Around this time last week, threat actors quietly began exploiting a previously unknown vulnerability in Atlassian software that gave them almost full control over a small number of servers. Since Thursday, active exploitation of the vulnerability has grown, creating a semi-organized frenzy among competing crime groups.
“It’s clear that several threat groups and individual actors have exploited and used it in different ways,” said Steven Adair, president of Volexity, the security firm that discovered the zero-day vulnerability while responding to a customer breach over Memorial Day weekend. “Some are pretty sloppy and others are a little more insidious.” His tweet came the day after his company published its report describing the vulnerability.
It is clear that several threat groups and individual actors have the exploitation and have used it in different ways. Some are quite sloppy and others are a little more insidious. Loading class files into memory and writing JSP shells is the most popular we’ve seen so far.
– Steven Adair (@stevenadair) June 3, 2022
Adair also said that the industry verticals affected “are quite widespread. This is a free-for-all where exploitation seems coordinated.”
CVE-2022-26134, as the vulnerability is tracked, allows unauthenticated remote code execution on servers running all supported versions of Confluence Server and Confluence Data Center. In its advisory, Volexity called the vulnerability “dangerous and trivially exploited.” The vulnerability is also likely present in unsupported and long-term support versions, security firm Rapid7 said.
Volexity researchers wrote:
When Volexity first analyzed the exploitation, it noted that it was similar to previous vulnerabilities that have also been exploited to achieve remote code execution. These types of vulnerabilities are dangerous, as attackers can execute commands and gain full control of a vulnerable system without credentials as long as web requests can be sent to the Confluence Server system. It should also be noted that CVE-2022-26134 appears to be another command injection vulnerability. This type of vulnerability is serious and requires significant attention.
Threat actors are exploiting the vulnerability to install the Chopper webshell and probably other types of malware. We hope vulnerable organizations have already patched or otherwise mitigated the flaw; if not, we wish them good luck this weekend. Atlassian’s advisory is here.
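Added example, not code from the article, from Volexity or from Atlassian: a small Python triage script of the kind a defender would run over Confluence access logs after this disclosure. It flags request URIs carrying an OGNL expression marker (`${`, including its URL-encoded form `%24%7B`), the indicator public advisories for CVE-2022-26134 point defenders at, and requests to `.jsp` resources outside a known-good set, which is how a dropped JSP webshell gets invoked. The log lines and the allowlist are constructed, and the log format is assumed to be Tomcat's common format.

```python
import re
from urllib.parse import unquote

# Tomcat-style common log format (assumed); the sample lines below are constructed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3})'
)

# Hypothetical allowlist of JSP paths this deployment legitimately serves.
KNOWN_JSP = {"/login.jsp", "/dashboard.jsp"}


def decode(uri: str) -> str:
    """Decode twice so a double-encoded marker (%2524%257B) is still caught."""
    return unquote(unquote(uri))


def classify(line: str):
    """Return the list of finding tags for one access-log line (empty if benign)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsed"]
    uri = decode(m.group("uri"))
    path = uri.split("?", 1)[0]
    findings = []
    # An OGNL expression marker in the request line is the CVE-2022-26134 indicator.
    if "${" in uri:
        findings.append("ognl_marker")
    # A JSP that is not part of the product is how a written webshell gets reached.
    if path.lower().endswith(".jsp") and path not in KNOWN_JSP:
        findings.append("unknown_jsp")
    return findings


# Constructed sample log: one benign login, one encoded OGNL probe, one unknown JSP, one normal page view.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Jun/2022:10:01:12 +0000] "GET /login.jsp HTTP/1.1" 200
203.0.113.9 - - [02/Jun/2022:10:02:33 +0000] "GET /%24%7Bexample%7D/ HTTP/1.1" 302
203.0.113.9 - - [02/Jun/2022:10:02:41 +0000] "POST /confluence/x.jsp HTTP/1.1" 200
203.0.113.9 - - [02/Jun/2022:10:02:50 +0000] "GET /pages/viewpage.action?pageId=1 HTTP/1.1" 200
"""


def scan(log_text: str):
    """Map each suspicious line to its findings; benign lines are omitted."""
    return {ln: classify(ln) for ln in log_text.splitlines() if classify(ln)}


if __name__ == "__main__":
    for ln, tags in scan(SAMPLE_LOG).items():
        print(tags, ln)
```

Hits on a real log deserve a follow-up check of the web root's modification times, since the marker shows an attempt, not whether it succeeded.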