A critical vulnerability in Atlassian’s Confluence Server software is now under active attack.
Disclosed last week by Atlassian, CVE-2021-26084 is a remote code execution bug that is considered a critical security risk by the vendor. The flaw, which was rated a 9.8 on the CVSS scale, is due to an injection bug in the open source Object-Graph Navigation Language (OGNL) discovered and reported by security researcher Benny Jacob through Atlassian’s bug bounty program.
Troy Mursch, chief research officer with threat intelligence vendor Bad Packets, confirmed to SearchSecurity that CVE-2021-26084 was now being targeted in the wild.
“I can confirm Bad Packets honeypots have detected mass scanning and exploit activity targeting the Atlassian Confluence RCE vulnerability CVE-2021-26084 from hosts in Russia, Hong Kong, Brazil, Poland and Romania,” Mursch said. “Multiple proof-of-concepts have been published publicly demonstrating how to exploit this vulnerability.”
Administrators are being urged to update any on-premises versions of Atlassian’s Confluence Server collaboration software as hackers have now descended on the critical security flaw. Cloud-hosted versions of Confluence Server are not vulnerable to attack, Atlassian said.
According to Atlassian, the bug normally requires the attacker to be logged into the network to exploit, but under some circumstances, servers can be remotely exploited without any authentication.
I can confirm Bad Packets honeypots have detected mass scanning and exploit activity targeting the Atlassian Confluence RCE vulnerability CVE-2021-26084 from hosts in Russia, Hong Kong, Brazil, Poland and Romania. Troy MurschChief research officer, Bad Packets
In a demonstration of the flaw, researcher Harsh Jaiswal showed how the bug could be exploited to gain remote code execution.
“From our understanding & debugging we came to this conclusion: Attributes of #tag components within Velocity template are evaluated as OGNL Expressions to convert the template into HTML,” Jaiswal wrote.
For administrators, this means that getting the flaw patched as soon as possible is imperative. In some cases, Mursch said, it may already be too late. While Bad Packets doesn’t have an estimate on the number of vulnerable servers in the wild, the sheer volume of activity against the flaw should make the update a priority.
“Organizations using the on-premises version of Confluence need to immediately apply the update provided by Atlassian and check their servers for any indicators of compromise,” said Mursch.
“Given the level of scanning of exploit activity we’ve detected so far today, any unpatched servers are at immediate risk of compromise.”
A new criminal carding marketplace promoted itself by leaking data for one million credit cards that have been stolen between 2018 and 2019. Carding can be defined as the trafficking and use of stolen credit cards. Credit cards usually get stolen through point-of-sale malware, magecart attacks on websites, and by using information-stealing trojans. The credit cards are sold…
Black Kingdom Ransomware Hunting Unpatched Microsoft Exchange Servers | IT Security News 25. March 2021 More than a week after Microsoft released a one-click mitigation tool to mitigate cyberattacks targeting on-premises Exchange servers, the company disclosed that patches have been applied to 92% of all internet-facing servers affected by the ProxyLogon vulnerabilities.The development, a 43% improvement from the previous…
Ubuntu Security Notice 5001-1 – Norbert Slusarek discovered a race condition in the CAN BCM networking protocol of the Linux kernel leading to multiple use-after-free vulnerabilities. A local attacker could use this issue to execute arbitrary code. Mathy Vanhoef discovered that the Linux kernel’s WiFi implementation did not properly clear received fragments from memory in…
On the Friday heading into Memorial Day weekend this year, it was meat processing giant JBS. On the Friday before the Fourth of July, it was IT management software company Kaseya and, by extension, over a thousand businesses of varying size. It remains to be seen whether Labor Day will see a high-profile ransomware meltdown…
The National College of Ireland (NCI) and the Technological University of Dublin have announced that ransomware attacks hit their IT systems. NCI is currently working on restoring IT services after being hit by a ransomware attack over the weekend that forced the college to take IT systems offline. “NCI is currently experiencing a significant disruption…
Stanford University’s Internet Observatory reported the incident first, but the programme’s chief technology officer David Thiel stressed that the data spill was not malicious or a “hack”. Instead, he said it was more that a user had decided to violate Clubhouse’s terms of service.