Atlassian Confluence RCE Flaw Abused in Multiple Cyberattack Campaigns

Opportunistic threat actors have been found actively exploiting a recently disclosed critical security flaw in Atlassian Confluence deployments across Windows and Linux to deploy web shells that result in the execution of crypto miners on compromised systems.

Tracked as CVE-2021-26084 (CVSS score: 9.8), the vulnerability concerns an OGNL (Object-Graph Navigation Language) injection flaw that could be exploited to achieve arbitrary code execution on a Confluence Server or Data Center instance.

“A remote attacker can exploit this vulnerability by sending a crafted HTTP request containing a malicious parameter to a vulnerable server,” researchers from Trend Micro noted in a technical write-up detailing the weakness. “Successful exploitation can result in arbitrary code execution in the security context of the affected server.”

The vulnerability, which resides in the Webwork module of Atlassian Confluence Server and Data Center, stems from insufficient validation of user-supplied input, causing the parser to evaluate rogue commands injected within the OGNL expressions.
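As an added illustration of what a defender can look for (this is example code written for this page, not code from the article, from Trend Micro or Imperva, or from Atlassian), the script below scans web-server access-log lines for OGNL expression syntax inside request parameters. The log lines, request paths, parameter names and client addresses are constructed for the example; the article does not name the affected endpoints or parameters, and the indicator regexes are generic OGNL syntax heuristics assumed here, not a signature for this CVE.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Apache/Nginx "combined" log format. The request paths,
# parameter names, client addresses and the OGNL-looking value are all made up for this
# example; they are not the affected Confluence endpoints or a real exploit payload.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Sep/2021:10:14:01 +0000] "GET /pages/viewpage.action?pageId=123 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.9 - - [02/Sep/2021:10:14:07 +0000] "POST /pages/example-form.action?queryString=%5Cu0027%2B%7B%23foo%3D%27bar%27%7D%2B%5Cu0027 HTTP/1.1" 302 0 "-" "python-requests/2.25"
10.0.0.7 - - [02/Sep/2021:10:15:30 +0000] "GET /search.action?queryString=%23hashtag HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""

LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Heuristics for OGNL expression syntax inside a decoded parameter value. These are
# generic indicators (assumed here, not taken from the article): an OGNL `#var = ...`
# assignment, an `@pkg.Class@member` static reference, a `{ ... # ... }` expression
# block, and the `\u0027` / `\u0022` unicode escapes used to smuggle a quote character
# past naive input filters.
OGNL_INDICATORS = [
    ("unicode-escaped quote", re.compile(r"\\u00(22|27)", re.IGNORECASE)),
    ("ognl variable assignment", re.compile(r"#\w+\s*=")),
    ("ognl static reference", re.compile(r"@[\w.]+@\w+")),
    ("ognl expression block", re.compile(r"\{[^}]*#")),
]


def ognl_indicators(value: str) -> list[str]:
    """Return the names of every indicator that fires on one decoded parameter value."""
    return [name for name, pattern in OGNL_INDICATORS if pattern.search(value)]


def scan_log(text: str) -> list[dict]:
    """Parse combined-format log lines and flag requests whose query-string parameters
    contain OGNL-looking syntax. Only the query string is visible in an access log;
    POST bodies need a WAF or reverse-proxy request log to be inspected the same way."""
    findings = []
    for raw in text.splitlines():
        m = LOG_LINE.match(raw)
        if not m:
            continue  # not a well-formed combined log line; skip rather than crash
        parts = urlsplit(m.group("target"))
        # parse_qsl percent-decodes the values, so the indicators run on what the
        # application itself would have seen rather than on the encoded form.
        for param, value in parse_qsl(parts.query, keep_blank_values=True):
            reasons = ognl_indicators(value)
            if reasons:
                findings.append({
                    "client": m.group("client"),
                    "timestamp": m.group("ts"),
                    "method": m.group("method"),
                    "path": parts.path,
                    "param": param,
                    "value": value,
                    "reasons": reasons,
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['timestamp']} {f['client']} {f['method']} {f['path']} "
              f"param={f['param']!r} reasons={', '.join(f['reasons'])}")
```

Running it flags only the second line: the `#hashtag` search on the third line contains a `#` but no assignment or expression block, which is the kind of benign value that a plain `#` match would mis-flag. Because the article's point is that the parser evaluates injected OGNL, the useful place to run such a check is on decoded parameter values at the reverse proxy or WAF, where request bodies are also visible.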

The in-the-wild attacks come after the U.S. Cyber Command warned of mass exploitation attempts following the vulnerability’s public disclosure in late August this year.

In one such attack observed by Trend Micro, z0Miner, a trojan and cryptojacker, was found updated to leverage the remote code execution (RCE) flaw to distribute next-stage payloads that act as a channel to maintain persistence and deploy cryptocurrency mining software on the machines. Imperva, in an independent analysis, corroborated the findings, uncovering similar intrusion attempts that were aimed at running the XMRig cryptocurrency miner and other post-exploitation scripts.

Also detected by Imperva, Juniper, and Lacework is exploitation activity conducted by Muhstik, a China-linked botnet known for its wormlike self-propagating capability to infect Linux servers and IoT devices since at least 2018.

Additionally, Palo Alto Networks’ Unit 42 threat intelligence team said it identified and prevented attacks that were orchestrated to upload the customer’s password files as well as download malware-laced scripts that downloaded a miner, and even open an interactive reverse shell on the machine.

“As is often the case with RCE vulnerabilities, attackers will rush and exploit affected systems for their own gain,” Imperva researchers said. “RCE vulnerabilities can easily allow threat actors to exploit affected systems for easy monetary gain by installing crypto currency miners and masking their activity, thus abusing the processing resources of the target.”
