Microsoft: Ransomware groups, nation-states exploiting Atlassian Confluence vulnerability

Ransomware groups and nation-state actors have begun exploiting a widespread zero-day vulnerability in all supported versions of Atlassian Confluence Server and Data Center unveiled late last month, according to Microsoft. 

Microsoft’s security team took to Twitter on Friday to say they have seen widespread exploitation of CVE-2022-26134, which was officially patched by Atlassian on June 3

Microsoft released its own guidance on the issue “to help customers determine and remediate the impact of this vulnerability, possible exploitation, and related payloads and other malicious activity in their networks.”

“In many cases impacted devices have been observed with multiple disparate instances of malicious activity, including extensive device and domain discovery, and the deployment of payloads like Cobalt Strike, web shells, botnets like Mirai and Kinsing, coin miners, and ransomware,” Microsoft explained. 

“In particular, we observed the CVE-2022-26134 being exploited to download and deploy the Cerber2021 ransomware.”

Cerber2021 is a relatively minor player among ransomware gangs, emerging in November with versions that can be used in attacks on Windows and Linux, according to cybersecurity researchers with MalwareHunter.

At least one victim took to Twitter to note that they were hit with the Cerber2021 ransomware through the Atlassian bug.

Researchers at Swiss cybersecurity firm Prodraft told Bleeping Computer last week that the AvosLocker ransomware has also been seen exploiting the bug. The company that discovered the vulnerability, Volexity, said it has seen state-backed hackers in China exploiting it. 

Censys researchers said they found around 9,325 services across 8,347 distinct hosts running some version of Atlassian Confluence earlier this month.

“Of those services, most Confluence versions we identified were v7.13.0 (1,137 hosts), v7.13.2 (690 hosts), and v7.13.5 (429 hosts); and if the advisory is accurate, all of these versions are susceptible to this new attack,” said Mark Ellzey, senior security researcher at Censys.

The Censys dashboard shows most instances are in the U.S., China and Germany, with each country having at least 1,000 vulnerable hosts.

The Cybersecurity and Infrastructure Security Agency (CISA) released a warning about the bug and immediately added it to its catalog of known exploited vulnerabilities

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles

Jonathan Greig

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.