The U.S. Cyber Command on Friday warned of ongoing mass
exploitation attempts in the wild targeting a now-patched critical
security vulnerability affecting Atlassian Confluence deployments
that could be abused by unauthenticated attackers to take control
of a vulnerable system.
“Mass exploitation of Atlassian Confluence CVE-2021-26084[1]
is ongoing and expected to accelerate,” the Cyber National Mission
Force (CNMF) said[2]
in a tweet. The warning was also echoed by the U.S. Cybersecurity
and Infrastructure Security Agency (CISA[3]) and Atlassian itself[4]
in a series of independent advisories.
Bad Packets noted[5]
on Twitter it “detected mass scanning and exploit activity from
hosts in Brazil, China, Hong Kong, Nepal, Romania, Russia and the
U.S. targeting Atlassian Confluence servers vulnerable to remote
code execution.”
Atlassian Confluence is a widely popular web-based documentation
platform that allows teams to create, collaborate, and organize on
different projects, offering a common platform to share information
in corporate environments. It counts several major companies,
including Audi, Docker, GoPro, Hubspot, LinkedIn, Morningstar,
NASA, The New York Times, and Twilio, among its customers.
The development[6]
comes days after the Australian company rolled out security updates
on August 25 for a OGNL[7]
(Object-Graph Navigation Language) injection flaw that, in specific
instances, could be exploited to execute arbitrary code on a
Confluence Server or Data Center instance.
Put differently, an adversary can leverage this weakness to
execute any command with the same permissions as the user running
the service, and worse, abuse the access to gain elevated
administrative permissions to stage further attacks against the
host using unpatched local vulnerabilities.
The flaw, which has been assigned the identifier CVE-2021-26084
and has a severity rating of 9.8 out of 10 on the CVSS scoring
system, impacts all versions prior to 6.13.23, from version 6.14.0
before 7.4.11, from version 7.5.0 before 7.11.6, and from version
7.12.0 before 7.12.5.
The issue has been addressed in the following versions —
- 6.13.23
- 7.4.11
- 7.11.6
- 7.12.5
- 7.13.0
In the days since the patches were issued, multiple threat
actors have seized the opportunity to capitalize on the flaw by
ensnaring potential victims to mass scan vulnerable Confluence
servers and install crypto miners[8]
after a proof-of-concept (PoC) exploit was publicly released[9]
earlier this week. Rahul Maini, one of the researchers involved,
described[10] the process of
developing the CVE-2021-26084 exploit as “relatively simpler than
expected.”
References
- ^
CVE-2021-26084
(nvd.nist.gov) - ^
said
(twitter.com) - ^
CISA
(us-cert.cisa.gov) - ^
Atlassian itself
(confluence.atlassian.com) - ^
noted
(twitter.com) - ^
development
(censys.io) - ^
OGNL
(en.wikipedia.org) - ^
install
crypto miners (www.bleepingcomputer.com) - ^
publicly
released (github.com) - ^
described
(twitter.com)
Read more http://feedproxy.google.com/~r/TheHackersNews/~3/WPYoGwOE-5g/us-cyber-command-warns-of-ongoing.html