IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Exploitation of Atlassian Confluence zero-day surges fifteen-fold in 24 hours

The zero-day code execution vulnerability was discovered last week and cyber attackers are already capitalising on the proof-of-concept code

The exploitation of a critical-severity remote code execution (RCE) zero-day flaw in Atlassian Confluence Server and Data Center has increased by nearly fifteen times in the two days since active attacks were first registered.

Experts at internet security firm GreyNoise said the number of unique IP addresses launching attacks using the RCE flaw, tracked as CVE-2022-26134, has risen from 28 to 400 since Friday when exploitation began.

Cyber security company Volexity first reported that it discovered the RCE vulnerability over the US’ Memorial Day weekend (28-30 May) after noticing suspicious activity on two internet-facing web servers.

It was assigned a CVE tracking code on 31 May and Volexity published its findings last week, with a clear rise in active exploits on current versions following a day after, on 3 June.

Atlassian released a patch for the unauthenticated RCE flaw on Friday, urging all customers to upgrade to the latest version to avoid being targeted by attackers with access to proof-of-concept (PoC) exploit code.

According to Atlassian, the company has released the following new Confluence versions that all contain a fix for the security issue:

  • 7.4.17
  • 7.13.7
  • 7.14.3
  • 7.15.2
  • 7.16.4
  • 7.17.4
  • 7.18.1

Admins who are unable to upgrade to the latest versions of Confluence are advised to mitigate the flaw with a workaround which involves updating several specific .JAR files. More information and full instructions can be found via Atlassian’s security advisory.

An analysis of the situation by Unit 42 revealed nearly 20,00 Confluence servers found to be potentially affected by the exploit as of last week, with most of the victims residing either in the US, German, Russia, and China.

It also said there was evidence of early exploitation as far back as 26 May with targets across various industries.

Volexity said in its initial analysis that early exploits seemed to be conducted by multiple threat actors likely to be operating out of China.

Deconstructing the zero-day

Volexity’s initial analysis of the zero-day’s exploitation revealed that attackers were using the vulnerability to drop several malicious implants in the form of web shells on victims’ environments.

Attackers were using the open-source Behinder web server implant previously linked to Chinese threat actors by Avast.

“Behinder provides very powerful capabilities to attackers, including memory-only web shells and built-in support for interaction with Meterpreter and Cobalt Strike,” said Volexity. “This method of deployment has significant advantages by not writing files to disk. At the same time, it does not allow persistence, which means a reboot or service restart will wipe it out.

Related Resource

Unified endpoint management solutions 2021-22

Analysing the UEM landscape

Whitepaper cover with title on shaded pink/purple backgroundFree Download

“Once Behinder was deployed, the attacker used the in-memory web shell to deploy two additional web shells to disk: China Chopper and a custom file upload shell.”

The researchers noted that China Chopper was installed but was rarely accessed, according to web logs, leading them to the conclusion that it was installed simply as a means of secondary access.

Delving further into the web logs, Volexity also discovered the commonly executed commands made by the attackers once they had access.

Among these were reconnaissance commands - checking the operating system version and examining the contents of password files. 

Attackers then looked for user tables from the Confluence database and dumped them before attempting to deploy anti-analysis tactics by altering web logs to remove evidence of exploitation.

They also wrote additional web shells to the victims’ disks, but not all of these could be recovered, Volexity said.

Specific details regarding how the exploit takes place have not been made public, but Tenable said that past attacks on Atlassian Confluence have involved sending specially crafted requests to vulnerable Confluence Server or Data Center instances to execute code and fully take over the system.

One of the most recent examples of attacks on Confluence came less than a year ago when the US Cyber Command warned of a highly exploitable flaw that led to code execution. 

That security incident came three months after a separate one-click flaw was found to affect Atlassian Jira, the company’s bug-tracking and project management tool, that allowed hackers to steal sensitive information.

Featured Resources

The 3D skills report

Add 3D skills to your creative toolkits and play a sizeable role in the digital future

Free Download

The increasing need for environmental intelligence solutions

How sustainability has become a major business priority and is continuing to grow in importance

Free Download

2022 State of the multi-cloud report

What are the biggest multi-cloud motivations for decision-makers, and what are the leading challenges

Free Download

Solve global challenges with machine learning

Tackling our word's hardest problems with ML

Free Download

Most Popular

Why energy efficient technology is key to a sustainable business

Why energy efficient technology is key to a sustainable business

16 Jan 2023
Yandex data breach reveals source code littered with racist language
data breaches

Yandex data breach reveals source code littered with racist language

30 Jan 2023
European partners expect growth this year, here are three ways they will achieve it

European partners expect growth this year, here are three ways they will achieve it

17 Jan 2023