A critical vulnerability in Atlassian’s Confluence Server software is now under active attack.
Disclosed last week by Atlassian, CVE-2021-26084 is a remote code execution bug that is considered a critical security risk by the vendor. The flaw, which was rated a 9.8 on the CVSS scale, is due to an injection bug in the open source Object-Graph Navigation Language (OGNL) discovered and reported by security researcher Benny Jacob through Atlassian’s bug bounty program.
Troy Mursch, chief research officer with threat intelligence vendor Bad Packets, confirmed to SearchSecurity that CVE-2021-26084 was now being targeted in the wild.
“I can confirm Bad Packets honeypots have detected mass scanning and exploit activity targeting the Atlassian Confluence RCE vulnerability CVE-2021-26084 from hosts in Russia, Hong Kong, Brazil, Poland and Romania,” Mursch said. “Multiple proof-of-concepts have been published publicly demonstrating how to exploit this vulnerability.”
Administrators are being urged to update any on-premises versions of Atlassian’s Confluence Server collaboration software as hackers have now descended on the critical security flaw. Cloud-hosted versions of Confluence Server are not vulnerable to attack, Atlassian said.
According to Atlassian, the bug normally requires the attacker to be logged into the network to exploit, but under some circumstances, servers can be remotely exploited without any authentication.
I can confirm Bad Packets honeypots have detected mass scanning and exploit activity targeting the Atlassian Confluence RCE vulnerability CVE-2021-26084 from hosts in Russia, Hong Kong, Brazil, Poland and Romania. Troy MurschChief research officer, Bad Packets
In a demonstration of the flaw, researcher Harsh Jaiswal showed how the bug could be exploited to gain remote code execution.
“From our understanding & debugging we came to this conclusion: Attributes of #tag components within Velocity template are evaluated as OGNL Expressions to convert the template into HTML,” Jaiswal wrote.
For administrators, this means that getting the flaw patched as soon as possible is imperative. In some cases, Mursch said, it may already be too late. While Bad Packets doesn’t have an estimate on the number of vulnerable servers in the wild, the sheer volume of activity against the flaw should make the update a priority.
“Organizations using the on-premises version of Confluence need to immediately apply the update provided by Atlassian and check their servers for any indicators of compromise,” said Mursch.
“Given the level of scanning of exploit activity we’ve detected so far today, any unpatched servers are at immediate risk of compromise.”
The flaw, disclosed Monday by Citizen Lab, allowed a hacker using NSO’s malware Pegasus to gain access to a device owned by a Saudi activist, according to security researchers. By Kartikay Mehrotra and Davide Scigliuzzo and William TurtonBloomberg Apple Inc. said it patched a security flaw in the Messages app after security researchers determined that Israel-based NSO Group…
NEW YORK: China’s cybersecurity watchdog suggested Didi Global Inc delay its initial public offering and urged it to review its network security, weeks before the Chinese ride-hailing giant went public, the Wall Street Journal reported on Monday, citing people familiar with the matter. It isn’t known whether Didi carried out its own review, according to…
A threat actor is promoting a new criminal carding marketplace by releasing one million credit cards stolen between 2018 and 2019 on hacking forums. Carding is the trafficking and use of stolen credit cards. These credit cards are stolen through point-of-sale malware, magecart attacks on websites, and information stealing trojans. These stolen credit cards are then sold on…
A cyber security partnership, with 10 founding organisations, has launched to tackle an increase in cyber security attacks. Funded by the Scottish Government, CyberScotland will help both individuals and organisations to protect themselves against online threats. The partnership’s first move was launching CyberScotland.com on Monday, which offers resources to the public, private, and third sectors,…
Exchange Server Post-Compromise Attack Activity Shared by Microsoft | IT Security News 29. March 2021 In the context of ongoing Exchange Server attacks, Microsoft has shared information detailing post-compromise activity which has infected vulnerable targets with ransomware and a botnet. When Microsoft released a fix for Exchange Server zero-days on March 2nd, organizations around the…
Critical VMware vCenter Server Flaw Can Expose Organizations to Remote Attacks | IT Security News 24. February 2021 VMware on Tuesday informed customers that its vCenter Server product is affected by a critical vulnerability that can be exploited by an attacker to execute commands with elevated privileges. read more Like this: Like Loading… Related Tags:…
