A critical security vulnerability in Atlassian’s Confluence Server and Data Center products has recently been exploited in active cyberattacks, leading to the deployment of cryptocurrency miners and ransomware. The flaw, identified as CVE-2022-26134 with a CVSS score of 9.8, was patched by Atlassian on June 3, 2022. It allows unauthorized actors to achieve remote code execution (RCE) on unpatched systems.
Cybersecurity firm Sophos reported incidents involving Windows environments where attackers utilized this security hole to introduce Cerber ransomware as well as a cryptocurrency miner known as z0miner. All versions of Confluence Server and Data Center currently in support are impacted by this critical issue.
Additional malware observed in separate attack incidents includes variants of Mirai and Kinsing botnets, a malicious package dubbed pwnkit, and Cobalt Strike, which may have been deployed through web shells after gaining initial access to compromised systems.
“The vulnerability allows for the creation of a remote, accessible shell without leaving traces on the server’s storage,” stated Andrew Brandt, a principal security researcher at Sophos. Because such a shell writes nothing to disk, file-based detection is unlikely to catch it, which makes this remote access capability a significant risk: attackers can use it for a range of malicious activity while remaining hard to detect.
This alarming situation coincides with a warning from Microsoft, which revealed that multiple threat actors, including nation-state groups, are exploiting the same vulnerability for various malicious purposes. Notably, the identified group DEV-0401 has a history of launching ransomware attacks against internet-facing systems, having previously targeted vulnerabilities in VMware Horizon and Microsoft Exchange, among others.
The trend highlights an increasing propensity among adversaries to capitalize on newly discovered critical vulnerabilities instead of relying on older, well-documented software flaws. This reflects a shift in tactics in which speed and the ability to execute code remotely are becoming paramount for cybercriminals.
Organizations operating with Atlassian Confluence products are advised to promptly apply the necessary updates to mitigate the risks associated with CVE-2022-26134. As malicious activity exploiting this vulnerability continues to escalate, proactive measures must be taken to secure sensitive data and systems against potential breaches.