A critical vulnerability in Atlassian’s Confluence enterprise server app that allows for malicious commands and reset servers is under active exploitation by threat actors in attacks that install ransomware, researchers said.
“Widespread exploitation of the CVE-2023-22518 authentication bypass vulnerability in Atlassian Confluence Server has begun, posing a risk of significant data loss,” Glenn Thorpe, senior director of security research and detection engineering at security firm GreyNoise, wrote on Mastodon on Sunday. “So far, the attacking IPs all include Ukraine in their target.”
He pointed to a page showing that between 12 am and 8 am on Sunday UTC (around 5 pm Saturday to 1 am Sunday Pacific Time), three different IP addresses began exploiting the critical vulnerability, which allows attackers to restore a database and execute malicious commands. The IPs have since stopped those attacks, but he said he suspected the exploits are continuing.
“Just one request is all it takes”
The DFIR Report published screenshots showing data it had collected when observing the attacks. One showed a demand from a ransomware group calling itself C3RB3R.
Other screenshots showed additional details, such as the post-exploit lateral movement to other parts of the victim’s network and the source of the attacks.
Security firms Rapid7 and Tenable, meanwhile, reported also seeing attacks commence over the weekend.
“As of November 5, 2023, Rapid7 Managed Detection and Response (MDR) is observing exploitation of Atlassian Confluence in multiple customer environments, including for ransomware deployment,” company researchers Daniel Lydon and Conor Quinn wrote. “We have confirmed that at least some of the exploits are targeting CVE-2023-22518, an improper authorization vulnerability affecting Confluence Data Center and Confluence Server.
The exploits Rapid7 observed were largely uniform in multiple environments, an indication of “mass exploitation” of on-premises Confluence servers. “In multiple attack chains, Rapid7 observed post-exploitation command execution to download a malicious payload hosted at 193.43.72[.]11 and/or 193.176.179[.]41, which, if successful, led to single-system Cerber ransomware deployment on the exploited Confluence server.”
CVE-2023-22518 is what’s known as an improper authorization vulnerability and can be exploited on Internet-facing Confluence servers by sending specially devised requests to setup-restore endpoints. Confluence accounts hosted in Atlassian’s cloud environment are unaffected. Atlassian disclosed the vulnerability last Tuesday in a post. In it, Atlassian Chief Information Security Officer Bala Sathiamurthy warned that the vulnerability could result in “significant data loss if exploited” and said “customers must take immediate action to protect their instances.”
By Thursday, Atlassian updated the post to report that several analyses published in the intervening days provided “critical information about the vulnerability which increases risk of exploitation.” The update appeared to refer to posts such as this one, which included the results of an analysis that compared the vulnerable and patched versions to identify technical details. Another likely source came from a Mastodon post:
“Just one request is all it takes to reset the server and gain admin access,” it said and included a short video showing an exploit in action.
On Friday, Atlassian updated the post once more to report active exploitation was underway. “Customers must take immediate action to protect their instances,” the update reiterated.
Now that word is out that exploits are easy and effective, threat groups are likely racing to capitalize on the vulnerability before targets patch it. Any organization running an on-premises Confluence server that’s exposed to the Internet should patch immediately, and if that’s not possible, temporarily remove it from the Internet. Another more risky mitigation is to disable the following endpoints:
- /json/setup-restore.action
- /json/setup-restore-local.action
- /json/setup-restore-progress.action
Atlassian’s senior management has all but begged affected customers to patch for almost a week now. Vulnerable organizations ignore the advice at their own considerable peril.