Around this time last week, threat actors began tapping into a previously unknown vulnerability in Atlassian software that gave them near-total control over a small number of servers. As of Thursday, active exploits of the vulnerability have mushroomed, sparking a semi-organized frenzy among competing criminal groups.
“It’s clear that multiple threat groups and individual actors have the exploit and have used it in different ways,” said Steven Adair, president of Volexity, the security firm that discovered the zero-day vulnerability while responding to a customer’s breach over Memorial Day weekend. “Some are pretty sloppy and some are a little more stealthy.” His tweet came a day after his company released the report detailing the vulnerability.
It is clear that multiple threat groups and individual actors have the exploit and have used it in different ways. Some are pretty sloppy and others are a bit more stealth. Loading class files into memory and writing JSP shells are the most popular we’ve seen so far.
— Steven Adair (@stevenadair) June 3, 2022
Adair also said that the affected industry verticals are “pretty widespread. This is a free-for-all where exploitation appears to be coordinated.”
CVE-2022-26134, as the vulnerability is tracked, allows unauthenticated remote code execution on servers running all supported versions of Confluence Server and Confluence Data Center. In its advisory, Volexity called the vulnerability “dangerous and trivially exploited.” The vulnerability is also likely to be present in unsupported and long-term support versions, security firm Rapid7 said.
Volexity researchers wrote:
Upon initial analysis of the exploit, Volexity found that it appeared similar to previous vulnerabilities that were also exploited to achieve remote code execution. These types of vulnerabilities are dangerous because as long as web requests can be made to the Confluence server system, attackers can execute commands without credentials and take full control of a vulnerable system. It should also be noted that CVE-2022-26134 appears to be another command injection vulnerability. This type of vulnerability is serious and requires significant attention.
Threat actors are exploiting the vulnerability to install the Chopper webshell and likely other types of malware. We hope that vulnerable organizations have already patched or otherwise fixed this hole, and otherwise wish them the best of luck this weekend. Atlassian’s advisory is here.
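The post-exploitation activity described above (JSP shells written to disk, webshells installed) leaves a file-level trace that a defender can look for even before the Confluence version is confirmed. The script below is an added example, not code from the article, Volexity, or Atlassian: it hashes every JSP under a Confluence install directory to build a baseline from a known-good copy, then rescans and flags JSPs that are new, modified, or contain code typical of a command shell. The directory layout, file names and the two indicator patterns are assumptions chosen for the example, not indicators published with the advisory; the demo runs entirely inside a temporary directory it constructs itself.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Indicators of a JSP command shell or in-memory class loader. These patterns
# are illustrative choices for this example, not a signature from the advisory.
SUSPICIOUS_PATTERNS = [
    ("command execution", re.compile(rb"Runtime\.getRuntime\(\)\.exec|ProcessBuilder\s*\(")),
    ("in-memory class loading", re.compile(rb"\.defineClass\s*\(")),
]
JSP_SUFFIXES = {".jsp", ".jspx"}


def _jsp_files(root):
    """Yield (relative_posix_path, Path) for every JSP/JSPX file under root."""
    root = Path(root)
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in JSP_SUFFIXES:
            yield path.relative_to(root).as_posix(), path


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Hash every JSP under root. Run this against a known-good install
    (or a freshly unpacked distribution of the same version)."""
    return {rel: _sha256(path) for rel, path in _jsp_files(root)}


def scan_jsp_tree(root, baseline):
    """Return sorted (relative_path, reasons) for JSPs that are new, modified,
    or contain suspicious code. An unchanged benign file yields nothing."""
    findings = []
    for rel, path in _jsp_files(root):
        reasons = []
        digest = _sha256(path)
        if rel not in baseline:
            reasons.append("not in baseline")
        elif baseline[rel] != digest:
            reasons.append("content changed")
        data = path.read_bytes()
        for name, pattern in SUSPICIOUS_PATTERNS:
            if pattern.search(data):
                reasons.append(name)
        if reasons:
            findings.append((rel, reasons))
    return sorted(findings)


def demo():
    """Constructed scenario in a temp dir: baseline a clean tree, then simulate
    an attacker dropping cmd.jsp and trojaning an existing page."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "pages").mkdir()
        (root / "index.jsp").write_bytes(
            b'<%@ page contentType="text/html" %><html>ok</html>')
        (root / "pages" / "viewpage.jsp").write_bytes(
            b"<html><body>page</body></html>")
        baseline = build_baseline(root)

        # Post-exploitation changes (constructed for the example, hypothetical content).
        (root / "cmd.jsp").write_bytes(
            b'<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>')
        with open(root / "pages" / "viewpage.jsp", "ab") as f:
            f.write(b'<% new ProcessBuilder(request.getParameter("c")).start(); %>')

        return scan_jsp_tree(root, baseline)


if __name__ == "__main__":
    for rel, reasons in demo():
        print(f"{rel}: {', '.join(reasons)}")
```

In practice the baseline is taken from a clean copy of the same Confluence release rather than from the possibly-compromised host, and a hit on "content changed" alone still warrants review, since a shell appended to a legitimate page will not necessarily match the two content patterns used here.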