A critical vulnerability in Atlassian’s Confluence Server software is now under active attack.
Disclosed last week by Atlassian, CVE-2021-26084 is a remote code execution bug that the vendor rates as critical. The flaw, which carries a CVSS score of 9.8, is an injection vulnerability in the way Confluence evaluates Object-Graph Navigation Language (OGNL) expressions, an open source Java expression language used by the web framework underlying Confluence. It was discovered and reported by security researcher Benny Jacob through Atlassian's bug bounty program.
Troy Mursch, chief research officer with threat intelligence vendor Bad Packets, confirmed to SearchSecurity that CVE-2021-26084 was now being targeted in the wild.
“I can confirm Bad Packets honeypots have detected mass scanning and exploit activity targeting the Atlassian Confluence RCE vulnerability CVE-2021-26084 from hosts in Russia, Hong Kong, Brazil, Poland and Romania,” Mursch said. “Multiple proof-of-concepts have been published publicly demonstrating how to exploit this vulnerability.”
Administrators are being urged to update any on-premises installations of Atlassian's Confluence Server collaboration software, as attackers have now descended on the critical security flaw. Atlassian said the bug affects self-managed Confluence Server and Data Center installations; Confluence Cloud, which Atlassian hosts, is not affected.
According to Atlassian, exploiting the bug normally requires an authenticated Confluence user, but under some circumstances it can be exploited remotely without any authentication.
In a demonstration of the flaw, researcher Harsh Jaiswal showed how the bug could be exploited to gain remote code execution.
“From our understanding and debugging we came to this conclusion: attributes of #tag components within a Velocity template are evaluated as OGNL expressions to convert the template into HTML,” Jaiswal wrote.
For administrators, this means that getting the flaw patched as soon as possible is imperative. In some cases, Mursch said, it may already be too late. While Bad Packets doesn’t have an estimate on the number of vulnerable servers in the wild, the sheer volume of activity against the flaw should make the update a priority.
“Organizations using the on-premises version of Confluence need to immediately apply the update provided by Atlassian and check their servers for any indicators of compromise,” said Mursch.
“Given the level of scanning and exploit activity we’ve detected so far today, any unpatched servers are at immediate risk of compromise.”
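Checking for indicators of compromise, as Mursch recommends, usually starts with the web-server or reverse-proxy access logs in front of Confluence. The script below is an added example for this article, not code from Atlassian, Bad Packets or any of the researchers quoted; it parses Apache-style combined log lines and flags requests to Confluence `.action` endpoints whose (possibly double-URL-encoded) request target contains OGNL expression syntax. The marker list, the `.action` filter and the sample log lines are assumptions of this example, constructed to illustrate the technique, not a vetted detection signature or a description of the published proof-of-concept.

```python
"""Triage web-server access logs for OGNL-style expression injection attempts
against an on-premises Confluence instance (illustrative example; the sample
log lines below are constructed, not captured traffic)."""
import re
from urllib.parse import unquote

# Syntax that has no business appearing in a Confluence request but is typical
# of OGNL expression injection. This list is an assumption of the example.
OGNL_MARKERS = (
    "${", "%{", "#{",     # expression delimiters
    "@java.lang.",        # OGNL static call syntax, e.g. @java.lang.Runtime@getRuntime()
    "Class.forName",
    "getRuntime()",
    "#_memberAccess",     # sandbox-bypass idiom common in OGNL payloads
    "\\u0027",            # Java unicode escape for a quote, used to break out of a string literal
)

# Apache/nginx combined log format: ip ident user [ts] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def ognl_indicators(request_target):
    """Return the OGNL markers found in a request target after URL-decoding it
    twice (attackers commonly double-encode to slip past naive filters)."""
    decoded = unquote(unquote(request_target))
    return [m for m in OGNL_MARKERS if m in decoded]


def suspicious_requests(log_lines):
    """Return (client ip, path without query, matched markers) for requests to
    Confluence .action endpoints (its WebWork/Struts action URLs) that carry
    OGNL syntax. Unparseable lines are skipped; in production, count them."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group("path")
        path = target.split("?", 1)[0]
        if ".action" not in path:
            continue
        markers = ognl_indicators(target)
        if markers:
            hits.append((m.group("ip"), path, markers))
    return hits


# Constructed sample: one benign page view, one single-encoded OGNL probe,
# one double-encoded probe, one non-.action request, one malformed line.
SAMPLE_LOG = [
    '203.0.113.10 - - [31/Aug/2021:14:02:11 +0000] "GET /pages/viewpage.action?pageId=65541 HTTP/1.1" 200 8123',
    '203.0.113.20 - - [31/Aug/2021:14:02:15 +0000] "GET /pages/editpage.action?pageId=1&title=%24%7B%40java.lang.Runtime%40getRuntime%28%29%7D HTTP/1.1" 200 512',
    '198.51.100.7 - - [31/Aug/2021:14:03:02 +0000] "POST /pages/editpage.action?title=%2524%257Bfoo%257D HTTP/1.1" 302 0',
    '192.0.2.33 - - [31/Aug/2021:14:04:40 +0000] "GET /rest/api/content?title=%24%7Bnot-ognl%7D HTTP/1.1" 200 77',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ip, path, markers in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} -> {path}: {', '.join(markers)}")
```

A hit here is a reason to pull the full request body, the Confluence application logs and any new processes or outbound connections from that host, not proof of compromise on its own; a benign template string can trip the `${` marker, which is why the output includes the matched markers rather than a bare verdict.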