Attackers are exploiting a recently patched and critical severity Atlassian Confluence authentication bypass flaw to encrypt victims’ files using Cerber ransomware.
Described by Atlassian as an improper authorization vulnerability and tracked as CVE-2023-22518, this bug received a 9.1/10 severity rating, and it affects all versions of Confluence Data Center and Confluence Server software.
Atlassian released security updates last Tuesday, warning admins to patch all vulnerable instances immediately since the flaw could also be exploited to wipe data.
“As part of our continuous security assessment processes, we have discovered that Confluence Data Center and Server customers are vulnerable to significant data loss if exploited by an unauthenticated attacker,” said Bala Sathiamurthy, Atlassian’s Chief Information Security Officer (CISO).
“There are no reports of active exploitation at this time; however, customers must take immediate action to protect their instances.”
The company issued a second warning days later, alerting customers that a proof-of-concept exploit was already available online, although it had no evidence of ongoing exploitation.
Those who can’t patch their systems were urged to apply mitigation measures, including backing up unpatched instances and blocking Internet access to unpatched servers until they’re secured.
There’s also the option to remove known attack vectors by modifying the /<confluence-install-dir>/confluence/WEB-INF/web.xml as explained in the advisory and restarting the vulnerable instances.
According to data from threat monitoring service ShadowServer, there are currently more than 24,000 Confluence instances exposed online, although there’s no way to tell how many are vulnerable to CVE-2023-22518 attacks.
Exploited in ransomware attacks
Atlassian updated its advisory on Friday to caution that threat actors were already targeting the flaw in attacks following the PoC exploit’s release.
“We received a customer report of an active exploit. Customers must take immediate action to protect their instances. If you already applied the patch, no further action is required,” the company said.
Over the weekend, threat intelligence company GreyNoise warned of widespread exploitation of CVE-2023-22518 starting on Sunday, November 5.
Cybersecurity company Rapid7 also observed attacks against Internet-exposed Atlassian Confluence servers with exploits targeting the CVE-2023-22518 auth bypass and an older critical privilege escalation (CVE-2023-22515) previously exploited as a zero-day.
“As of November 5, 2023, Rapid7 Managed Detection and Response (MDR) is observing exploitation of Atlassian Confluence in multiple customer environments, including for ransomware deployment,” the company said.
“In multiple attack chains, Rapid7 observed post-exploitation command execution to download a malicious payload hosted at 193.43.72[.]11 and/or 193.176.179[.]41, which, if successful, led to single-system Cerber ransomware deployment on the exploited Confluence server.”
CISA, the FBI, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) issued a joint advisory last month, urging network administrators to immediately secure Atlassian Confluence servers against the actively exploited CVE-2023-22515 privilege escalation bug, which has been under active exploitation since at least September 14, according to a Microsoft report.
Cerber ransomware (aka CerberImposter) was also deployed in attacks targeting Atlassian Confluence servers two years ago using a remote code execution vulnerability (CVE-2021-26084), a bug previously exploited to install crypto-miners.
Source: www.bleepingcomputer.com