Attackers are exploiting a not too long ago patched and demanding severity Atlassian Confluence authentication bypass flaw to encrypt victims’ recordsdata utilizing Cerber ransomware.
Described by Atlassian as an improper authorization vulnerability and tracked as CVE-2023-22518, this bug obtained a 9.1/10 severity score, and it impacts all variations of Confluence Information Heart and Confluence Server software program.
Atlassian launched safety updates final Tuesday, warning admins to patch all weak cases instantly for the reason that flaw is also exploited to wipe knowledge.
“As a part of our steady safety evaluation processes, we’ve found that Confluence Information Heart and Server prospects are weak to vital knowledge loss if exploited by an unauthenticated attacker,” stated Bala Sathiamurthy, Atlassian’s Chief Data Safety Officer (CISO).
“There aren’t any experiences of lively exploitation at the moment; nevertheless, prospects should take fast motion to guard their cases.”
The corporate issued a second warning days later, alerting prospects {that a} proof-of-concept exploit was already out there on-line, though it had no proof of ongoing exploitation.
Those that cannot patch their techniques have been urged to use mitigation measures, together with backing up unpatched cases and blocking Web entry to unpatched servers till they’re secured.
There’s additionally the choice to take away recognized assault vectors by modifying the /<confluence-install-dir>/confluence/WEB-INF/net.xml as defined within the advisory and restarting the weak cases.
Based on knowledge from menace monitoring service ShadowServer, there are at present greater than 24,000 Confluence cases uncovered on-line, though there is not any solution to inform what number of are weak to CVE-2023-22518 assaults.
Exploited in ransomware assaults
Atlassian up to date their advisory on Friday to warning that menace actors have been already focusing on the flaw in assaults after the PoC exploit’s launch.
“We obtained a buyer report of an lively exploit. Clients should take fast motion to guard their cases. In the event you already utilized the patch, no additional motion is required,” the corporate stated.
Over the weekend, menace intelligence firm GreyNoise warned of CVE-2023-22518 widespread exploitation beginning on Sunday, November 5.
Cybersecurity firm Rapid7 additionally noticed assaults in opposition to Web-exposed Atlassian Confluence servers with exploits focusing on the CVE-2023-22518 auth bypass and an older important privilege escalation (CVE-2023-22515) beforehand exploited as a zero-day.
“As of November 5, 2023, Rapid7 Managed Detection and Response (MDR) is observing exploitation of Atlassian Confluence in a number of buyer environments, together with for ransomware deployment,” the corporate stated.
“In a number of assault chains, Rapid7 noticed post-exploitation command execution to obtain a malicious payload hosted at 193.43.72[.]11 and/or 193.176.179[.]41, which, if profitable, led to single-system Cerber ransomware deployment on the exploited Confluence server.”
CISA, the FBI, and the Multi-State Data Sharing and Evaluation Heart (MS-ISAC) issued a joint advisory final month, urging community directors to instantly safe Atlassian Confluence servers in opposition to the actively exploited CVE-2023-22515 privilege escalation bug, which has been below lively exploitation since at the very least September 14, in keeping with a Microsoft report.
Cerber ransomware (aka CerberImposter) was additionally deployed in assaults focusing on Atlassian Confluence servers two years in the past utilizing a distant code execution vulnerability (CVE-2021-26084), a bug beforehand exploited to set up crypto-miners.
