Atlassian warns of a critical, unpatched remote code execution vulnerability that impacts all supported versions of Confluence Server and Data Center. The flaw, tracked as CVE-2022-26134, is being actively exploited in attacks in the wild.
The company stated that more details about the vulnerability are being withheld until a fix is available.
Security firm Volexity reported the issue, and Atlassian announced that security fixes for supported versions of Confluence would be available within 24 hours.
Atlassian urges customers to restrict Confluence Server and Data Center instances from the internet, or to consider disabling them entirely, until the patch is available.
Volexity researchers discovered the issue as part of an investigation into an attack that took over the Memorial Day weekend.
The threat actors targeted two Internet-facing web servers running Atlassian Confluence Server software. Volexity determined that the attackers had launched an exploit to achieve remote code execution, triggering a zero-day vulnerability that affected fully up-to-date versions of Confluence Server.
According to the report published by Volexity, after successfully exploiting the Confluence Server systems, the attacker immediately deployed an in-memory copy of the BEHINDER implant. This is a popular web server implant whose source code is available on GitHub. BEHINDER provides attackers with powerful capabilities, including memory-only webshells and built-in support for interaction with Meterpreter and Cobalt Strike.
This method of deployment has significant advantages for the attacker because it writes no files to disk. It also offers no persistence, which means a reboot or service restart will wipe it out. Once BEHINDER was deployed, the attacker used the in-memory webshell to deploy two additional webshells to disk: CHINA CHOPPER and a custom file upload shell.
This is not the first time flaws in Atlassian Confluence have been exploited in the wild. In September 2021, crypto-mining campaigns actively exploited a critical remote code execution vulnerability in Atlassian Confluence deployments across Windows and Linux.