Spare a thought for admins running Atlassian Confluence Server or Data Center on the weekend after a cyber security company discovered bad actors actively exploiting a previously undiscovered vulnerability in those Atlassian products.
On Friday morning, Steven Adair, President of security firm Volexity, tweeted about the vulnerability, saying it was “10/10 on the badness scale”.
“Get your servers off the internet now,” he warned. “We have seen active exploitation.”
Volexity found the security flaw while sifting through the aftermath of a compromised web server from one of its clients, according to a blog post.
Researchers backtracked through the breach and were able to reverse-engineer an exploit that worked on up-to-date versions of Confluence Server.
The Volexity team then informed Atlassian about the issue before going public, and a patch was soon released.
Cloud sites were not affected.
The vulnerability allows attackers to perform an OGNL (Object-Graph Navigation Language) injection, which can give bad actors the ability to execute arbitrary code.
In the case of Volexity’s compromised client, this involved dropping subsequent webshells onto the Confluence servers and dumping server-side data.
We just posted about an unauthenticated RCE that works on all current versions of Atlassian Confluence. There is no patch or workaround available at this time. This is 10/10 on the badness scale. Get your servers off the internet now! We have seen active exploitation. #dfir https://t.co/kZ3LHyjoQ2
— Steven Adair (@stevenadair) June 2, 2022
Shortly after the vulnerability was made public, proof-of-concept exploits were being shared online, which led to a surge in the number of sites hosting exploit kits and automatically probing servers that hadn’t yet been taken offline.
Andrew Morris, founder and CEO of internet analysis company GreyNoise, kept track of the mass exploitation, noting that, over a 24-hour period, the number of unique IPs actively performing automated OGNL injections against Confluence servers went from just 23 to 400.
That jump shows how quickly news of a new way to gain a foothold in corporate systems can spread, making it hard for defenders to be adequately prepared.
Gavin Wilson, regional director of cyber security firm Forescout Technologies, said the Confluence vulnerability showed the importance of applying the latest patches quickly.
“Threat groups and individual actors are closely tracking vulnerability disclosures, and actively look to exploit them before patches are completed,” he said.
“The speed of attack, as well as the impact of targeted campaigns, makes staying ahead of vulnerabilities a huge challenge for all organisations.”
According to not-for-profit security organisation Shadowserver, around 4,000 Confluence servers were active and vulnerable as of Monday morning.
Most (1,900) of those were on US IP addresses, with fewer than 100 in Australia.
The Australian Cyber Security Centre said it is “not aware of successful exploitation” of the Confluence Server vulnerability locally.