Atlassian Confluence Servers Hacked via Zero-Day Vulnerability

Atlassian scrambling to patch Confluence Server zero-day exploited by multiple threat groups

Atlassian customers have been warned that hackers are exploiting a Confluence Server zero-day vulnerability. The flaw is currently unpatched and it appears to have been exploited by multiple threat groups.

According to Atlassian, Confluence Server and Data Center are affected by a critical vulnerability that can be exploited by an unauthenticated attacker for remote code execution. The vendor warned in an advisory published on Thursday that the security hole, tracked as CVE-2022-26134, has been exploited in the wild.

All supported versions of Confluence Server and Data Center are affected. Until a patch becomes available, users have been advised to prevent access to their Confluence servers from the internet, or simply disable these instances. Users can also reduce the risk of attacks by using a firewall to block URLs containing “${“.

Atlassian expects fixes to become available by the end of the day on Friday, June 3.

The vulnerability was reported to Atlassian by Volexity, whose employees discovered the zero-day during an incident response investigation. Details of the vulnerability were reported to the vendor on May 31.

The cybersecurity firm believes multiple threat actors are currently exploiting CVE-2022-26134 and noted that “the likely country of origin of these attackers is China.”

In a blog post published on Thursday, Volexity said the attacks it observed involved the delivery of JSP webshells, specifically a variant of China Chopper, as well as bash shells. These shells can give the attackers full control over the compromised Confluence server.

Once they gained access to Confluence systems, the attackers deployed an in-memory copy of BEHINDER, a popular web server implant whose source code is available on GitHub.

“BEHINDER provides very powerful capabilities to attackers, including memory-only webshells and built-in support for interaction with Meterpreter and Cobalt Strike,” Volexity explained.

The company added, “Once BEHINDER was deployed, the attacker used the in-memory webshell to deploy two additional webshells to disk: China Chopper and a custom file upload shell.”

The hackers executed various commands on the victim’s systems, including for reconnaissance and accessing Confluence databases. They also attempted to alter web access logs to remove evidence of exploitation.

Volexity has released indicators of compromise (IoCs), as well as other information that can be useful to defenders.

The US Cybersecurity and Infrastructure Security Agency (CISA) has also informed organizations about the flaw, which it added to its Known Exploited Vulnerabilities Catalog. Federal agencies have been instructed to immediately take steps to reduce the risk of exploitation.

Related: Atlassian Patches Critical Code Execution Vulnerability in Confluence

Related: Atlassian Patches Critical Authentication Bypass Vulnerability in Jira

Related: USCYBERCOM Warns of Mass Exploitation of Atlassian Vulnerability Ahead of Holiday Weekend