Unpatched 0-day Vulnerability in Atlassian Confluence is under Attack

Atlassian developers have warned that Confluence Server and Data Center are affected by a critical vulnerability (CVE-2022-26134) that several hacker groups are already using to install web shells. There are no patches for this fresh bug yet.

Let me also remind you that we wrote that Atlassian developers find critical vulnerabilities in Jira Service Desk, and also that Hackers attacked Codecov supply chain and compromise hundreds of networks.

CVE-2022-26134 is reported to be an RCE vulnerability that does not require authentication to exploit. Atlassian says the vulnerability is confirmed in Confluence Server 7.18.0, and Confluence Server and Data Center 7.4.0 and above are also affected.

Atlassian has been made aware of current active exploitation of a critical severity unauthenticated remote code execution vulnerability in Confluence Data Center and Server. Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels.developers write.

Since work on patches is still underway, the developers recommend either restricting access to Confluence Server and Data Center from the Internet, or temporarily disabling them altogether.

Volexity experts talked about attacks on this bug. They write that the bug was discovered at the beginning of this week, on May 31, and after conducting an investigation, Volexity was able to reproduce the exploit that hackers used against the latest version of Confluence Server and transfer all information to Atlassian.

During the attack studied by experts, the attackers installed BEHINDER, a JSP web shell that allows remote commands to be executed on a compromised server, on the victim’s system. The hackers then used BEHINDER to install the China Chopper web shell and a simple file upload tool.

BEHINDER provides attackers with powerful capabilities, including in-memory web shells, as well as built-in support for Meterpreter and Cobalt Strike.Volexity explained.

According to the researchers, the attackers stole user tables from the Confluence server, introduced additional web shells, and changed the logs to hide traces of their presence.

Analysts believe that multiple attackers from China are behind these attacks and exploits.

Volexity has already published a list of IP addresses associated with attacks, as well as Yara rules for detecting web shell activity on Confluence servers.
User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *


This site uses Akismet to reduce spam. Learn how your comment data is processed.

Back to top button