
Patches can’t wait: Confluence warnings mark change in security best practice

IT teams are being told to prioritise prevention over support when it comes to patching, as hackers are increasingly targeting holiday periods.

A flurry of warnings about a dangerous vulnerability in Atlassian’s Confluence software were issued ahead of the Labor Day holiday in the US, with alerts from the FBI, CISA and the US Cyber Command highlighting the dangers of leaving the security flaw unpatched over the weekend.

Experts told Tech Monitor this represents a sea change in recommended cybersecurity best practice, with the need to prevent attacks trumping concerns about applying patches during periods where IT support is lacking. The change comes following a spate of attacks which have coincided with holidays over the past nine months.

What is the Atlassian Confluence vulnerability?

Atlassian alerted its customers to a vulnerability in its on-premises Confluence server and data centre products late last month. Confluence is a widely used wiki service for enterprise organisations, and the vulnerability allows cybercriminals to execute code remotely, giving them the power to take control of the system and move laterally inside the network, explains Oded Vanunu, head of products vulnerability research at security company Check Point Software. “As Atlassian Confluence has a huge install base, it gives criminals an open window to attack many organisations that use this technology on their infrastructure, which is perfect for hacking groups,” he says.

Several warnings have been issued about a vulnerability in Atlassian’s Confluence software. (Photo by William West/Getty Images)

Threat intelligence company Bad Packets announced last week that it has already “detected mass scanning and exploit activity” against Confluence from hosts in China, Russia, the US, Hong Kong, Romania, Brazil and Nepal. While these are assumed to be for crypto mining purposes, a ransomware attack is inevitable, says Toby Lewis, global head of threat analysis at security company Darktrace: “Will we see attacks months from now that may involve this vulnerability? Yes. Just because it’s not taking place today or this weekend doesn’t mean we won’t see it in a few weeks or months.”


Why is the timing of these warnings important?

Cybersecurity companies and law enforcement agencies found the timing of this vulnerability alarming, as many of the most high-profile recent ransomware attacks, such as the Colonial Pipeline breach and the attack at meat company JBS, have taken place during holiday periods when criminals consider organisations vulnerable. “Mass exploitation of Atlassian Confluence CVE-2021-26084 is ongoing and expected to accelerate. Please patch immediately if you haven’t already – this cannot wait til after the weekend” tweeted the US Cyber Command in a rare intervention on Friday. CISA and the FBI issued a joint warning to “urge organisations to remain vigilant to ransomware threats on holidays, including this Labor Day” at the end of last month. 

Such clear warnings to patch vulnerabilities before a national holiday represent a “really interesting change” in cybersecurity best practice, explains Lewis. “I think you’re seeing a change in narrative that effectively tells organisations, ‘if you leave it until after the weekend, you’re going to leave yourselves open and vulnerable over the course of that weekend’,” he says.


Traditionally, many IT teams have a ‘change freeze’ process that kicks in before a weekend or national holiday to prevent new patches being applied in a period where there is no support on hand to deal with any problems. But Lewis says: “I think what we’re now seeing from the likes of the CIA and FBI and others is a narrative which says ‘if you deploy it might become a support issue, but if you don’t deploy it, it will become a security issue’.”

This change will require organisations to have robust patching processes so that critical updates can be applied in a timely manner, says Javvad Malik, security awareness advocate at KnowBe4, a security training company. “Failing that, processes should be put in place that can protect the affected systems in other ways or take them offline for a period of time until such a time that the patch can be safely applied.” 

Claudia Glover

Reporter

Claudia Glover is a staff reporter on Tech Monitor.