View all newsletters
Receive our newsletter – data, insights and analysis delivered to you

Attacks exploiting the Atlassian Confluence vulnerability are ramping up

Cybercriminals are taking advantage of a flaw in the popular collaboration software.

By Claudia Glover

A steep rise in attacks exploiting a vulnerability in Atlassian’s Confluence software has been spotted in recent days. Powerful botnet Dark IoT is among those taking advantage of the flaw in Confluence, which businesses use to collaborate and share data within their teams. Analysts say the volume of attacks is reminiscent of the traffic seen around the Log4J vulnerability which caused chaos for IT departments last year.

Atlassian Confluence vulnerability should be treated with extreme prejudice. (Photo Illustration by Rafael Henrique/SOPA Images/LightRocket via Getty Images)

Atlassian published a security advisory last week for the vulnerability, now classified as CVE-2022-6134, stating that it allows an unauthenticated user to execute a remote code attack on its Confluence Server or Data Centre products. According to the most recent update from Atlassian, 31 versions of its products have been affected but only five have been fixed.

Why is the Atlassian Confluence flaw dangerous?

Atlassian’s Confluence enables teams to collaborate in a secure environment. The company has more than 200,000 customers globally and millions of users. This means a breach can be highly problematic. “Taking over an account in such a collaborative platform means an ability to take over data that is not meant for unauthorised view,” says a blog from security vendor Check Point Research.

The US Cybersecurity Information Security Agency (CISA) has released its own Atlassian advisory, urgently requesting that companies update their Confluence software and servers. In the same advisory, CISA announced that it has ordered federal agencies to block all traffic to Confluence servers on their networks.

Atlassian suffered a similar problem in September when a flaw in Confluence led to an urgent warning for IT teams to patch their systems ahead of the Labor Day holiday weekend in the US.

Who is exploiting the Atlassian Confluence vulnerability?

Many cybercriminals are already trying to exploit the vulnerability to deploy malware and botnets. Cybersecurity company GreyNoise Intelligence says that, since Atlassian released its security advisory on June 3, 1,298 IP addresses have attempted to exploit it.

This growth in attempted attacks "makes this vulnerability in line with Apache Log4J exploitation traffic," GreyNoise analysts argue. That vulnerability in a commonly used open source java library led to thousands of organisations around the world being attacked when it was discovered last year.

Content from our partners
Webinar - Top 3 Ways to Build Security into DevOps
Tech sector is making progress on diversity, but advances must accelerate
How to bolster finance functions and leverage tech to future-proof operational capabilities

Cybersecurity company Lacework Labs reports that malware families such as Kinsing, Hezb and the Dark.IoT botnet have all attempted to exploit the Confluence vulnerability. Operators of the Dark IoT botnet have used bugs like that found in Confluence to gain full control of unpatched routers in the past. "This botnet has constantly weaponised recently disclosed vulnerabilities to hijack devices as soon as details about security flaws are published online," said Fortinet researcher Joie Savio in December.

How to fix the Atlassian Confluence vulnerability

Atlassian has released patched versions of Confluence Server and Data Centre. Until a patched version of Confluence can be installed, several temporary mitigations can be applied. GreyNoise recommends updating specific versions of the product. "For organisations unable to upgrade Confluence immediately, then as a temporary workaround, you can mitigate the CVE-2022-26134 issue by updating a specific set of .jar files identified in Confluence's security advisory."

GreyNoise has also identified a list of IP addresses attempting to exploit the Confluence vulnerability, which can be blocked while IT teams apply the patch and update their systems.

Read more: Inside TrickBot - how to run a cybercrime empire

Topics in this article: ,
Websites in our network
NEWSLETTER Sign up Tick the boxes of the newsletters you would like to receive. Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
I consent to New Statesman Media Group collecting my details provided via this form in accordance with the Privacy Policy
SUBSCRIBED

THANK YOU