A critical vulnerability in Atlassian’s Confluence Server software is now under active attack.
Disclosed last week by Atlassian, CVE-2021-26084 is a remote code execution bug that is considered a critical security risk by the vendor. The flaw, which was rated a 9.8 on the CVSS scale, is due to an injection bug in the open source Object-Graph Navigation Language (OGNL) discovered and reported by security researcher Benny Jacob through Atlassian’s bug bounty program.
Troy Mursch, chief research officer with threat intelligence vendor Bad Packets, confirmed to SearchSecurity that CVE-2021-26084 was now being targeted in the wild.
“I can confirm Bad Packets honeypots have detected mass scanning and exploit activity targeting the Atlassian Confluence RCE vulnerability CVE-2021-26084 from hosts in Russia, Hong Kong, Brazil, Poland and Romania,” Mursch said. “Multiple proof-of-concepts have been published publicly demonstrating how to exploit this vulnerability.”
Administrators are being urged to update any on-premises versions of Atlassian’s Confluence Server collaboration software as hackers have now descended on the critical security flaw. Cloud-hosted versions of Confluence Server are not vulnerable to attack, Atlassian said.
According to Atlassian, the bug normally requires the attacker to be logged into the network to exploit, but under some circumstances, servers can be remotely exploited without any authentication.
I can confirm Bad Packets honeypots have detected mass scanning and exploit activity targeting the Atlassian Confluence RCE vulnerability CVE-2021-26084 from hosts in Russia, Hong Kong, Brazil, Poland and Romania. Troy MurschChief research officer, Bad Packets
In a demonstration of the flaw, researcher Harsh Jaiswal showed how the bug could be exploited to gain remote code execution.
“From our understanding & debugging we came to this conclusion: Attributes of #tag components within Velocity template are evaluated as OGNL Expressions to convert the template into HTML,” Jaiswal wrote.
For administrators, this means that getting the flaw patched as soon as possible is imperative. In some cases, Mursch said, it may already be too late. While Bad Packets doesn’t have an estimate on the number of vulnerable servers in the wild, the sheer volume of activity against the flaw should make the update a priority.
“Organizations using the on-premises version of Confluence need to immediately apply the update provided by Atlassian and check their servers for any indicators of compromise,” said Mursch.
“Given the level of scanning of exploit activity we’ve detected so far today, any unpatched servers are at immediate risk of compromise.”
A Toshiba Corp (6502.T) unit said it was hacked by the DarkSide ransomware group, overshadowing an announcement of a strategic review for the Japanese conglomerate under pressure from activist shareholders to seek out suitors. Toshiba Tec Corp (6588.T), which makes products such as bar code printers and is valued at $2.3 billion, was hacked by…
Critical Infrastructure Security , Cybercrime , Cybercrime as-a-service Company Says It Will Take Several Days to Restore Supply Chain Scott Ferguson (Ferguson_Writes) • May 12, 2021 Photo: Pete D via Flickr/CC Colonial Pipeline Co. announced Wednesday that it had restarted its operations following a ransomware attack last Friday that forced the company to…
At the beginning of the week, Accellion File Transfer Appliance (FTA) was subject to a security breach and extortion campaign orchestrated by the FIN11 group. Following the attacks, Accellion issued an official statement announcing that they have patched four FTA vulnerabilities that were known to be exploited by the threat actors, and incorporated new monitoring…
Multiple suspects believed to be linked to the Clop ransomware gang have been detained in Ukraine after a joint operation from law enforcement agencies in Ukraine, South Korea and the United States. The Cyber Police Department of the National Police of Ukraine confirmed that six arrests were made after searches at 21 residences in the…
Qualys, which provides a cloud-based platform for protecting IT and OT workloads, has become the latest firm to be victimized by vulnerabilities in the Accellion FTA file transfer application. Company CISO Ben Carr said Wednesday it had deployed an Accellion FTA server in a segregated DMZ environment, completely separate from systems that host and support…
SolarWinds software firm says that unknown hackers exploited a previously unknown flaw in two of its programmes to go after “a limited, targeted set of customers.” The statement, issued over the weekend, did not identify the hackers involved. In a question-and-answer page appended to the statement, SolarWinds said the flaw was “completely unrelated” to last…