Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Atlassian Confluence Servers Hacked via Zero-Day Vulnerability

Atlassian scrambling to patch Confluence Server zero-day exploited by multiple threat groups

Atlassian customers have been warned that hackers are exploiting a Confluence Server zero-day vulnerability. The flaw is currently unpatched and it appears to have been exploited by multiple threat groups.

Atlassian scrambling to patch Confluence Server zero-day exploited by multiple threat groups

Atlassian customers have been warned that hackers are exploiting a Confluence Server zero-day vulnerability. The flaw is currently unpatched and it appears to have been exploited by multiple threat groups.

According to Atlassian, Confluence Server and Data Center are affected by a critical vulnerability that can be exploited by an unauthenticated attacker for remote code execution. The vendor warned in an advisory published on Thursday that the security hole, tracked as CVE-2022-26134, has been exploited in the wild.

All supported versions of Confluence Server and Data Center are affected. Until a patch becomes available, users have been advised to prevent access to their Confluence servers from the internet, or simply disable these instances. Users can also reduce the risk of attacks by using a firewall to block URLs containing “${“.

Atlassian expects fixes to become available by the end of the day on Friday, June 3.

The vulnerability was reported to Atlassian by Volexity, whose employees discovered the zero-day during an incident response investigation. Details of the vulnerability were reported to the vendor on May 31.

The cybersecurity firm believes multiple threat actors are currently exploiting CVE-2022-26134 and noted that “the likely country of origin of these attackers is China.”

In a blog post published on Thursday, Volexity said the attacks it observed involved the delivery of JSP webshells, specifically a variant of China Chopper, as well as bash shells. These shells can give the attackers full control over the compromised Confluence server.

Once they gained access to Confluence systems, the attackers deployed an in-memory copy of BEHINDER, a popular web server implant whose source code is available on GitHub.

“BEHINDER provides very powerful capabilities to attackers, including memory-only webshells and built-in support for interaction with Meterpreter and Cobalt Strike,” Volexity explained.

The company added, “Once BEHINDER was deployed, the attacker used the in-memory webshell to deploy two additional webshells to disk: China Chopper and a custom file upload shell.”

The hackers executed various commands on the victim’s systems, including for reconnaissance and accessing Confluence databases. They also attempted to alter web access logs to remove evidence of exploitation.

Volexity has released indicators of compromise (IoCs), as well as other information that can be useful to defenders.

The US Cybersecurity and Infrastructure Security Agency (CISA) has also informed organizations about the flaw, which it added to its Known Exploited Vulnerabilities Catalog. Federal agencies have been instructed to immediately take steps to reduce the risk of exploitation.

Related: Atlassian Patches Critical Code Execution Vulnerability in Confluence

Related: Atlassian Patches Critical Authentication Bypass Vulnerability in Jira

Related: USCYBERCOM Warns of Mass Exploitation of Atlassian Vulnerability Ahead of Holiday Weekend

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.