U.S. Cyber Command Warns of Ongoing Attacks Exploiting Atlassian Confluence Flaw

Cyber Security

The U.S. Cyber Command on Friday warned of ongoing mass exploitation attempts in the wild targeting a now-patched critical security vulnerability affecting Atlassian Confluence deployments that could be abused by unauthenticated attackers to take control of a vulnerable system.

“Mass exploitation of Atlassian Confluence CVE-2021-26084 is ongoing and expected to accelerate,” the Cyber National Mission Force (CNMF) said in a tweet. The warning was also echoed by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Atlassian itself in a series of independent advisories.

Bad Packets noted on Twitter it “detected mass scanning and exploit activity from hosts in Brazil, China, Hong Kong, Nepal, Romania, Russia and the U.S. targeting Atlassian Confluence servers vulnerable to remote code execution.”

Atlassian Confluence is a widely popular web-based documentation platform that allows teams to create, collaborate, and organize on different projects, offering a common platform to share information in corporate environments. It counts several major companies, including Audi, Docker, GoPro, Hubspot, LinkedIn, Morningstar, NASA, The New York Times, and Twilio, among its customers.

The development comes days after the Australian company rolled out security updates on August 25 for a OGNL (Object-Graph Navigation Language) injection flaw that, in specific instances, could be exploited to execute arbitrary code on a Confluence Server or Data Center instance.

Put differently, an adversary can leverage this weakness to execute any command with the same permissions as the user running the service, and worse, abuse the access to gain elevated administrative permissions to stage further attacks against the host using unpatched local vulnerabilities.

The flaw, which has been assigned the identifier CVE-2021-26084 and has a severity rating of 9.8 out of 10 on the CVSS scoring system, impacts all versions prior to 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.

The issue has been addressed in the following versions —

  • 6.13.23
  • 7.4.11
  • 7.11.6
  • 7.12.5
  • 7.13.0

In the days since the patches were issued, multiple threat actors have seized the opportunity to capitalize on the flaw by ensnaring potential victims to mass scan vulnerable Confluence servers and install crypto miners after a proof-of-concept (PoC) exploit was publicly released earlier this week. Rahul Maini, one of the researchers involved, described the process of developing the CVE-2021-26084 exploit as “relatively simpler than expected.”