Following its discovery of two vulnerabilities in Atlassian’s Confluence Data Center, Rapid7 has found cases of exploitation of both and has broken down the activity of the threat actors behind it.
The Australian software company’s Confluence Data Center is a platform that allows work teams to collaborate easily, with businesses able to customise the platform’s environment to suit their needs with different apps, integrations and APIs.
The two vulnerabilities – CVE-2023-22515 and CVE-2023-22518 – would allow threat actors to have a detrimental impact on organisations running Confluence Data Center.
Prior to Rapid7’s latest report, Atlassian said that it had “evidence to suggest that a known nation-state actor is actively exploiting CVE-2023-22515”, which allows threat actors to create administrator accounts within the Confluence Data Center without authorisation.
Until now, there was no evidence to suggest that the other vulnerability, CVE-2023-22518, had been exploited by hackers.
The Australian Cyber Security Centre (ACSC) had only said that exploitation would allow a threat actor to “cause significant data loss on the vulnerable instance”.
However, Rapid7 has since confirmed that there have been cases of the second vulnerability being exploited. Atlassian has also updated its advisory on the vulnerability, saying it had been informed by a customer that threat actors had exploited it.
Atlassian originally rated the severity of the vulnerability a critical 9.1 out of 10, but it has since bumped that number to 10.
“We have escalated CVE-2023-22518 from CVSS 9.1 to 10, the highest critical rating, due to the change in the scope of the attack,” it said.
Starting 5 November, Rapid7 said its managed detection and response (MDR) team had begun responding to reports of Confluence server vulnerabilities being exploited “within various customer environments”.
The company said it found the execution chain to be the same in multiple environments, which could indicate mass exploitation of “vulnerable internet-facing Atlassian Confluence servers”.
Following exploitation, the threat actor executed Base64-encoded commands, which it used to launch follow-up commands with Python 2 or Python 3.
“In multiple attack chains, Rapid7 observed post-exploitation command execution to download a malicious payload hosted at 193.43.72[.]11 and/or 193.176.179[.]41, which, if successful, led to single-system Cerber ransomware deployment on the exploited Confluence server,” added Rapid7.
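The chain Rapid7 describes above (a shell spawned on the Confluence server, a Base64 blob decoded and handed to Python, and a download from one of the two quoted hosts) leaves a recognisable footprint in process-creation telemetry. The following added example, which is not Rapid7's detection logic or code from the report, scans constructed log records for that footprint. The `timestamp | parent | cmdline` record format, the Confluence Java parent path, and `/tmp/stage.py` are assumptions made for the example; the two IP addresses are the ones quoted in the report.

```python
"""Flag process-creation records matching the Confluence post-exploitation chain
described in the Rapid7 findings. Added illustrative example: the log format,
the parent-process rule and the sample records are assumptions, not Rapid7's own logic."""
import base64
import re

# Payload hosts quoted in the Rapid7 findings (de-fanged brackets removed so they match).
IOC_IPS = {"193.43.72.11", "193.176.179.41"}

# Interpreters whose appearance directly under the Confluence Java process is suspicious.
# Assumption of this example: Confluence itself should not be spawning shells or Python.
INTERPRETERS = {"sh", "bash", "dash", "python", "python2", "python3"}

# A standalone run of at least 16 Base64-alphabet characters with optional padding.
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")
PYTHON_RE = re.compile(r"\bpython(?:2|3)?(?:\.\d+)?\b")
# "base64 -d" whose output is piped straight into a shell or Python interpreter.
DECODE_TO_INTERP = re.compile(r"base64\s+(?:-d|--decode)\b[^|]*\|\s*(?:sh|bash|python[23]?)\b")


def decode_base64_blobs(cmdline):
    """Decode every Base64-looking token in cmdline that yields printable ASCII text."""
    out = []
    for token in B64_TOKEN.findall(cmdline):
        try:
            text = base64.b64decode(token, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
            continue
        if all(ch.isprintable() or ch in "\n\t" for ch in text):
            out.append(text)
    return out


def analyze(parent, cmdline):
    """Return the reasons a single process-creation event matches the reported chain."""
    reasons = []
    decoded = decode_base64_blobs(cmdline)
    if DECODE_TO_INTERP.search(cmdline):
        reasons.append("base64-decoded content piped to an interpreter")
    if any(PYTHON_RE.search(text) for text in decoded):
        reasons.append("python launched from a Base64-encoded command")
    for ip in sorted(IOC_IPS):
        if ip in cmdline or any(ip in text for text in decoded):
            reasons.append(f"contact with reported payload host {ip}")
    argv = cmdline.split()
    first = argv[0].rsplit("/", 1)[-1] if argv else ""
    if "confluence" in parent.lower() and "java" in parent.lower() and first in INTERPRETERS:
        reasons.append("interpreter spawned by the Confluence Java process")
    return reasons


def scan(lines):
    """Parse 'timestamp | parent | cmdline' records and return findings for matching ones."""
    findings = []
    for line in lines:
        # maxsplit=2 keeps any pipes inside the command line intact.
        ts, parent, cmdline = (part.strip() for part in line.split("|", 2))
        reasons = analyze(parent, cmdline)
        if reasons:
            findings.append({"timestamp": ts, "reasons": reasons})
    return findings


# Constructed sample records (not real telemetry). The encoded blobs are built here
# so the example needs no hand-computed Base64.
ENC_STAGE = base64.b64encode(b"python3 /tmp/stage.py 193.43.72.11").decode()
ENC_NOTE = base64.b64encode(b"routine maintenance window").decode()

SAMPLE_LOGS = [
    f'2023-11-05T10:12:01Z | /opt/atlassian/confluence/jre/bin/java | sh -c "echo {ENC_STAGE} | base64 -d | sh"',
    "2023-11-05T10:12:03Z | /bin/sh | python2 /tmp/stage.py 193.176.179.41",
    "2023-11-05T10:15:22Z | /usr/sbin/cron | /usr/bin/python3 /usr/lib/backup/rotate.py --keep 7",
    f'2023-11-05T10:20:40Z | /usr/sbin/sshd | bash -c "echo {ENC_NOTE} | base64 -d > /tmp/note.txt"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOGS):
        print(finding["timestamp"], "->", "; ".join(finding["reasons"]))
```

Only the first two records are flagged: the third is an ordinary scheduled Python job, and the fourth decodes Base64 without handing the result to an interpreter, contacting a reported host, or running under Confluence. Keeping the four rules independent means a decoded blob, a known host, or a Confluence-spawned shell each stands on its own as a signal, which matters once the actor rotates hosts and the IP rule stops firing.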
Mirroring the recommendations of the ACSC and Atlassian itself, Rapid7 said customers should update to a fixed version of the Confluence software “on an emergency basis” and should restrict access to the application until this has been done.
For a full technical breakdown, head to the Rapid7 website.