A critical vulnerability in Atlassian’s Confluence Server software is now under active attack.
Disclosed last week by Atlassian, CVE-2021-26084 is a remote code execution bug that the vendor considers a critical security risk. The flaw, which was rated a 9.8 on the CVSS scale, is an injection bug involving the open source Object-Graph Navigation Language (OGNL) expression language; it was discovered and reported by security researcher Benny Jacob through Atlassian’s bug bounty program.
Troy Mursch, chief research officer with threat intelligence vendor Bad Packets, confirmed to SearchSecurity that CVE-2021-26084 was now being targeted in the wild.
“I can confirm Bad Packets honeypots have detected mass scanning and exploit activity targeting the Atlassian Confluence RCE vulnerability CVE-2021-26084 from hosts in Russia, Hong Kong, Brazil, Poland and Romania,” Mursch said. “Multiple proof-of-concepts have been published publicly demonstrating how to exploit this vulnerability.”
Administrators are being urged to update any on-premises versions of Atlassian’s Confluence Server collaboration software as hackers have now descended on the critical security flaw. Cloud-hosted versions of Confluence Server are not vulnerable to attack, Atlassian said.
According to Atlassian, the bug normally requires the attacker to be logged into the network to exploit, but under some circumstances, servers can be remotely exploited without any authentication.
In a demonstration of the flaw, researcher Harsh Jaiswal showed how the bug could be exploited to gain remote code execution.
“From our understanding & debugging we came to this conclusion: Attributes of #tag components within Velocity template are evaluated as OGNL Expressions to convert the template into HTML,” Jaiswal wrote.
For administrators, this means that getting the flaw patched as soon as possible is imperative. In some cases, Mursch said, it may already be too late. While Bad Packets doesn’t have an estimate on the number of vulnerable servers in the wild, the sheer volume of activity against the flaw should make the update a priority.
“Organizations using the on-premises version of Confluence need to immediately apply the update provided by Atlassian and check their servers for any indicators of compromise,” said Mursch.
“Given the level of scanning of exploit activity we’ve detected so far today, any unpatched servers are at immediate risk of compromise.”