A critical vulnerability in Atlassian’s Confluence Server software is now under active attack.
Disclosed last week by Atlassian, CVE-2021-26084 is a remote code execution bug that is considered a critical security risk by the vendor. The flaw, which was rated a 9.8 on the CVSS scale, is due to an injection bug in the open source Object-Graph Navigation Language (OGNL) discovered and reported by security researcher Benny Jacob through Atlassian’s bug bounty program.
Troy Mursch, chief research officer with threat intelligence vendor Bad Packets, confirmed to SearchSecurity that CVE-2021-26084 was now being targeted in the wild.
“I can confirm Bad Packets honeypots have detected mass scanning and exploit activity targeting the Atlassian Confluence RCE vulnerability CVE-2021-26084 from hosts in Russia, Hong Kong, Brazil, Poland and Romania,” Mursch said. “Multiple proof-of-concepts have been published publicly demonstrating how to exploit this vulnerability.”
Administrators are being urged to update any on-premises versions of Atlassian’s Confluence Server collaboration software as hackers have now descended on the critical security flaw. Cloud-hosted versions of Confluence Server are not vulnerable to attack, Atlassian said.
According to Atlassian, the bug normally requires the attacker to be logged into the network to exploit, but under some circumstances, servers can be remotely exploited without any authentication.
In a demonstration of the flaw, researcher Harsh Jaiswal showed how the bug could be exploited to gain remote code execution.
“From our understanding & debugging we came to this conclusion: Attributes of #tag components within Velocity template are evaluated as OGNL Expressions to convert the template into HTML,” Jaiswal wrote.
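The double-evaluation pattern Jaiswal describes, where template text that already contains request-supplied values is evaluated a second time as an expression, is easier to reason about in a toy model. The Python below is an added illustration written for this article; it is not Jaiswal's code, not Confluence code, and not the real Velocity or OGNL engines. The `#tag(value=...)` syntax, the `$name` substitution, the render context and the `constructed-secret-value` placeholder are all constructed here. `render_vulnerable` pastes request parameters into the template and then evaluates the attribute, so request text is parsed as an expression; `render_hardened` evaluates only the template author's text and substitutes request values into the result as opaque strings.

```python
import re

# Constructed render context: the objects a template is allowed to navigate.
# The "secret" is a constructed placeholder standing in for any server-side
# value a template should never expose to a request.
CONTEXT = {
    "page": {"title": "Home"},
    "server": {"config": {"secret": "constructed-secret-value"}},
}

VAR_RE = re.compile(r"\$(\w+)")                  # $name references (Velocity-like, toy)
ATTR_RE = re.compile(r"#tag\(value=(.*?)\)")     # the single attribute our toy #tag accepts


def lookup(path, ctx):
    """Resolve a dotted navigation path such as page.title against ctx."""
    cur = ctx
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            raise KeyError(path)
        cur = cur[part]
    return cur


def split_terms(expr):
    """Split an expression on '+' outside single quotes (toy concatenation)."""
    terms, cur, in_quote = [], [], False
    for ch in expr:
        if ch == "'":
            in_quote = not in_quote
            cur.append(ch)
        elif ch == "+" and not in_quote:
            terms.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    terms.append("".join(cur))
    return [t.strip() for t in terms]


def evaluate(expr, ctx):
    """Toy expression language: 'quoted' literals and dotted paths, joined by '+'."""
    parts = []
    for term in split_terms(expr):
        if len(term) >= 2 and term[0] == term[-1] == "'":
            parts.append(term[1:-1])
        elif re.fullmatch(r"\w+(\.\w+)*", term):
            parts.append(str(lookup(term, ctx)))
        else:
            raise ValueError(f"unsupported expression: {term!r}")
    return "".join(parts)


def render_vulnerable(template, request_params):
    """Double evaluation: $params are pasted into the template text first, and the
    resulting attribute text is then evaluated as an expression. Anything the
    request put there is parsed as code rather than treated as data."""
    substituted = VAR_RE.sub(lambda m: request_params.get(m.group(1), ""), template)
    attr = ATTR_RE.search(substituted).group(1)
    return evaluate(attr, CONTEXT)


def render_hardened(template, request_params):
    """Single evaluation: only the author's attribute text reaches the evaluator;
    $params are substituted into the result as opaque strings and never re-parsed."""
    attr = ATTR_RE.search(template).group(1)
    value = evaluate(attr, CONTEXT)
    return VAR_RE.sub(lambda m: request_params.get(m.group(1), ""), value)


if __name__ == "__main__":
    template = "#tag(value='$query')"
    benign = {"query": "hello"}
    breakout = {"query": "' + server.config.secret + '"}   # constructed quote-breakout input
    print("vulnerable, benign  :", render_vulnerable(template, benign))
    print("vulnerable, breakout:", render_vulnerable(template, breakout))  # context value leaks
    print("hardened,   breakout:", render_hardened(template, breakout))    # input echoed as data
```

The defensive point is the order of operations: evaluate the author-written expression, then bind request values as data. Once request text has been spliced into the string that the expression evaluator parses, no amount of filtering on the template side reliably recovers the distinction between code and data.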
For administrators, this means that getting the flaw patched as soon as possible is imperative. In some cases, Mursch said, it may already be too late. While Bad Packets doesn’t have an estimate on the number of vulnerable servers in the wild, the sheer volume of activity against the flaw should make the update a priority.
“Organizations using the on-premises version of Confluence need to immediately apply the update provided by Atlassian and check their servers for any indicators of compromise,” said Mursch.
“Given the level of scanning of exploit activity we’ve detected so far today, any unpatched servers are at immediate risk of compromise.”