Exploitation of Atlassian Confluence zero-day surges fifteen-fold in 24 hours

Atlassian logo on a smartphone, with the logo on a wall in the background too
(Image credit: Getty Images)

The exploitation of a critical-severity remote code execution (RCE) zero-day flaw in Atlassian Confluence Server and Data Center has increased by nearly fifteen times in the two days since active attacks were first registered.

Experts at internet security firm GreyNoise said the number of unique IP addresses launching attacks using the RCE flaw, tracked as CVE-2022-26134, has risen from 28 to 400 since Friday when exploitation began.

Cyber security company Volexity first reported that it discovered the RCE vulnerability over the US’ Memorial Day weekend (28-30 May) after noticing suspicious activity on two internet-facing web servers.

It was assigned a CVE tracking code on 31 May and Volexity published its findings last week, with a clear rise in active exploits on current versions following a day after, on 3 June.

Atlassian released a patch for the unauthenticated RCE flaw on Friday, urging all customers to upgrade to the latest version to avoid being targeted by attackers with access to proof-of-concept (PoC) exploit code.

According to Atlassian, the company has released the following new Confluence versions that all contain a fix for the security issue:

  • 7.4.17
  • 7.13.7
  • 7.14.3
  • 7.15.2
  • 7.16.4
  • 7.17.4
  • 7.18.1

Admins who are unable to upgrade to the latest versions of Confluence are advised to mitigate the flaw with a workaround which involves updating several specific .JAR files. More information and full instructions can be found via Atlassian’s security advisory.

An analysis of the situation by Unit 42 revealed nearly 20,00 Confluence servers found to be potentially affected by the exploit as of last week, with most of the victims residing either in the US, German, Russia, and China.

It also said there was evidence of early exploitation as far back as 26 May with targets across various industries.

Volexity said in its initial analysis that early exploits seemed to be conducted by multiple threat actors likely to be operating out of China.

Deconstructing the zero-day

Volexity’s initial analysis of the zero-day’s exploitation revealed that attackers were using the vulnerability to drop several malicious implants in the form of web shells on victims’ environments.

Attackers were using the open-source Behinder web server implant previously linked to Chinese threat actors by Avast.

“Behinder provides very powerful capabilities to attackers, including memory-only web shells and built-in support for interaction with Meterpreter and Cobalt Strike,” said Volexity. “This method of deployment has significant advantages by not writing files to disk. At the same time, it does not allow persistence, which means a reboot or service restart will wipe it out.


Unified endpoint management solutions 2021-22

Analysing the UEM landscape


“Once Behinder was deployed, the attacker used the in-memory web shell to deploy two additional web shells to disk: China Chopper and a custom file upload shell.”

The researchers noted that China Chopper was installed but was rarely accessed, according to web logs, leading them to the conclusion that it was installed simply as a means of secondary access.

Delving further into the web logs, Volexity also discovered the commonly executed commands made by the attackers once they had access.

Among these were reconnaissance commands - checking the operating system version and examining the contents of password files.

Attackers then looked for user tables from the Confluence database and dumped them before attempting to deploy anti-analysis tactics by altering web logs to remove evidence of exploitation.

They also wrote additional web shells to the victims’ disks, but not all of these could be recovered, Volexity said.

Specific details regarding how the exploit takes place have not been made public, but Tenable said that past attacks on Atlassian Confluence have involved sending specially crafted requests to vulnerable Confluence Server or Data Center instances to execute code and fully take over the system.

One of the most recent examples of attacks on Confluence came less than a year ago when the US Cyber Command warned of a highly exploitable flaw that led to code execution.

That security incident came three months after a separate one-click flaw was found to affect Atlassian Jira, the company’s bug-tracking and project management tool, that allowed hackers to steal sensitive information.

Connor Jones

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.