Since the zero day in Atlassian Confluence (CVE-2022-26134) was disclosed on June 2, there has been a steady stream of exploit attempts against it from sources around the world, but nearly half of those attempts have come from IP addresses inside Russia.
New data compiled by Barracuda shows that 45 percent of the exploit attempts since the beginning of June have come from Russia, while 25 percent have come from IP addresses in the United States. The type of payload used by attackers varies widely, with some simply attempting to see whether the target server is vulnerable, some trying to install DDoS bots, and others installing web shells for persistence and further exploitation. Some more serious attempts try to erase everything on the Confluence server, including the root directory. Some actors also are trying to install the Mirai bot on vulnerable servers.
The Confluence vulnerability is a remote unauthenticated code execution bug that researchers at Volexity discovered while investigating an intrusion. The company disclosed the bug to Atlassian, which issued an advisory and released updated software a few days later. Initial exploit attempts against the vulnerability involved attackers installing web shells, but it didn’t take long for ransomware groups to get involved. A week after the initial disclosure, Microsoft reported that DEV-0401, a Chinese ransomware operator, was exploiting the vulnerability to drop ransomware.
“In many cases impacted devices have been observed with multiple disparate instances of malicious activity, including extensive device and domain discovery, and the deployment of payloads like Cobalt Strike, web shells, botnets like Mirai and Kinsing, coin miners, and ransomware,” Microsoft said at the time.
Barracuda’s data shows that exploitation attempts have been relatively steady since early June, aside from a large spike on June 13.
“It was a general spike in scans for the vulnerability that occurred around that time frame. These were mostly automated mass scans that were looking for vulnerable applications. The public proofs of concept came out around the 5th of June, and it likely took attackers a few days to integrate it into their tools and start probing,” Barracuda researchers said.
“Worth noting that the 13th is a Monday, and we’ve in the past seen that a significant portion of attacks happen on work days during work hours, and this seems to follow that pattern.”
Exploit volume has returned to prior levels. Many of the exploitation attempts, especially from U.S. IP addresses, are coming from cloud providers.