
New Botnets Target Critical Vulnerability in Confluence Servers

Multiple botnets are abusing a critical RCE vulnerability to infect Linux servers. These servers are running Atlassian Confluence Server and Data Center.

The exploit

Exploitation of the flaw (CVE-2021-26084) in Confluence Server and Data Center allows unauthorized attackers to create new admin accounts, run commands, and take over the server remotely, leaving publicly exposed servers backdoored.
  • The botnets Kinsing, Hezb, and Dark[.]IoT have been identified targeting exposed Linux servers and delivering backdoors and cryptominers.
  • After PoC exploits were published online, cybersecurity firm GreyNoise observed an almost 10-fold increase in active exploitation.
  • Initially, only 23 IP addresses were attempting to exploit the flaw; that number has since surged to more than 200.

Another disclosed flaw

A week ago, another flaw in Atlassian Confluence was disclosed as a zero-day (CVE-2022-26134) by Volexity. Additionally, CISA ordered federal agencies to restrict all internet traffic to Confluence servers on their networks.
  • The researchers revealed that multiple attackers from China are exploiting exposed servers that remain unpatched against this RCE flaw in order to deploy web shells.
  • The flaw was actively abused just one day after its public disclosure, and Atlassian released security updates, advising customers to patch their installations to prevent ongoing attacks.

Conclusion

Botnets continue to abuse critical flaws in unpatched Confluence Server and Data Center. Admins are therefore advised to update their servers as soon as possible to avoid infection. Atlassian likewise recommends upgrading to a fixed version of Confluence to stay protected.
Cyware Publisher
