Security news that informs and inspires

Attackers Exploit Confluence Bug to Drop Ransomware, Webshells


More than a week after a critical vulnerability in the Atlassian Confluence Server and Data Center was disclosed and patches issued, adversaries including nation-state actors are continuing an onslaught of exploitation attempts against the flaw in order to deploy web shells, botnets, cryptocurrency mining malware and ransomware.

Microsoft said that it has observed the flaw (CVE-2022-26134) recently being exploited by a known China-based ransomware operator, tracked as DEV-0401, which has previously deployed ransomware files like LockFile, AtomSilo and Rook against victims. The threat actor is known for exploiting Internet-facing systems that run vulnerable versions of Confluence (such as the known Confluence OGNL injection flaw tied to CVE-2021-26084) as well as targeting other vulnerabilities including the ProxyShell flaw in Microsoft Exchange servers (CVE-2021-34473).

“In many cases impacted devices have been observed with multiple disparate instances of malicious activity, including extensive device and domain discovery, and the deployment of payloads like Cobalt Strike, web shells, botnets like Mirai and Kinsing, coin miners, and ransomware,” according to Microsoft on Friday.

The company warned users of impacted versions of the product to upgrade to the patched version or apply the recommended mitigations. Microsoft also noted that attackers are exploiting the vulnerability in order to deploy Cerber2021 (also known as CerberImposter), which is a novice ransomware family that emerged in the first quarter of 2022.

The vulnerability in Confluence, a collaborative tool used widely in enterprises to build internal wikis and knowledge bases, was first uncovered in the beginning of June after researchers discovered it being used in active attacks by multiple threat actors, which were aiming to achieve remote code execution. As part of these initial attacks, attackers exploited compromised servers in order to install webshells on them and finally deploy a known implant called Behinder. Researchers with Volexity, who discovered the activity, did not attribute this initial intrusion, but did state that the attack likely stemmed from China.

Since then, attacks have become more widespread, due in part to the release of proof-of-concept exploits online. Dray Agha, ThreatOps Analyst at Huntress, said that when querying Huntress telemetry a day after CVE-2022-26134 was shared, researchers identified 50 to 60 vulnerable Confluence servers. Many companies have not patched their systems simply because they have forgotten about them, said Agha.

“There are a surprising number of Confluence servers spun up that organizations had always intended to decommission but are still out there, exposed to the big bad internet,” said Agha. “Initially, CVE-2022-26134 was problematic as there was no patch available… However, now a patch is available and has been for a while, there is no evidence that patching induces further complications.”