Ransomware gangs are exploiting a recently patched remote code execution (RCE) vulnerability in Atlassian Confluence Server and Data Center software to gain a foothold in enterprise networks through unpatched servers.
The bug (CVE-2022-26134) allows a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system via a specially crafted request to the Confluence Server. The issue affects all supported versions of Confluence Server and Data Center. Atlassian addressed the bug with the release of versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1.
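Because the fix shipped as a separate patch release on each supported line, "is my server patched?" is a per-branch comparison rather than a single version threshold. The following is an added example (not code from the article, Atlassian or any of the firms quoted) that takes the fixed versions listed above and triages a constructed inventory of Confluence hosts; the hostnames and version strings in SAMPLE_INVENTORY are made up, and the rule that release lines newer than 7.18 already contain the fix is an assumption noted in the code.

```python
from typing import List, Tuple

# Fixed releases for CVE-2022-26134 as stated in the article.
FIXED_VERSIONS = ["7.4.17", "7.13.7", "7.14.3", "7.15.2", "7.16.4", "7.17.4", "7.18.1"]


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse a Confluence 'major.minor.patch' string into a comparable tuple."""
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Confluence version string: {version!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def is_patched(version: str) -> Tuple[bool, str]:
    """Return (patched?, reason) for a Confluence Server/Data Center version.

    A version is patched only if its own release line has a fixed release and
    the version is at or above it. Lines with no fixed release (e.g. 7.12.x)
    are treated as vulnerable, matching the advisory's 'all supported
    versions are affected' statement.
    """
    major, minor, patch = parse_version(version)
    fixes = {parse_version(f)[:2]: parse_version(f)[2] for f in FIXED_VERSIONS}
    branch = (major, minor)

    if branch in fixes:
        needed = fixes[branch]
        fixed_release = f"{major}.{minor}.{needed}"
        if patch >= needed:
            return True, f"{version} is at or above fixed release {fixed_release}"
        return False, f"{version} is below fixed release {fixed_release}"

    newest_line = max(fixes)
    if branch > newest_line:
        # Assumption: lines newer than the newest fixed line (7.18) were released
        # after the fix and therefore contain it. Verify against the vendor advisory.
        return True, f"{version} is newer than line {newest_line[0]}.{newest_line[1]}; assumed to include the fix"

    return False, f"{version} is on a release line with no fixed release listed; treat as vulnerable"


# Constructed sample inventory (hostnames and versions are made up for this example).
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("wiki-01.example.internal", "7.13.6"),
    ("wiki-02.example.internal", "7.13.7"),
    ("wiki-03.example.internal", "7.18.0"),
    ("wiki-04.example.internal", "7.12.3"),
    ("wiki-05.example.internal", "7.19.0"),
]


def unpatched_hosts(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return the hostnames whose Confluence version is not patched for CVE-2022-26134."""
    return [host for host, version in inventory if not is_patched(version)[0]]


if __name__ == "__main__":
    for host, version in SAMPLE_INVENTORY:
        patched, reason = is_patched(version)
        print(f"{'PATCHED   ' if patched else 'VULNERABLE'} {host:28} {reason}")
```

Feed `unpatched_hosts` the version strings your asset inventory already records for each Confluence instance; any host it returns should be prioritised for patching and, given the in-the-wild exploitation described below, checked for signs of prior compromise rather than simply upgraded.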
The vulnerability was first reported by researchers at the cybersecurity company Volexity who discovered that the flaw was exploited in attacks conducted by China-linked threat actors.
Shortly after the vulnerability was publicly disclosed, proof-of-concept (PoC) code for the flaw was published online, leading to a surge in the exploitation attempts, including multiple botnets and cryptominers.
It appears that ransomware operators have also added exploits for CVE-2022-26134 to their attack arsenal. According to the Swiss cyber threat intelligence firm Prodaft, the AvosLocker ransomware gang has begun to target vulnerable internet-exposed Atlassian Confluence servers “to infect multiple victims on a mass scale systematically.”
Prodaft told BleepingComputer that the threat actor has already infected multiple organizations across the globe, including (but not limited to) the United States, Europe, and Australia.
A ransomware group known as Cerber2021 (CerberImposter) has also been observed actively targeting unpatched Confluence servers.
On Saturday, Microsoft warned that multiple adversaries and nation-state actors are taking advantage of the Atlassian Confluence RCE vulnerability.
“In many cases impacted devices have been observed with multiple disparate instances of malicious activity, including extensive device and domain discovery, and the deployment of payloads like Cobalt Strike, web shells, botnets like Mirai and Kinsing, coin miners, and ransomware,” the tech giant said.