Hackers are actively exploiting a new Atlassian Confluence zero-day vulnerability tracked as CVE-2022-26134 to install web shells, with no fix available at this time.
Today, Atlassian released a security advisory disclosing that CVE-2022-26134 is a critical unauthenticated, remote code execution vulnerability tracked in both Confluence Server and Data Center.
Atlassian says that they confirmed the vulnerability in Confluence Server 7.18.0 and believe that Confluence Server and Data Center 7.4.0 and higher are also vulnerable.
The advisory warns that threat actors are actively exploiting Confluence Server 7.18.0.
As there are no patches available, Atlassian is telling customers to make their servers inaccessible by one of these two methods:
- Restricting Confluence Server and Data Center instances from the internet.
- Disabling Confluence Server and Data Center instances.
There are no other ways to mitigate this vulnerability.
Organizations that use Atlassian Cloud (accessible via atlassian.net) are unaffected by this vulnerability.
Atlassian is actively working on a patch and will release further information in their advisory when it becomes available.
The Cybersecurity and Infrastructure Security Agency (CISA) has added this zero-day to its ‘Known Exploited Vulnerabilities Catalog‘ and is requiring federal agencies to block all internet traffic to Confluence servers by tomorrow, June 3rd.
Servers exploited for initial access
In a coordinated disclosure, cybersecurity firm Volexity explained that the vulnerability was discovered over the Memorial Day weekend while performing incident response.
After conducting the investigation, Volexity could reproduce the exploit against the latest Confluence Server version and disclosed it to Atlassian on May 31st.
“After a thorough review of the collected data, Volexity was able to determine the server compromise stemmed from an attacker launching an exploit to achieve remote code execution,” explains a blog post by Volexity.
“Volexity was subsequently able to recreate that exploit and identify a zero-day vulnerability impacting fully up-to-date versions of Confluence Server.”
In the breach analyzed by Volexity, threat actors installed BEHINDER, a JSP web shell that allows threat actors to execute commands on the compromised server remotely.
The threat actors then used BEHINDER to install the China Chopper web shell and a simple file upload tool as backups.
From Volexity’s investigation, the threat actors dumped the user tables of the Confluence server, wrote additional webshells, and altered access logs to evade detection.
Volexity says that they believe the multiple threat actors from China are utilizing these exploits.
As there are no patches available, Volexity also recommends that Confluence admins disconnect their servers from the Internet until Atlassian releases a fix.