Opportunistic threat actors have been observed actively exploiting a recently disclosed critical security flaw in Atlassian Confluence deployments across Windows and Linux to deploy web shells that result in the execution of crypto miners on compromised systems.
Tracked as CVE-2021-26084 (CVSS score: 9.8), the vulnerability concerns an OGNL (Object-Graph Navigation Language) injection flaw that could be exploited to achieve arbitrary code execution on a Confluence Server or Data Center instance.
“A remote attacker can exploit this vulnerability by sending a crafted HTTP request containing a malicious parameter to a vulnerable server,” researchers from Trend Micro noted in a technical write-up detailing the weakness. “Successful exploitation can result in arbitrary code execution in the security context of the affected server.”
The vulnerability, which resides in the Webwork module of Atlassian Confluence Server and Data Center, stems from insufficient validation of user-supplied input, causing the parser to evaluate rogue commands injected in OGNL expressions.
The in-the-wild attacks come after the U.S. Cyber Command warned of mass exploitation attempts following the vulnerability’s public disclosure in late August this year.
In one such attack observed by Trend Micro, z0Miner, a trojan and cryptojacker, was found updated to leverage the remote code execution (RCE) flaw to distribute next-stage payloads that act as a channel to maintain persistence and deploy cryptocurrency mining software on the machines. Imperva, in an independent analysis, corroborated the findings, uncovering similar intrusion attempts that were aimed at running the XMRig cryptocurrency miner and other post-exploitation scripts.
Also detected by Imperva, Juniper, and Lacework is exploitation activity carried out by Muhstik, a China-linked botnet known for its wormlike self-propagating capability to infect Linux servers and IoT devices since at least 2018.
Additionally, Palo Alto Networks’ Unit 42 threat intelligence team said it identified and prevented attacks that were orchestrated to upload the customer’s password files as well as download malware-laced scripts that downloaded a miner, and even open an interactive reverse shell on the machine.
“As is often the case with RCE vulnerabilities, attackers will rush and exploit affected systems for their own gain,” Imperva researchers said. “RCE vulnerabilities can easily allow threat actors to exploit affected systems for simple monetary gain by installing crypto currency miners and masking their activity, thus abusing the processing resources of the target.”