November 7, 2023

Critical Atlassian Confluence flaw being targeted with Cerber ransomware

Tech teams should take emergency action to patch the vulnerability, which is being exploited by hackers.

By Matthew Gooding

A critical flaw in Atlassian’s Confluence online workspace platform is being exploited by hackers deploying Cerber ransomware, security researchers have warned.

Atlassian Confluence is under attack, with hackers using a new and critical flaw in the software. (Photo by monticello/Shutterstock)

Atlassian yesterday admitted the flaw, CVE-2023-22518, is being used in attacks, upgrading its CVSS rating, a ranking for the severity of cybersecurity problems, to the highest possible score of 10.

Atlassian Confluence under attack

Security company Rapid7 says its team has “observed exploitation of Atlassian Confluence in multiple customer environments, including for ransomware deployment”. These attacks are targeting CVE-2023-22518, which was disclosed by Atlassian on 31 October, as well as a previously highlighted vulnerability, CVE-2023-22515, which was uncovered at the start of October.

Data from the Greynoise platform, which tracks IP addresses exploiting known vulnerabilities, shows that attempts to exploit the CVE-2023-22518 problem have come from servers in the US, Russia, Hong Kong and France.

CVE-2023-22518 is an improper authorisation flaw affecting Confluence Data Center and Confluence Server products. It gives attackers administrator privileges for vulnerable internet-facing Atlassian Confluence servers, allowing them to access these servers and fetch a malicious payload hosted elsewhere. This can then be used to launch the ransomware on the compromised system.

Rapid7 says it has noted attacks escalating since Sunday 5 November, with infected systems being hit by Cerber ransomware. One of the most common ransomware strains, Cerber is offered by its developers on a ransomware-as-a-service model, meaning cybercriminals from other gangs can buy and deploy it.

In its update yesterday, Atlassian said it had changed the vulnerability’s CVSS score having spotted a “change in the scope of the attack”. The company’s security team said: “We observed several active exploits and reports of threat actors using ransomware.”


How to patch the Atlassian Confluence flaw

Atlassian provides a suite of productivity tools, including Confluence, which are widely used across large businesses. As of last year, it had over 242,000 customers with ten million monthly active users. Because of this, flaws in its software can be a gateway for lucrative supply chain attacks on user systems, and it has become a popular target for hackers. Last year a string of critical vulnerabilities in its products caused issues for the vendor’s clients.

This current problem affects all versions of Confluence Data Center and Confluence Server, but Atlassian Cloud users are not affected by this vulnerability. “If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue,” Rapid7 researchers Daniel Lydon and Conor Quinn said in a blog post.

Patches have been released by Atlassian and can be downloaded from its website. Rapid7’s Lydon and Quinn added: “Customers should update to a fixed version of Confluence on an emergency basis, restricting external access to the application at least until they are able to remediate. If you are unable to restrict access to the application or update on an emergency basis, Atlassian’s advisory includes interim measures you can take to mitigate risk from known attack vectors.”
