Ransomware gangs are targeting rebuild and actively exploited remote code execution (RCE) easiness affecting Atlassian confluence server including data center sample for initial access to corporate networks.
If this exploitation happens successfully, this OGNL injection vulnerability (CVE-2022-26134) allows false attackers to take over unpatched servers for creating new admin accounts and execute arbitrary code.
Additionally, proof-of-concept deeds were also leaked online lowering the skill level required for exploitation even further after active exploitation.
The harshness of this security flaw and the already available deed didn’t go unrecognised with numerous botnets and threat actors actively manipulating it in the wild to extend crypto mining malware.
Ransomware is circling unpatched confluence server’s-
Initially,AvosLocker ransomware affiliates have already jumped on the wagon, according to research of Swiss cyber threat intelligence firm Prodaft.
Though there is no targeting and hacking into internet exposed confluence server’s which are unpatched.
‘By performing mass scans on various networks, AvosLocker threat actors search for vulnerable machines used to run Atlassian Confluence systems,’ Prodaft told BleepingComputer.
‘AvosLocker has already managed to infect multiple organizations from different parts of the globe; including but not limited to the United States, Europe, and Australia.’
Numerous victims that Cerber2021 Ransomware is targeting confluence instances unpatched against CVE-2022-26134.
Michael Gillespie, the ID-Ransomware creator informs BleepingComputer that submissions identified as CerberImposter include coded Confluence configuration files which is showing that Confluence instances are getting encrypted in the wild.
The manumut of CVE-2022-26134 POC exploits coincides with an increase in the number of successful Cerber ransomware attacks.
Even Microsoft has confirmed that a confluence server has been exploited to install Cerber2021.
Highly exploited in the Wild
Few days back, Cybersecurity firm Volexity revealed CVE-2022-26134 as an actively exploited zero-day bug.
However, CISA has ordered federal agencies to lighten the flaw by blocking all internet traffic to confluence servers in their network.
Additionally, Volexity revealed that some China-linked threat actors are probably using exploits for targeting vulnerable servers to position web shells.
Later, Atlassian revealed security updates and appealed to customers to cover their installation to stop attacks.
Atlassian mentioned, ‘We strongly recommend upgrading to a fixed version of Confluence as there are several other security fixes included in the fixed versions of Confluence’.
