Critical Atlassian Confluence Vulnerability Under Attack | heise online

Last week, Atlassian closed a critical security vulnerability in Confluence Server and Data Center with updated software packages. After details of the vulnerability became public shortly afterwards, the manufacturer is now warning that attackers are actively exploiting it.


The Atlassian Security Notice has since been updated several times. On Thursday last week, the company added: “As part of Atlassian’s ongoing monitoring of this vulnerability, we have observed that critical information about the vulnerability has been published, increasing the risk of abuse.” On Friday it noted that a customer had reported an attack exploiting the vulnerability. On Monday, Atlassian raised the severity of the vulnerability CVE-2023-22518 from CVSS 9.1 to CVSS 10.0.

The developers added: “We have seen multiple active exploits and reports of malicious actors deploying ransomware. We have upgraded CVE-2023-22518 from CVSS 9.1 to 10, the highest critical rating, because the scope of the attack has changed.” Among the findings were malicious plug-ins such as web.shell.Plugin as well as encrypted or destroyed files.

The vulnerability allows attackers to reset Confluence and create administrator access for a Confluence instance without prior login. The instance can therefore be completely compromised. Publicly accessible Confluence Data Center and Server instances face this critical threat, and IT managers should take immediate action to address it. In addition to the updated software packages, Atlassian also provides guidance on temporary countermeasures that administrators should apply if a software update is currently not possible. Atlassian lists these, among other things, in an FAQ on the vulnerability. It also lists indicators of a successful attack (Indicators of Compromise, IoCs).

The IT security researchers at Rapid7 also report attacks on the vulnerability. Among other things, they name IP addresses of attacking systems as well as processes and scripts started on infected machines. They also explain that the ransomware installed on abused Confluence servers was Cerber. The malware has been active since around 2016; at that time, one variant read out the ransom note via voice output on infected Windows systems.


(dmk)
