US Cybercom says mass exploitation of Atlassian Confluence vulnerability ‘ongoing and expected to accelerate’
US Cybercom has sent out a public notice warning IT teams that CVE-2021-26084 — related to Atlassian Confluence — is actively being exploited.
“Mass exploitation of Atlassian Confluence CVE-2021-26084 is ongoing and expected to accelerate. Please patch immediately if you haven’t already— this cannot wait until after the weekend,” US Cybercom sent out in a tweet on Friday ahead of the Labor Day weekend holiday.
Atlassian released an advisory about the vulnerability on August 25, explaining that the “critical severity security vulnerability” was found in Confluence Server and Data Center versions before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.
“An OGNL injection vulnerability exists that would allow an authenticated user, and in some instances unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance. All versions of Confluence Server and Data Center prior to the fixed versions listed above are affected by this vulnerability,” the company said in its advisory.
They urged IT teams to upgrade to the latest Long Term Support release and said if that is not possible, there is a temporary workaround.
The vulnerability only affects on-premise servers, not those hosted in the cloud.
Multiple researchers have illustrated how the vulnerability can be exploited and released proof-of-concepts showing how it works.
Bad Packets said they “detected mass scanning and exploit activity from hosts in Brazil, China, Hong Kong, Nepal, Romania, Russia and the US targeting Atlassian Confluence servers vulnerable to remote code execution.”
Censys explained in a blog post that over the last few days, their team has “seen a small shift in the number of vulnerable servers still running on the public internet.”
“On August 31st, Censys identified 13,596 vulnerable Confluence instances, while on September 02, that number has decreased to 11,689 vulnerable instances,” Censys said.
The company explained that Confluence is a “widely deployed Wiki service used primarily in collaborative corporate environments” and that in recent years it “has become the defacto standard for enterprise documentation over the last decade.”
“While the majority of users run the managed service, many companies opt to deploy the software on-prem. On August 25th, a vulnerability in Atlassian’s Confluence software was made public. A security researcher named SnowyOwl (Benny Jacob) found that an unauthenticated user could run arbitrary code by targeting HTML fields interpreted and rendered by the Object-Graph Navigation Language (OGNL),” the blog said.
“Yes, that is the same class of vulnerability used in the Equifax breach back in 2017. Just days before this vulnerability was made public, our historical data showed that the internet had over 14,637 exposed and vulnerable Confluence servers. Compare that to the current day, September 1st, where Censys identified 14,701 services that self-identified as a Confluence server, and of those, 13,596 ports and 12,876 individual IPv4 hosts are running an exploitable version of the software.”
“There is no way to put this lightly: this is bad. Initially, Atlassian stated this was only exploitable if a user had a valid account on the system; this was found to be incorrect and the advisory was updated today to reflect the new information. It’s only a matter of time before we start seeing active exploitation in the wild as there have already been working exploits found scattered about,” Censys added.
Yaniv Bar-Dayan, CEO of Vulcan Cyber, told ZDNet that security teams need to fight fire with fire as they work to prioritize and remediate this Confluence flaw.
Attackers shouldn’t be the first to automate scans for this exploit and hopefully IT security teams are ahead of their adversaries in proactively identifying the presence of this vulnerability and are taking steps to mitigate, Bar-Dayan said.
“Given the nature of Atlassian Confluence, there is a very real chance components of the platform are Internet exposed,” Bar-Dayan added.
“This means that attackers won’t need internal network access to exploit the RCE vulnerability. A patch is available and administrators should deploy it with extra haste while also considering other mitigating actions such as ensuring no public access is available to the Confluence Server and services.”
BleepingComputer confirmed on Thursday that some threat actors are installing cryptominers on both Windows and Linux Confluence servers using the vulnerability.