Attackers are exploiting a recently patched, critical authentication bypass flaw in Atlassian Confluence to deploy Cerber ransomware and encrypt victims' files.
The vulnerability, tracked by Atlassian as CVE-2023-22518, is classified as an improper authorization vulnerability and carries a severity rating of 9.1 out of 10. It affects all versions of Confluence Data Center and Confluence Server.
Atlassian's Chief Information Security Officer (CISO) emphasized that an unauthenticated attacker could cause significant data loss by exploiting the flaw. At the time of the initial advisory there were no reports of active exploitation, but Atlassian nevertheless warned customers to take immediate action to protect their instances.
The urgency escalated when a proof-of-concept exploit surfaced online, prompting Atlassian to advise users on mitigation measures. For those unable to patch immediately, the recommendations include backing up unpatched instances and blocking Internet access to vulnerable servers until the fixes are applied. A further step is to modify //confluence/WEB-INF/web.xml to remove the known attack vectors, as described in the advisory.
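The two interim measures above (keep a backup before any manual edit, and cut off Internet access to the server until it is patched) can be scripted so an administrator can review them before applying anything. The following is an added example, not code from the article or from Atlassian's advisory; it assumes the Confluence install directory in CONFLUENCE_HOME, the application listening on TCP 8090 (the Confluence default), and an internal management range in ALLOWED_CIDR, all of which are placeholders to adjust. It backs up web.xml with a timestamp and writes an nftables ruleset that allows the Confluence port only from the internal range; it does not apply the ruleset itself.

```shell
#!/bin/sh
# Added example (not from the article or Atlassian): scripted form of two
# interim mitigations. All three values below are assumptions for illustration.
CONFLUENCE_HOME="${CONFLUENCE_HOME:-/opt/atlassian/confluence}"   # assumed install dir
CONFLUENCE_PORT="${CONFLUENCE_PORT:-8090}"                        # Confluence default HTTP port
ALLOWED_CIDR="${ALLOWED_CIDR:-10.0.0.0/8}"                        # assumed internal range

# 1. Keep a timestamped copy of web.xml before the manual edit from the
#    advisory is made. Prints the backup path; fails if the file is absent.
backup_web_xml() {
    src="$1/confluence/WEB-INF/web.xml"
    [ -f "$src" ] || { echo "no web.xml at $src" >&2; return 1; }
    dst="$src.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$src" "$dst" && echo "$dst"
}

# 2. Emit an nftables ruleset that accepts the Confluence port only from the
#    allowed range and drops it from everywhere else. Review the output, then
#    load it with: nft -f <file>
gen_nft_ruleset() {
    port="$1"; cidr="$2"
    cat <<EOF
table inet confluence_guard {
    chain input {
        type filter hook input priority 0; policy accept;
        ip saddr $cidr tcp dport $port accept
        tcp dport $port drop
    }
}
EOF
}

# Usage: sh mitigate.sh run
if [ "${1:-}" = "run" ]; then
    backup_web_xml "$CONFLUENCE_HOME"
    gen_nft_ruleset "$CONFLUENCE_PORT" "$ALLOWED_CIDR" > /tmp/confluence_guard.nft
    echo "ruleset written to /tmp/confluence_guard.nft; apply with: nft -f /tmp/confluence_guard.nft"
fi
```

The ruleset is deliberately written to a file rather than loaded, so it can be checked against the host's existing firewall policy before it is applied; note that blocking the port on the host does nothing for access paths that bypass it, such as a reverse proxy that terminates on another machine.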
At the time of writing, more than 24,000 Confluence instances are exposed online, but the exact number vulnerable to CVE-2023-22518 is unknown. Atlassian has updated its advisory to acknowledge reports of an active exploit and to stress the need for immediate protective measures.
Threat intelligence companies have detected widespread exploitation of CVE-2023-22518. They observed attacks targeting both the authentication bypass flaw and an older critical privilege escalation bug (CVE-2023-22515) that had previously been exploited as a zero-day.
In addition, CISA, the FBI, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) issued a joint advisory urging network administrators to secure Atlassian Confluence servers against the actively exploited CVE-2023-22515 privilege escalation bug.
The situation is reminiscent of previous attacks on Atlassian Confluence servers, with Cerber ransomware being deployed two years ago using a remote code execution vulnerability (CVE-2021-26084). This historical context underscores the persistent and evolving nature of cyber threats targeting Confluence users.
To avoid falling victim to such attacks, users are strongly advised to apply patches promptly, implement the mitigation measures, and stay informed about emerging threats. As an additional layer of defense, robust cybersecurity solutions such as Protergo can strengthen overall security posture and protect against evolving cyber threats.