Atlassian Threats Upgraded To the Peak of Security Risk
Vulnerability Reaches Maximum Risk Level
Image by DALL.E AI.
Threat actors have wasted no time in exploiting a recently patched vulnerability in Confluence Data Center and Server, using it to distribute the Cerber ransomware. This prompted Atlassian, the software's developer, to classify the bug at the highest possible severity rating, SC Magazine reported.
While there were no immediate reports of the flaw being exploited, Atlassian's Chief Information Security Officer (CISO), Bala Sathiamurthy, warned customers that failure to take protective measures could result in "significant data loss" if exploits were to occur.
Cerber ransomware, which has been circulating for some time, is malware that encrypts files and demands a ransom for their release. Its deployment on Confluence servers poses a significant threat to organizations that rely on the software for collaboration and document management.
Given the active exploitation of the vulnerability, it is crucial for Confluence users to take immediate steps to protect their instances. Atlassian has provided patches for the vulnerability and urges users to apply them promptly to mitigate the risk of data loss and potential ransomware attacks.
In recent days, multiple ransomware groups have been actively targeting vulnerabilities in Atlassian Confluence and Apache ActiveMQ, according to cybersecurity firm Rapid7, The Hacker News reported.
The flaws being exploited are CVE-2023-22518 and CVE-2023-22515, both of which have the potential to lead to significant data loss.
Rapid7 Is on the Lookout
Rapid7 has observed the exploitation of these vulnerabilities in multiple customer environments, with some instances resulting in the deployment of Cerber ransomware, also known as C3RB3R. This highlights the seriousness of the situation and the urgent need for organizations to address these vulnerabilities promptly.
The vulnerabilities in question are critical, as they allow threat actors to create unauthorized Confluence administrator accounts, providing them with unrestricted access to sensitive data. This unauthorized access can then be leveraged for malicious purposes, such as deploying ransomware.
Atlassian recently updated its advisory to acknowledge the active exploits and reports of threat actors using ransomware. In response to the severity of the situation, Atlassian has revised the Common Vulnerability Scoring System (CVSS) score of the flaws from 9.8 to 10.0, indicating the maximum level of severity.
The attack chains involving these vulnerabilities typically begin with the mass exploitation of vulnerable internet-facing Atlassian Confluence servers. Once compromised, these servers are used to fetch a malicious payload hosted on a remote server, ultimately leading to the execution of the ransomware payload.
Data collected by GreyNoise, a cybersecurity intelligence company, shows that the exploitation attempts are originating from three different IP addresses located in France, Hong Kong, and Russia. This suggests that threat actors from multiple locations are actively targeting these vulnerabilities.
Arctic Wolf Labs Discloses “Severe Remote Code Execution Flaw”
In addition to the vulnerabilities in Atlassian Confluence, cybersecurity firm Arctic Wolf Labs has disclosed a severe remote code execution flaw affecting Apache ActiveMQ. The vulnerability, identified as CVE-2023-46604 with a CVSS score of 10.0, is being weaponized to deliver a Go-based remote access trojan called SparkRAT, as well as a ransomware variant similar to TellYouThePass.
Arctic Wolf Labs emphasizes the urgent need for organizations to address this vulnerability promptly, as evidence of exploitation in the wild has been observed from various threat actors with different objectives.
The exploitation of these vulnerabilities in Atlassian Confluence and Apache ActiveMQ highlights the ever-evolving nature of cyber threats. It serves as a reminder of the importance for organizations to prioritize cybersecurity measures, including promptly patching vulnerabilities and implementing robust security protocols.
By remaining vigilant and taking proactive steps to address vulnerabilities, organizations can significantly reduce their risk of falling victim to ransomware attacks and other malicious activities carried out by threat actors.