalog'  and is requiring federal agencies to block all internet traffic to Confluence servers by tomorrow, June 3rd.

Update 6/3/22: Atlassian has released security updates that resolve the vulnerability and shared the following statement with BleepingComputer.

"On June 3, 2022, we updated the security advisory with the fix for Confluence Data Center and Server products. Please see the advisory for more information and instructions: https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html"

Servers exploited for initial access

In a coordinated disclosure, cybersecurity firm Volexity explained that the vulnerability was discovered over the Memorial Day weekend while performing incident response.

After conducting the investigation, Volexity could reproduce the exploit against the latest Confluence Server version and disclosed it to Atlassian on May 31st.

"After a thorough review of the collected data, Volexity was able to determine the server compromise stemmed from an attacker launching an exploit to achieve remote code execution," explains a blog post by Volexity.

"Volexity was subsequently able to recreate that exploit and identify a zero-day vulnerability impacting fully up-to-date versions of Confluence Server."

In the breach analyzed by Volexity, threat actors installed BEHINDER, a JSP web shell that allows threat actors to execute commands on the compromised server remotely.

The threat actors then used BEHINDER to install the China Chopper web shell and a simple file upload tool as backups.

From Volexity's investigation, the threat actors dumped the user tables of the Confluence server, wrote additional webshells, and altered access logs to evade detection.

Volexity says that they believe the multiple threat actors from China are utilizing these exploits.

As there are no patches available, Volexity also recommends that Confluence admins disconnect their servers from the Internet until Atlassian releases a fix.

Volexity has released a list of IP addresses behind the attacks and Yara rules to identify web shell activity on Confluence servers.

Update 6/3/22: Added info on the released security updates

Related Articles:

CrushFTP warns users to patch exploited zero-day “immediately”

22,500 Palo Alto firewalls "possibly vulnerable" to ongoing attacks

Palo Alto Networks warns of PAN-OS firewall zero-day used in attacks

Palo Alto Networks fixes zero-day exploited to backdoor firewalls

Telegram fixes Windows app zero-day used to launch Python scripts