About this time last week, threat actors quietly began tapping a previously unknown vulnerability in Atlassian software, giving them near-complete control over a small number of servers. Since Thursday, active exploits of the vulnerability have mushroomed, sparking a semi-organized frenzy among competing crime groups.
“It’s clear that multiple threat groups and individual actors have the exploit and have used it in different ways,” said Steven Adair, president of Volexity, the security firm that discovered the zero-day vulnerability while responding to a customer breach. the Memorial Day weekend. “Some are quite sloppy and others are a bit more stealthy.” his tweet came a day after his company released the report containing the vulnerability.
It is clear that multiple threat groups and individual actors have the exploit and have used it in different ways. Some are quite sloppy and others are a bit more stealthy. Loading class files into memory and writing JSP shells are the most popular we’ve seen so far.
— Steven Adair (@stevenadair) June 3, 2022
Adair also said the affected verticals are “quite widespread. This is a free-for-all where the exploitation seems coordinated.”
CVE-2022-26134, as the vulnerability is tracked, would allow unauthenticated remote code execution on servers running all supported versions of Confluence Server and Confluence Data Center. In its opinion, Volexity called the vulnerability “dangerous and trivially exploited”. The vulnerability is also likely to be present in unsupported and long-supported versions, security firm Rapid7 said.
Volexity researchers wrote:
Upon initial analysis of the exploit, Volexity noted that it resembled previous vulnerabilities that were also exploited to gain remote code execution. Vulnerabilities like this are dangerous because attackers can execute commands and gain full control over a vulnerable system without any credentials, as long as web requests can be made to the Confluence Server system. It should also be noted that CVE-2022-26134 appears to be another command injection vulnerability. This type of vulnerability is serious and requires a lot of attention.
Threat actors exploit the vulnerability to install the Chopper web shell and likely other types of malware. I hope vulnerable organizations have already closed or otherwise addressed this gap and, if not, wish them the best of luck this weekend. Atlassian’s advice is here.