Saturday, June 18, 2022

Atlassian Confluence Server Bug Under Active Attack to Distribute Ransomware



A recently disclosed critical remote code execution (RCE) vulnerability in Atlassian's Confluence Server collaboration platform is now under active attack, in a spate of attacks bent on deploying a variety of malware, including ransomware.

Researchers from Sophos have observed a number of attacks over the past two weeks in which attackers used automated exploits against vulnerable Confluence instances running on Windows and Linux servers. In at least two of the Windows-related incidents, adversaries exploited the Atlassian vulnerability to drop Cerber ransomware on the victim networks, the security vendor said in a report Thursday.

Atlassian disclosed the vulnerability in Confluence Server (CVE-2022-26134) over Memorial Day weekend, after researchers from Volexity informed the company about the issue, which they discovered while investigating a breach at a customer location.

The bug — present in all current versions of Atlassian Confluence Server and Confluence Data Center — essentially gives unauthenticated attackers a way to drop a remotely accessible, in-memory-only Web shell on systems running a vulnerable version of the collaboration software. In the attack that Volexity investigated, the threat actors then used the Web shell access to drop other malware on the compromised system, which, among other things, gave them persistent backdoor access to it.

The bug stirred some concern because it gave attackers a way to access potentially sensitive project, customer, and other data in Confluence environments. At the time the bug was disclosed, Atlassian did not have a patch for it. However, the company released a fix one day later, on June 3.

Ongoing Confluence Attacks

According to Sophos, while the number of vulnerable Confluence servers has been dwindling since then, attacks continue, making it more important than ever to patch. In most of the attacks that the security vendor observed, threat actors appeared to be using the fileless Web shell to try to spread an existing collection of malware tools more broadly.

The various payloads that Sophos observed include Mirai bot variants, a cryptominer called z0miner, and pwnkit, a tool for gaining root access on most Linux distributions. Sophos said it also observed attackers exploiting the Atlassian Confluence vulnerability to drop ASP- and PHP-based Web shells on vulnerable systems, likely as a precursor to dropping other malware on them.

Sophos said it also has observed attackers running PowerShell commands and downloading shellcode for deploying the post-compromise Cobalt Strike toolkit on Windows servers running a vulnerable version of Confluence. In two incidents, a threat actor attempted to deploy Cerber ransomware via the Confluence exploit using an encoded PowerShell command to download and execute the malware. In both incidents, the attackers suggested that they had also stolen data from the victims for use as additional leverage for extracting a ransom payment.

However, there was no evidence that the threat actors had actually exfiltrated any data, Sophos said.

Double-Extortion Threats

Double-extortion ransomware attacks like the Cerber incidents have become increasingly common since the Maze ransomware group started the trend back in early 2020. In these attacks, threat actors not only encrypt data, but they also threaten to publicly release the data if their ransom demands are not met.

A recent study of the practice by Rapid7 showed that threat actors trying to coerce victims into paying a ransom most frequently leaked an organization's financial data (63%) first, followed by customer data (48%). However, Rapid7 found variances by industry in the types of data that attackers tend to leak initially.

For instance, with financial services victims, attackers usually tended to leak customer data first (83% of the time), instead of the victim's internal financial data. However, when it came to organizations in the healthcare and pharmaceutical sectors, ransomware actors leaked the victim's financial data 71% of the time, which was significantly more common than incidents involving leaks of customer data.

Rapid7 also found differences among ransomware actors regarding the type of data they leaked. For instance, 81% of the incidents involving Conti ransomware featured publicly leaked financial data. The Cl0p group, on the other hand, disclosed employee information (70%) more than any other type of data.
