Unpatched 0-day Vulnerability in Atlassian Confluence is under Attack

Atlassian developers have warned that Confluence Server and Data Center are affected by a critical vulnerability (CVE-2022-26134) that several hacker groups are already using to install web shells. There are no patches for this fresh bug yet.

CVE-2022-26134 is reported to be an RCE vulnerability that does not require authentication to exploit. Atlassian says the vulnerability is confirmed in Confluence Server 7.18.0, and Confluence Server and Data Center 7.4.0 and above are also affected.

Since work on patches is still underway, the developers recommend either restricting access to Confluence Server and Data Center from the Internet, or temporarily disabling them altogether.

Volexity experts talked about attacks on this bug. They write that the bug was discovered at the beginning of this week, on May 31, and after conducting an investigation, Volexity was able to reproduce the exploit that hackers used against the latest version of Confluence Server and transfer all information to Atlassian.

During the attack studied by experts, the attackers installed BEHINDER, a JSP web shell that allows remote commands to be executed on a compromised server, on the victim’s system. The hackers then used BEHINDER to install the China Chopper web shell and a simple file upload tool.

According to the researchers, the attackers stole user tables from the Confluence server, introduced additional web shells, and changed the logs to hide traces of their presence.

Analysts believe that multiple attackers from China are behind these attacks and exploits.