Hackers are taking advantage of an Atlassian Confluence zero-day vulnerability that has yet to be fixed.

News Sand DC

Atlassian has issued a security advisory on a critical, unpatched remote code execution vulnerability affecting its Confluence Server and Data Center products, which the company says is being actively exploited in the wild.

The flaw, tracked as CVE-2022-26134, was discovered by cybersecurity firm Volexity, according to the Australian software company.

In an alert, Atlassian stated, "Atlassian has been made aware of current active exploitation of a critical severity unauthenticated remote code execution vulnerability in Confluence Data Center and Server."

"Confluence Server and Data Center do not have any stable versions available right now. Atlassian is working on a remedy as quickly as possible." The specifics of the security issue are being kept under wraps until a software fix is released.

All supported versions of Confluence Server and Data Center are affected, and it is likely that every version of the enterprise product is vulnerable. The earliest affected version has yet to be determined.

In the absence of a remedy, Atlassian recommends that users either block Confluence Server and Data Center instances from accessing the internet or disable Confluence Server and Data Center instances entirely.

In a separate statement, Volexity said it discovered the activity over the Memorial Day weekend in the United States as part of an incident response investigation.

The threat actor used the Atlassian zero-day, a command injection vulnerability, to gain unauthenticated remote code execution on the server, which allowed them to drop the Behinder web shell.

"Behinder gives attackers a lot of capability," the researchers claimed, "including memory-only web shells and built-in support for Meterpreter and Cobalt Strike interaction. At the same time, it doesn't enable persistence, thus a reboot or service restart will completely wipe it off."

Following that, the web shell is believed to have been used to deploy two further web shells to disk: China Chopper and a bespoke file upload shell for exfiltrating arbitrary data to a remote server.

The news comes less than a year after another severe remote code execution flaw in Atlassian Confluence (CVE-2021-26084, CVSS score: 9.8) was actively exploited in the wild to install bitcoin miners on vulnerable servers.

"Attackers can get direct access to extremely sensitive systems and networks by exploiting this type of vulnerability," Volexity stated. "Furthermore, because they lack the necessary monitoring or logging capabilities, these systems might be difficult to analyze."
