Flash Notice: Critical Confluence Zero-Day Vulnerability Exploited by Attackers

June 6, 2022

Flash Notice Update 6/6/2022: CRITICAL CONFLUENCE ZERO-DAY VULNERABILITY EXPLOITED BY ATTACKERS

Over the weekend, a proof-of-concept (POC) for the critical Atlassian Confluence vulnerability (CVE-2022-26134) was released, sparking a slew of exploit attempts. According to the cyber security firm, GreyNoise, since the POC was released, the number of unique IP addresses with successful exploit attempts has gone from zero to 727.

Atlassian has since released a patch for the vulnerability - an OGNL injection vulnerability that allows an unauthenticated user to execute arbitrary code on a Confluence Server or Data Center instance. The patch addresses the following released versions:

7.4.17
7.13.7
7.14.3
7.15.2
7.16.4
7.17.4
7.18.1

Atlassian recommends that you patch all Confluence and Data Center servers immediately by following their instructions, which you can find here. If you are unable to patch your servers, Atlassian has issued mitigations for Confluence 7.0.0 through version 7.18.0, which you can find here.

________________________________________________________________________________________________________________________________

Overview Confluence Server Vulnerability

A critical unpatched remote code execution vulnerability was found in Atlassian’s Confluence Server and Data Center products. CVE-2022-26134 is actively being exploited by attackers and affects all supported versions of Confluence Server and Data Center products.

According to Atlassian, CVE-2022-26134 is a command injection vulnerability that allows attackers to achieve unauthenticated remote code execution on the server, while also allowing them to use the foothold to drop the Behinder webshell.

CVE-2022-26134 was detected by Volexity (an Australian software company) over Memorial Day weekend within the U.S. The vulnerability was found during an incident response investigation including two internet-facing web servers belonging to their customers. Volexity stated that after the attacker successfully exploits the Confluence Server systems, they deploy a memory copy of the Behinder implant – a popular web server implant with source code available on GitHub. The implant includes memory-only webshells and built-in support for interaction with Meterpreter and Cobalt Strike.

Volexity further stated that in addition to deploying Behinder, the attacker added backup mechanisms to make sure they retained access to the Confluence server system just in case it was later cleaned up. Atlassian expects a fix to be available for customer download within 24 hours – end of day on June 3, 2022. In the interim, Atlassian is asking customers to work with their security teams to consider the best course of action, including:

- Restricting access to Confluence and Data Center instances from the internet.

- Shut down Confluence Server and Data Center Instances.

Atlassian is unsure of the earliest affected versions of Confluence Server and Data Center and there is no patch available. However, Atlassian stated they are making it their highest priority to issue a fix for the vulnerability.

If you can’t do the above, Atlassian recommends implementing their temporary mitigations. Researchers suspect that CVE-2022-26134 is being used by multiple threat actors whose country of origin is more than likely China. By exploiting the vulnerability, attackers can gain access to sensitive information on networks and systems. If your organization uses Atlassian’s Confluence Server and Data Center Products, please follow the below mitigations to keep your organization safe.

How Avertium is Protecting Our Customers:

Expanding endpoints, cloud computing environments, and accelerated digital transformation have decimated the perimeter in an ever-expanding attack surface. Avertium’s offers Attack Surface Management, so you’ll have no more blind spots, weak links, or fire drills.
Implement XDR
as a prevention method. Our XDR is a combination of monitoring software like LogRhythm, Microsoft Azure Sentinel, or AlienVault, combined with endpoint protection such as SentinelOne. XDR platforms enable cybersecurity through a technology focus by collecting, correlating, and analyzing event data from any source on the network. This includes endpoints, applications, network devices, and user interactions.
Avertium offers Vulnerability Management to provide a deeper understanding and control over organizational information security risks. If your enterprise is facing challenges with the scope, resources, or skills required to implement a vulnerability management program with your team, outsourced solutions can help you bridge the gap.
Avertium’s endpoint detection and response (EDR) ) is a platform of automated tools and capabilities that continuously monitor a system for suspicious activity within the security perimeter. These tools will recognize malicious activity from threat actors and will immediately alert the security team, which allows for rapid investigation and containment of attacks on endpoints.

Avertium's recommendations

General Recommendations

Block external access to internet-facing Confluence Server and Data Center systems.
Restrict access to Internet facing systems by implementing IP address access control lists.
Your Internet-facing web services should include robust monitoring capabilities and log retention policies.
Block all IoCs
Review alerts for any Confluence systems you have set up.
Patch immediately once Atlassian provides a fix for CVE-2022-26134.