A flurry of warnings about a dangerous vulnerability in Atlassian’s Confluence software was issued ahead of the Labor Day holiday in the US, with alerts from the FBI, CISA and the US Cyber Command highlighting the dangers of leaving the security flaw unpatched over the weekend.
Experts told Tech Monitor this represents a sea change in recommended cybersecurity best practice, with the need to prevent attacks trumping concerns about applying patches during periods where IT support is lacking. The change comes following a spate of attacks which have coincided with holidays over the past nine months.
What is the Atlassian Confluence vulnerability?
Atlassian alerted its customers to a vulnerability in its on-premises Confluence Server and Data Center products late last month. Confluence is a wiki service widely used by enterprise organisations, and the vulnerability allows attackers to execute code remotely, giving them control over the affected system and the ability to move laterally inside the network, explains Oded Vanunu, head of products vulnerability research at security company Check Point Software. “As Atlassian Confluence has a huge install base, it gives criminals an open window to attack many organisations that use this technology on their infrastructure, which is perfect for hacking groups,” he says.
Threat intelligence company Bad Packets announced last week that it has already “detected mass scanning and exploit activity” against Confluence from hosts in China, Russia, the US, Hong Kong, Romania, Brazil and Nepal. While these are assumed to be for crypto mining purposes, a ransomware attack is inevitable, says Toby Lewis, global head of threat analysis at security company Darktrace: “Will we see attacks months from now that may involve this vulnerability? Yes. Just because it’s not taking place today or this weekend doesn’t mean we won’t see it in a few weeks or months.”
Why is the timing of these warnings important?
Cybersecurity companies and law enforcement agencies found the timing of this vulnerability alarming, as many of the most high-profile recent ransomware attacks, such as the Colonial Pipeline breach and the attack at meat company JBS, have taken place during holiday periods when criminals consider organisations vulnerable. “Mass exploitation of Atlassian Confluence CVE-2021-26084 is ongoing and expected to accelerate. Please patch immediately if you haven’t already – this cannot wait til after the weekend” tweeted the US Cyber Command in a rare intervention on Friday. CISA and the FBI issued a joint warning to “urge organisations to remain vigilant to ransomware threats on holidays, including this Labor Day” at the end of last month.
Such clear warnings to patch vulnerabilities before a national holiday represent a “really interesting change” in cybersecurity best practice, explains Lewis. “I think you’re seeing a change in narrative that effectively tells organisations, ‘if you leave it until after the weekend, you’re going to leave yourselves open and vulnerable over the course of that weekend’,” he says.
Traditionally, many IT teams have a ‘change freeze’ process that kicks in before a weekend or national holiday to prevent new patches from being applied during a period when there is no support on hand to deal with any problems. But Lewis says: “I think what we’re now seeing from the likes of the CIA and FBI and others is a narrative which says ‘if you deploy it might become a support issue, but if you don’t deploy it, it will become a security issue’.”
This change will require organisations to have robust patching processes so that critical updates can be applied in a timely manner, says Javvad Malik, security awareness advocate at KnowBe4, a security training company. “Failing that, processes should be put in place that can protect the affected systems in other ways or take them offline for a period of time until such a time that the patch can be safely applied.”