A critical security flaw in Atlassian Confluence is now being majorly exploited
Hackers are using vulnerability to deploy ransomware
The abuse of a critical vulnerability recently discovered in Atlassian’s Confluence product is now “widespread”, according to multiple security researchers.
The vulnerability is tracked as CVE-2023-22518, an authentication bypass flaw affecting all versions of Confluence Data Center and Confluence Server. It carries a severity score of 9.1, and was initially thought to allow hackers to destroy sensitive data, but not steal it.
A week after Atlassian sounded the alarm, Glenn Thorpe, senior director of security research and detection engineering at security firm GreyNoise, said that he’d observed hackers going after Ukrainian targets. This past Sunday, three different IP addresses were executing malicious commands on target endpoints. The attacks, he added, have since stopped.
C3RB3R and others
The DFIR Report, on the other hand, warned that a group under the name C3RB3R was using the flaw to somehow deliver ransomware to the targets. In other cases, hackers were using the vulnerability for lateral movement.
“As of November 5, 2023, Rapid7 Managed Detection and Response (MDR) is observing exploitation of Atlassian Confluence in multiple customer environments, including for ransomware deployment,” the company said. “We have confirmed that at least some of the exploits are targeting CVE-2023-22518, an improper authorization vulnerability affecting Confluence Data Center and Confluence Server.”
“In multiple attack chains, Rapid7 observed post-exploitation command execution to download a malicious payload hosted at 193.43.72[.]11 and/or 193.176.179[.]41, which, if successful, led to single-system Cerber ransomware deployment on the exploited Confluence server.”
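The two payload-hosting addresses quoted above are published in defanged form. The following is an added example (not code from TechRadar, Rapid7 or Atlassian) showing how a defender can refang those indicators and match them against outbound-connection logs from a Confluence host; the log line format and the sample lines are constructed for illustration, and matching is done on the whole destination address so that a longer address sharing the same prefix is not flagged by mistake.

```python
"""Refang defanged IoCs and match them against outbound-connection log lines.

Added example, not the article's, Rapid7's or Atlassian's own code. The two
indicators are the ones quoted in the article; the log format and log lines
below are constructed for illustration (an assumption of this example).
"""
from __future__ import annotations

import re
from typing import Iterable

# Indicators exactly as quoted in the article, still defanged.
DEFANGED_IOCS = ["193.43.72[.]11", "193.176.179[.]41"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("1.2[.]3.4", "hxxp://") back into its real form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


# Assumed (constructed) log format: "<timestamp> <src_host> -> <dst_ip>:<port> <proto>"
_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+(?P<proto>\S+)$"
)


def find_ioc_hits(lines: Iterable[str], iocs: Iterable[str] = DEFANGED_IOCS) -> list[dict]:
    """Return one record per log line whose destination is exactly a watched IP."""
    watch = {refang(i) for i in iocs}
    hits: list[dict] = []
    for line in lines:
        m = _LINE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than guess
        # Exact set membership: "193.43.72.111" must NOT match "193.43.72.11".
        if m.group("dst") in watch:
            hits.append({
                "ts": m.group("ts"),
                "src": m.group("src"),
                "dst": m.group("dst"),
                "port": int(m.group("port")),
            })
    return hits


# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    "2023-11-05T10:01:02Z confluence01 -> 193.43.72.11:80 tcp",
    "2023-11-05T10:01:05Z confluence01 -> 193.43.72.111:443 tcp",  # prefix trap, no hit
    "2023-11-05T10:02:00Z confluence01 -> 10.0.0.5:5432 tcp",
    "this line does not follow the format",
    "2023-11-05T10:03:00Z confluence02 -> 193.176.179.41:8080 tcp",
]


if __name__ == "__main__":
    for hit in find_ioc_hits(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} contacted watched IP {hit['dst']}:{hit['port']}")
```

A hit here means the Confluence server reached out to one of the published payload hosts, which is the post-exploitation download step the article describes; it is the point at which the instance should be treated as compromised rather than merely unpatched.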
Atlassian addressed the vulnerability and patched Confluence Data Center and Server versions 7.19.16, 8.3.4, 8.4.4, 8.5.3, and 8.6.1.
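To turn the list of fixed versions above into a quick audit, here is an added example (not Atlassian's own tooling) that compares an installed Confluence version against the fixed release of its minor branch. The version strings are the ones the article lists; the assumptions are that each listed release is the floor for its branch, that versions are compared numerically rather than as strings (so 8.3.10 is newer than 8.3.4), and that a branch with no listed fix is reported as unconfirmed rather than fixed, since the article says all versions are affected.

```python
"""Audit a Confluence Data Center / Server version against the article's fixed versions.

Added example, not Atlassian's code. Fixed versions are taken from the article;
treating each as the floor of its minor branch, and treating unlisted branches
as unconfirmed, are assumptions of this example.
"""
from __future__ import annotations

FIXED_VERSIONS = ["7.19.16", "8.3.4", "8.4.4", "8.5.3", "8.6.1"]


def parse_version(version: str) -> tuple[int, ...]:
    """Parse "8.5.3" into (8, 5, 3); numeric tuples compare correctly (8.3.10 > 8.3.4)."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in parts)


# Map each minor branch, e.g. (8, 5), to its fixed release tuple.
_FIXED_BY_BRANCH = {parse_version(v)[:2]: parse_version(v) for v in FIXED_VERSIONS}
_LATEST_FIXED = max(_FIXED_BY_BRANCH.values())


def _fmt(v: tuple[int, ...]) -> str:
    return ".".join(str(p) for p in v)


def assess(version: str) -> dict:
    """Classify an installed version as fixed, vulnerable, or unknown-branch."""
    installed = parse_version(version)
    fixed = _FIXED_BY_BRANCH.get(installed[:2])
    if fixed is None:
        # Branch not in the article's list: cannot confirm a fix, point at the newest listed release.
        return {"version": version, "status": "unknown-branch", "upgrade_to": _fmt(_LATEST_FIXED)}
    if installed >= fixed:
        return {"version": version, "status": "fixed", "upgrade_to": None}
    return {"version": version, "status": "vulnerable", "upgrade_to": _fmt(fixed)}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, ver in [("wiki-a", "8.5.2"), ("wiki-b", "7.19.16"), ("wiki-c", "8.3.10"), ("wiki-d", "8.7.0")]:
        result = assess(ver)
        print(f"{host}: {ver} -> {result['status']}" + (f", upgrade to {result['upgrade_to']}" if result["upgrade_to"] else ""))
```

Any host reported as vulnerable or unknown-branch should get the network restriction and backup measures the article goes on to describe until it is upgraded.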
Users are advised to apply the fix immediately. If, for any reason, they can’t do that, they should deploy mitigation measures, including backing up unpatched instances and blocking Internet access until they’re upgraded.
“Instances accessible to the public internet, including those with user authentication, should be restricted from external network access until you can patch,” the company said.
Via Ars Technica
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.