A steep rise in attacks exploiting a vulnerability in Atlassian’s Confluence software has been spotted in recent days. Powerful botnet Dark IoT is among those taking advantage of the flaw in Confluence, which businesses use to collaborate and share data within their teams. Analysts say the volume of attacks is reminiscent of the traffic seen around the Log4J vulnerability which caused chaos for IT departments last year.
Atlassian published a security advisory last week for the vulnerability, now classified as CVE-2022-6134, stating that it allows an unauthenticated user to execute a remote code attack on its Confluence Server or Data Centre products. According to the most recent update from Atlassian, 31 versions of its products have been affected but only five have been fixed.
Why is the Atlassian Confluence flaw dangerous?
Atlassian’s Confluence enables teams to collaborate in a secure environment. The company has more than 200,000 customers globally and millions of users. This means a breach can be highly problematic. “Taking over an account in such a collaborative platform means an ability to take over data that is not meant for unauthorised view,” says a blog from security vendor Check Point Research.
The US Cybersecurity Information Security Agency (CISA) has released its own Atlassian advisory, urgently requesting that companies update their Confluence software and servers. In the same advisory, CISA announced that it has ordered federal agencies to block all traffic to Confluence servers on their networks.
Atlassian suffered a similar problem in September when a flaw in Confluence led to an urgent warning for IT teams to patch their systems ahead of the Labor Day holiday weekend in the US.
Who is exploiting the Atlassian Confluence vulnerability?
Many cybercriminals are already trying to exploit the vulnerability to deploy malware and botnets. Cybersecurity company GreyNoise Intelligence says that, since Atlassian released its security advisory on June 3, 1,298 IP addresses have attempted to exploit it.
This growth in attempted attacks "makes this vulnerability in line with Apache Log4J exploitation traffic," GreyNoise analysts argue. That vulnerability in a commonly used open source java library led to thousands of organisations around the world being attacked when it was discovered last year.
Cybersecurity company Lacework Labs reports that malware families such as Kinsing, Hezb and the Dark.IoT botnet have all attempted to exploit the Confluence vulnerability. Operators of the Dark IoT botnet have used bugs like that found in Confluence to gain full control of unpatched routers in the past. "This botnet has constantly weaponised recently disclosed vulnerabilities to hijack devices as soon as details about security flaws are published online," said Fortinet researcher Joie Savio in December.
How to fix the Atlassian Confluence vulnerability
Atlassian has released patched versions of Confluence Server and Data Centre. Until a patched version of Confluence can be installed, several temporary mitigations can be applied. GreyNoise recommends updating specific versions of the product. "For organisations unable to upgrade Confluence immediately, then as a temporary workaround, you can mitigate the CVE-2022-26134 issue by updating a specific set of .jar files identified in Confluence's security advisory."
GreyNoise has also identified a list of IP addresses attempting to exploit the Confluence vulnerability, which can be blocked while IT teams apply the patch and update their systems.