November 6, 2023 at 12:40PM
Attackers are exploiting a critical security flaw in Atlassian Confluence to encrypt files with Cerber ransomware. The flaw, tracked as CVE-2023-22518, received a severity rating of 9.1/10 and affects all versions of Confluence Data Center and Confluence Server software. Although there are currently no reports of active exploitation, Atlassian has issued warnings and urged customers to patch their systems or apply mitigation measures. Cybersecurity companies have observed attacks targeting the flaw, including ransomware deployments. There are over 24,000 exposed Confluence instances online, but it is unclear how many are vulnerable to the attacks.
Key takeaways:
1. Attackers are exploiting a critical severity flaw in Atlassian Confluence to encrypt victims’ files using Cerber ransomware. The flaw, tracked as CVE-2023-22518, is an authentication bypass vulnerability that affects all versions of Confluence Data Center and Confluence Server software.
2. Atlassian has released security updates and urged admins to patch all vulnerable instances immediately. The flaw could also be used to wipe data.
3. There have been no reports of active exploitation, but a proof-of-concept exploit is already available online.
4. Mitigation measures include backing up unpatched instances, blocking Internet access to unpatched servers, and modifying the /confluence/WEB-INF/web.xml file.
5. According to ShadowServer, there are over 24,000 Confluence instances exposed online, although the number of vulnerable instances is unknown.
6. Threat actors have begun targeting the flaw in attacks, and there have been reports of ransomware deployment on compromised Confluence servers.
7. Rapid7 has observed exploitation of Confluence in multiple customer environments, including for ransomware deployment.
8. Network administrators were previously urged to secure Atlassian Confluence servers against an actively exploited privilege escalation bug (CVE-2023-22515).
9. Cerber ransomware was previously deployed in attacks against Atlassian Confluence servers using a different vulnerability (CVE-2021-26084).
Overall, immediate action is necessary to patch vulnerable Confluence instances and protect against potential exploitation and ransomware attacks.