A critical flaw in Atlassian’s Confluence online workspace platform is being exploited by hackers deploying Cerber ransomware, security researchers have warned.
Atlassian yesterday admitted the flaw, CVE-2023-22518, is being used in attacks, and raised its CVSS rating, a score for the severity of cybersecurity problems, to the highest possible value of 10.
Atlassian Confluence under attack
Security company Rapid7 says its team has “observed exploitation of Atlassian Confluence in multiple customer environments, including for ransomware deployment”. These attacks are targeting CVE-2023-22518, which was disclosed by Atlassian on 31 October, as well as a previously highlighted vulnerability, CVE-2023-22515, which was uncovered at the start of October.
Data from the Greynoise platform, which tracks IP addresses exploiting known vulnerabilities, shows that attempts to exploit the CVE-2023-22518 problem have come from servers in the US, Russia, Hong Kong and France.
CVE-2023-22518 is an improper authorisation flaw affecting Confluence Data Center and Confluence Server products. It gives attackers administrator privileges for vulnerable internet-facing Atlassian Confluence servers, allowing them to access these servers and fetch a malicious payload hosted elsewhere. This can then be used to launch the ransomware on the compromised system.
Rapid7 says it has noted attacks escalating since Sunday 5 November, with compromised systems being hit by Cerber ransomware. One of the most common ransomware strains, Cerber is offered by its developers on a ransomware-as-a-service model, meaning cybercriminals from other gangs can buy and deploy it.
In its update yesterday, Atlassian said it had changed the vulnerability’s CVSS score having spotted a “change in the scope of the attack”. The company’s security team said: “We observed several active exploits and reports of threat actors using ransomware.”
How to patch the Atlassian Confluence flaw
Atlassian provides a suite of productivity tools, including Confluence, which are widely used across large businesses. As of last year, it had over 242,000 customers with ten million monthly active users. Because of this, flaws in its software can be a gateway to launch lucrative supply chain attacks into user systems, and it has become a popular target for hackers. Last year a string of critical vulnerabilities in its products caused issues for the vendor’s clients.
This current problem affects all versions of Confluence Data Center and Confluence Server, but Atlassian Cloud users are not affected by this vulnerability. “If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue,” Rapid7 researchers Daniel Lydon and Conor Quinn said in a blog post.
Patches have been released by Atlassian and can be downloaded from its website. Rapid7’s Lydon and Quinn added: “Customers should update to a fixed version of Confluence on an emergency basis, restricting external access to the application at least until they are able to remediate. If you are unable to restrict access to the application or update on an emergency basis, Atlassian’s advisory includes interim measures you can take to mitigate risk from known attack vectors.”