A critical vulnerability in Atlassian’s Confluence Server software is now under active attack.
Disclosed last week by Atlassian, CVE-2021-26084 is a remote code execution bug that is considered a critical security risk by the vendor. The flaw, which was rated a 9.8 on the CVSS scale, is due to an injection bug in the open source Object-Graph Navigation Language (OGNL) discovered and reported by security researcher Benny Jacob through Atlassian’s bug bounty program.
Troy Mursch, chief research officer with threat intelligence vendor Bad Packets, confirmed to SearchSecurity that CVE-2021-26084 was now being targeted in the wild.
“I can confirm Bad Packets honeypots have detected mass scanning and exploit activity targeting the Atlassian Confluence RCE vulnerability CVE-2021-26084 from hosts in Russia, Hong Kong, Brazil, Poland and Romania,” Mursch said. “Multiple proof-of-concepts have been published publicly demonstrating how to exploit this vulnerability.”
Administrators are being urged to update any on-premises versions of Atlassian’s Confluence Server collaboration software as hackers have now descended on the critical security flaw. Cloud-hosted versions of Confluence Server are not vulnerable to attack, Atlassian said.
According to Atlassian, the bug normally requires the attacker to be logged into the network to exploit, but under some circumstances, servers can be remotely exploited without any authentication.
In a demonstration of the flaw, researcher Harsh Jaiswal showed how the bug could be exploited to gain remote code execution.
“From our understanding & debugging we came to this conclusion: Attributes of #tag components within Velocity template are evaluated as OGNL Expressions to convert the template into HTML,” Jaiswal wrote.
For administrators, this means that getting the flaw patched as soon as possible is imperative. In some cases, Mursch said, it may already be too late. While Bad Packets doesn’t have an estimate on the number of vulnerable servers in the wild, the sheer volume of activity against the flaw should make the update a priority.
“Organizations using the on-premises version of Confluence need to immediately apply the update provided by Atlassian and check their servers for any indicators of compromise,” said Mursch.
“Given the level of scanning of exploit activity we’ve detected so far today, any unpatched servers are at immediate risk of compromise.”
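Mursch's advice above is to apply the update and then check servers for indicators of compromise. The following is an added example, not code from the article, from Atlassian or from Bad Packets: a small Python scanner that reads web-server access logs in combined format and flags requests whose query string, after URL decoding, carries OGNL expression delimiters (`${` or `#{`), then tallies hits per source address so that mass-scanning sources stand out. The log lines, the IP addresses and the `/pages/example.action` path are constructed for the demonstration and are not indicators published for CVE-2021-26084; the marker list is a generic heuristic for expression-language injection attempts, not a vendor signature, and a match is a reason to investigate, not proof of compromise.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access-log lines (Apache/Tomcat combined format).
# Addresses are documentation ranges; the endpoint name is hypothetical.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Sep/2021:10:15:02 +0000] "GET /login.action HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Sep/2021:10:15:03 +0000] "POST /pages/example.action?queryString=%24%7B HTTP/1.1" 302 0 "-" "python-requests/2.25"
198.51.100.9 - - [01/Sep/2021:10:15:04 +0000] "GET /dashboard.action HTTP/1.1" 200 8811 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Sep/2021:10:15:05 +0000] "POST /pages/example.action?queryString=%23%7B HTTP/1.1" 302 0 "-" "python-requests/2.25"
"""

# Combined-format request line: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# OGNL expression delimiters. A decoded query string containing these
# is unusual for normal Confluence traffic and worth a closer look.
OGNL_MARKERS = ("${", "#{")


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_suspicious(path):
    """True if the query string, decoded twice to catch %25-encoded payloads, holds an OGNL delimiter."""
    decoded = unquote(unquote(path))
    query = decoded.partition("?")[2]
    return any(marker in query for marker in OGNL_MARKERS)


def scan(log_text):
    """Return the parsed records of all suspicious requests in the log text."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_suspicious(rec["path"]):
            hits.append(rec)
    return hits


def sources(hits):
    """Count suspicious requests per client address; repeated hits suggest scanning."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for rec in found:
        print(f'{rec["ts"]} {rec["ip"]} {rec["method"]} {rec["path"]} -> {rec["status"]}')
    print("hits per source:", dict(sources(found)))
```

Run it against a real log with `scan(open(path).read())`; because the scan works on the request line only, it will miss payloads carried in a POST body, so it complements rather than replaces the vendor's guidance on what to look for.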