Cybercriminals are abusing a zero-day vulnerability, tracked as CVE-2022-26134, in Atlassian Confluence. The attacks involve installing web shells to achieve remote code execution.

The abuse of zero-day

Recently, Atlassian has released a security advisory providing details regarding the zero-day flaw. The flaw is an unauthenticated RCE vulnerability impacting both Confluence Data Center and Confluence Server.
  • The vulnerability has been confirmed by Atlassian in Confluence Server 7.18.0 version and Confluence Server and Data Center 7.4.0 and higher.
  • Multiple China-based attackers are believed to be using these exploits.

Additionally, the CISA has added this zero-day to its 'Known Exploited Vulnerabilities Catalog' and urged federal agencies to block all internet traffic to their Confluence servers from June 3.

More insights

  • Researchers explained that the vulnerability was discovered over the Memorial Day weekend while performing incident response. They reproduced the exploit and disclosed it to Atlassian on May 31.
  • The attackers used BEHINDER to install a simple file upload tool as backups and a China Chopper web shell. 
  • Additionally, they dumped user tables of the Confluence server, wrote extra web shells, and made changes to access logs for avoiding detection.

The solution

No patch is available right now but a fix has been suggested by Atlassian. Firstly, users can restrict access to Confluence Server and Data Center instances from the internet, and the second alternative is to disable Confluence Server and Data Center instances.

Cyware Publisher

Publisher

Cyware