Atlassian Confluence Vulnerabilities Exploited By Ransomware

In a critical development, Rapid7 Managed Detection and Response (MDR) has identified and responded to a series of cyber-attacks exploiting vulnerabilities within Atlassian Confluence. The attackers are leveraging these vulnerabilities to deploy ransomware in multiple customer environments. This article aims to shed light on the observed attacker behavior, their post-exploitation activities, and crucial mitigation guidance for affected organizations.

Atlassian Vulnerabilities Exploited

The exploited vulnerabilities are identified as CVE-2023-22518, an improper authorization vulnerability, and CVE-2023-22515, a critical broken access control vulnerability. Atlassian officially addressed these issues in an advisory released on October 31, 2023. Notably, CVE-2023-22518 was updated by Atlassian on November 3, confirming exploitation reports from a customer.

Attacker Behavior

Commencing on November 5, 2023, Rapid7 MDR noticed a consistent pattern of exploitation across various customer environments. This suggests a potential large-scale exploitation of vulnerable Atlassian Confluence servers. Key aspects of the observed attacker behavior include:

1. HTTP Requests: The attackers sent POST requests, recorded in the HTTP access logs, targeting `/json/setup-restore.action?synchronous=true`. This activity was detected on both Windows and Linux systems.

2. Process Execution Chain: The attack exhibited a coherent execution chain across diverse environments. The attacker executed commands to retrieve system information, delete files, and initiate the payload for potential ransomware deployment.


3. Post-Exploitation Commands: Following initial exploitation, the attacker used Base64-encoded commands to launch subsequent commands via Python2 or Python3. The post-exploitation activities included downloading a malicious payload and, upon success, deploying Cerber ransomware on the compromised Confluence servers.

Mitigation Guidance for Atlassian Users

Vulnerable Versions:

All versions of Confluence Server and Confluence Data Center are susceptible to CVE-2023-22518. The vulnerability is remediated in the following fixed versions:

  • 7.19.16
  • 8.3.4
  • 8.4.4
  • 8.5.3
  • 8.6.1
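To turn the fixed-version list into a repeatable check across an estate of Confluence instances, the following added example (not Rapid7's or Atlassian's code) compares a reported version string against the fixed release on its own major.minor branch. One rule is an assumption not stated in the article and is labelled as such in the code: a release newer than the newest listed fixed version (for example a later 8.7.x) is treated as fixed, while a branch with no fixed release listed (for example 8.0 to 8.2) is treated as vulnerable, since the advisory offers no patched build there. The sample version strings are constructed.

```python
"""Check Confluence Server / Data Center version strings against the fixed
versions listed for CVE-2023-22518. Added example, not Rapid7's or Atlassian's
code."""
import re

# Fixed versions from the advisory, one per release branch (major.minor).
FIXED_VERSIONS = ["7.19.16", "8.3.4", "8.4.4", "8.5.3", "8.6.1"]


def parse_version(text):
    """Turn '8.5.3' (optionally with a suffix such as '-jira') into a tuple of ints."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_fixed(version):
    """Return True when `version` is at or above the fixed release on its branch.

    Assumption (not stated in the article): releases newer than the newest
    fixed version are treated as fixed; branches with no fixed release listed
    are treated as vulnerable because no patched build exists for them.
    """
    v = parse_version(version)
    fixed = [parse_version(f) for f in FIXED_VERSIONS]
    for f in fixed:
        if v[:2] == f[:2]:          # same major.minor branch as a fixed release
            return v >= f
    return v > max(fixed)           # assumption: newer than every fixed release


def triage(versions):
    """Split a list of version strings into 'vulnerable' and 'fixed' buckets."""
    result = {"vulnerable": [], "fixed": []}
    for ver in versions:
        result["fixed" if is_fixed(ver) else "vulnerable"].append(ver)
    return result


if __name__ == "__main__":
    # Constructed sample inventory, not taken from any real environment.
    sample = ["7.19.15", "7.19.16", "8.2.0", "8.5.2", "8.5.3", "8.6.1", "8.7.0"]
    for kind, members in triage(sample).items():
        print(kind, members)
```

Feed `triage()` the version strings gathered from each instance's admin page or API; anything in the `vulnerable` bucket is a patching priority, and while it waits for the update it should be covered by the access restrictions described below.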

Immediate Steps:

  • Emergency Patching: Organizations are strongly urged to promptly update Confluence to one of the fixed versions. Timely patching is crucial to addressing the vulnerabilities and preventing further exploitation.
  • Access Restriction: In cases where immediate patching is unfeasible, organizations should restrict external access to the Confluence application. This helps mitigate risks stemming from known attack vectors.
  • Atlassian Advisory: Adhere to Atlassian’s advisory for interim measures to mitigate risks in scenarios where emergency patching is challenging.
  • Indicators of Compromise (IoCs): Utilize provided IoCs, such as IP addresses, domains, and file hashes, to identify and remediate potential compromises within your environment.

Indicators of Compromise (IoCs)

IP Addresses:

  • 193.176.179[.]41
  • 193.43.72[.]11
  • 45.145.6[.]112

Domains:

  • j3qxmk6g5sk3zw62i2yhjnwmhm55rfz47fdyfkhaithlpelfjdokdxad[.]onion

File Hashes:

  • Bat file (/tmp/agttydcb.bat): MD5 – 81b760d4057c7c704f18c3f6b3e6b2c4
  • ELF ransomware binary (/tmp/qnetd): SHA256 – 4ed46b98d047f5ed26553c6f4fded7209933ca9632b998d265870e3557a5cdfe

Ransom note:

  • read-me3.txt
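The request pattern from the "Attacker Behavior" section and the IP addresses above can be hunted for together in web-server access logs. The following added example (not Rapid7's code) parses Combined Log Format lines, flags POST requests to `/json/setup-restore.action`, and flags any request from the listed IoC addresses. The log lines embedded in the script are constructed for illustration, not captured from a real incident; the field order and the log format are assumptions about how the reverse proxy in front of Confluence is configured.

```python
"""Hunt access logs for the CVE-2023-22518 exploitation pattern and the IoC
IP addresses from the advisory. Added example, not Rapid7's code."""
import re
from collections import Counter

# IoC IP addresses from the advisory (shown de-fanged with [.] in the text).
IOC_IPS = {"193.176.179.41", "193.43.72.11", "45.145.6.112"}

# Endpoint abused in the observed requests.
EXPLOIT_PATH = "/json/setup-restore.action"

# Combined Log Format (assumed): ip - user [time] "METHOD path HTTP/x" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log, not captured from a real system.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Nov/2023:10:01:12 +0000] "GET /wiki/spaces/DOCS HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
193.176.179.41 - - [05/Nov/2023:10:02:30 +0000] "POST /json/setup-restore.action?synchronous=true HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.23 - - [05/Nov/2023:10:03:45 +0000] "POST /json/setup-restore.action?synchronous=true HTTP/1.1" 302 0 "-" "curl/8.1"
45.145.6.112 - - [05/Nov/2023:10:04:02 +0000] "GET /login.action HTTP/1.1" 200 3210 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Nov/2023:10:05:00 +0000] "GET /json/setup-restore.action HTTP/1.1" 403 120 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan(log_text):
    """Return a list of findings, one per suspicious line, with the reasons."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if not rec:
            continue
        reasons = []
        path_only = rec["path"].split("?", 1)[0]   # drop ?synchronous=true etc.
        if rec["method"] == "POST" and path_only == EXPLOIT_PATH:
            reasons.append("POST to setup-restore.action")
        if rec["ip"] in IOC_IPS:
            reasons.append("source IP in IoC list")
        if reasons:
            findings.append({"line": lineno, "ip": rec["ip"], "time": rec["time"],
                             "status": rec["status"], "reasons": reasons})
    return findings


def summarize(findings):
    """Count suspicious requests per source IP for a quick triage view."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for hit in hits:
        print(f"line {hit['line']}: {hit['ip']} at {hit['time']} "
              f"({hit['status']}) -> {', '.join(hit['reasons'])}")
    print("per-IP counts:", dict(summarize(hits)))
```

Any POST to the setup-restore endpoint from an address that is not a known administrator warrants investigation regardless of the response code, and a hit on the IoC IP list should be correlated with process-creation telemetry on the Confluence host for the Python-based follow-on commands and the `/tmp` file paths listed above.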

Given the observed active exploitation, organizations are urged to prioritize immediate patching of Atlassian Confluence and adhere to the recommended mitigation steps. Rapid7 will continue monitoring the situation and provide updates as necessary.

For more news and updates on Cybersecurity, visit The Cybersecurity Club.
