Monday, December 23, 2024

Confluence servers hacked to deploy AvosLocker, Cerber2021 Ransomware

Ransomware gangs are now targeting a recently patched and actively exploited remote code execution (RCE) vulnerability affecting Atlassian Confluence Server and Data Center instances for initial access to corporate networks.

If successfully exploited, this OGNL injection vulnerability (CVE-2022-26134) enables unauthenticated attackers to take over unpatched servers remotely by creating new admin accounts and executing arbitrary code.

Soon after active exploitation was reported in the wild and Atlassian patched the bug, proof-of-concept exploits were also leaked online, lowering the skill level required for exploitation even further.

The severity of this security flaw and the already available exploits didn’t go unnoticed, with multiple botnets and threat actors actively exploiting it in the wild to deploy cryptomining malware.

Ransomware starts circling unpatched Confluence servers

As researchers at Swiss cyber threat intelligence firm Prodaft discovered, AvosLocker ransomware affiliates have already jumped on the wagon.

They are now targeting and hacking into Internet-exposed Confluence servers still left unpatched “to infect multiple victims on a mass scale systematically.”

This targeting is illustrated by a screenshot of AvosLocker’s command and control server where a ‘confluence’ campaign has been created by the threat actors, as shown below.

AvosLocker Confluence campaign (Prodaft)

“By performing mass scans on various networks, AvosLocker threat actors search for vulnerable machines used to run Atlassian Confluence systems,” Prodaft told BleepingComputer.

“AvosLocker has already managed to infect multiple organizations from different parts of the globe; including but not limited to the United States, Europe, and Australia.”

BleepingComputer has also been told by numerous victims that Cerber2021 ransomware (also known as CerberImposter) is actively targeting and encrypting Confluence instances unpatched against CVE-2022-26134.

Recommended:  phpKF CMS 3.00 Beta y6 - Remote Code Execution (RCE) (Unauthenticated)

ID-Ransomware creator Michael Gillespie told BleepingComputer that submissions identified as CerberImposter include encrypted Confluence configuration files—showing that Confluence instances are getting encrypted in the wild.

The release of CVE-2022-26134 POC exploits coincides with an increase in the number of successful Cerber ransomware attacks.

Microsoft also confirmed Friday night that they have seen Confluence servers exploited to install Cerber2021.

Cerber previously targeted Confluence servers worldwide in December 2021 using CVE-2021-26084 exploits that allow unauthenticated attackers to gain remote code execution on vulnerable systems.

Widely exploited in the wild

Since cybersecurity firm Volexity disclosed CVE-2022-26134 as an actively exploited zero-day bug last week, CISA has also ordered federal agencies to mitigate the flaw by blocking all internet traffic to Confluence servers on their networks.

Volexity also revealed that several China-linked threat actors are likely using exploits to target vulnerable servers to deploy web shells.

One day after information on this actively exploited bug was published, Atlassian released security updates and urged its customers to patch their installations to block ongoing attacks.

“We strongly recommend upgrading to a fixed version of Confluence as there are several other security fixes included in the fixed versions of Confluence,” Atlassian said.

If you can’t immediately upgrade your Confluence Server and Data Center instances, you can apply a temporary workaround that requires updating some JAR files on the Confluence server, as described here.

Suggest an edit to this article

Go to Cybersecurity Knowledge Base

Got to the Latest Cybersecurity News

Go to Cybersecurity Academy

Go to Homepage

Stay informed of the latest Cybersecurity trends, threats and developments. Sign up for our Weekly Cybersecurity Newsletter Today.

Remember, CyberSecurity Starts With You!

  • Globally, 30,000 websites are hacked daily.
  • 64% of companies worldwide have experienced at least one form of a cyber attack.
  • There were 20M breached records in March 2021.
  • In 2020, ransomware cases grew by 150%.
  • Email is responsible for around 94% of all malware.
  • Every 39 seconds, there is a new attack somewhere on the web.
  • An average of around 24,000 malicious mobile apps are blocked daily on the internet.
Bookmark
Please login to bookmarkClose
Recommended:  HotelDruid RCE (Remote Code Execution) V3.0.3
Share the word, let's increase Cybersecurity Awareness as we know it
- Sponsored -

Sponsored Offer

Unleash the Power of the Cloud: Grab $200 Credit for 60 Days on DigitalOcean!

Digital ocean free 200

Discover more infosec

Steven Black (n0tst3)
Hello! I'm Steve, an independent security researcher, and analyst from Scotland, UK. I've had an avid interest in Computers, Technology and Security since my early teens. 20 years on, and, it's a whole lot more complicated... I've assisted Governments, Individuals and Organizations throughout the world. Including; US DOJ, NHS UK, GOV UK. I'll often reblog infosec-related articles that I find interesting. On the RiSec website, You'll also find a variety of write-ups, tutorials and much more!

more infosec reads

Subscribe for weekly updates

explore

more

security