View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
June 9, 2022updated 05 Aug 2022 8:00am

Attacks exploiting the Atlassian Confluence vulnerability are ramping up

Cybercriminals are taking advantage of a flaw in the popular collaboration software.

By Claudia Glover

A steep rise in attacks exploiting a vulnerability in Atlassian’s Confluence software has been spotted in recent days. Powerful botnet Dark IoT is among those taking advantage of the flaw in Confluence, which businesses use to collaborate and share data within their teams. Analysts say the volume of attacks is reminiscent of the traffic seen around the Log4J vulnerability which caused chaos for IT departments last year.

Atlassian Confluence vulnerability should be treated with extreme prejudice. (Photo Illustration by Rafael Henrique/SOPA Images/LightRocket via Getty Images)

Atlassian published a security advisory last week for the vulnerability, now classified as CVE-2022-6134, stating that it allows an unauthenticated user to execute a remote code attack on its Confluence Server or Data Centre products. According to the most recent update from Atlassian, 31 versions of its products have been affected but only five have been fixed.

Why is the Atlassian Confluence flaw dangerous?

Atlassian’s Confluence enables teams to collaborate in a secure environment. The company has more than 200,000 customers globally and millions of users. This means a breach can be highly problematic. “Taking over an account in such a collaborative platform means an ability to take over data that is not meant for unauthorised view,” says a blog from security vendor Check Point Research.

The US Cybersecurity Information Security Agency (CISA) has released its own Atlassian advisory, urgently requesting that companies update their Confluence software and servers. In the same advisory, CISA announced that it has ordered federal agencies to block all traffic to Confluence servers on their networks.

Atlassian suffered a similar problem in September when a flaw in Confluence led to an urgent warning for IT teams to patch their systems ahead of the Labor Day holiday weekend in the US.

Who is exploiting the Atlassian Confluence vulnerability?

Many cybercriminals are already trying to exploit the vulnerability to deploy malware and botnets. Cybersecurity company GreyNoise Intelligence says that, since Atlassian released its security advisory on June 3, 1,298 IP addresses have attempted to exploit it.

This growth in attempted attacks "makes this vulnerability in line with Apache Log4J exploitation traffic," GreyNoise analysts argue. That vulnerability in a commonly used open source java library led to thousands of organisations around the world being attacked when it was discovered last year.

Cybersecurity company Lacework Labs reports that malware families such as Kinsing, Hezb and the Dark.IoT botnet have all attempted to exploit the Confluence vulnerability. Operators of the Dark IoT botnet have used bugs like that found in Confluence to gain full control of unpatched routers in the past. "This botnet has constantly weaponised recently disclosed vulnerabilities to hijack devices as soon as details about security flaws are published online," said Fortinet researcher Joie Savio in December.

Content from our partners
Why food manufacturers must pursue greater visibility and agility
How to define an empowered chief data officer
Financial management can be onerous for CFOs, but new tech is helping lighten the load

How to fix the Atlassian Confluence vulnerability

Atlassian has released patched versions of Confluence Server and Data Centre. Until a patched version of Confluence can be installed, several temporary mitigations can be applied. GreyNoise recommends updating specific versions of the product. "For organisations unable to upgrade Confluence immediately, then as a temporary workaround, you can mitigate the CVE-2022-26134 issue by updating a specific set of .jar files identified in Confluence's security advisory."

GreyNoise has also identified a list of IP addresses attempting to exploit the Confluence vulnerability, which can be blocked while IT teams apply the patch and update their systems.

Tech Monitor is hosting a roundtable in association with Intel vPro on how to integrate security into operations. For more information, visit NSMG.live.

Read more: Inside TrickBot - how to run a cybercrime empire

Topics in this article: ,
Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy Policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications.
THANK YOU