Microsoft: Ransomware groups, nation-states exploiting Atlassian Confluence vulnerability

Ransomware groups and nation-state actors have begun exploiting a widespread zero-day vulnerability in all supported versions of Atlassian Confluence Server and Data Center unveiled late last month, according to Microsoft. 

Microsoft’s security team took to Twitter on Friday to say they have seen widespread exploitation of CVE-2022-26134, which was officially patched by Atlassian on June 3. 

Multiple adversaries and nation-state actors, including DEV-0401 and DEV-0234, are taking advantage of the Atlassian Confluence RCE vulnerability CVE-2022-26134. We urge customers to upgrade to the latest version or apply recommended mitigations: https://t.co/C3CykQgrOJ

— Microsoft Security Intelligence (@MsftSecIntel) June 11, 2022

Microsoft released its own guidance on the issue “to help customers determine and remediate the impact of this vulnerability, possible exploitation, and related payloads and other malicious activity in their networks.”

“In many cases impacted devices have been observed with multiple disparate instances of malicious activity, including extensive device and domain discovery, and the deployment of payloads like Cobalt Strike, web shells, botnets like Mirai and Kinsing, coin miners, and ransomware,” Microsoft explained. 

“In particular, we observed the CVE-2022-26134 being exploited to download and deploy the Cerber2021 ransomware.”

Cerber2021 is a relatively minor player among ransomware gangs, emerging in November with versions that can be used in attacks on Windows and Linux, according to cybersecurity researchers with MalwareHunter.

At least one victim took to Twitter to note that they were hit with the Cerber2021 ransomware through the Atlassian bug.

Our company updated #confluence not long ago, but now we were also a victim of this ransomware, that gained access 99% through our #confluence installation I think that was not updated regularly! What a shit!!

— Hans (@Svenholm6) June 5, 2022

Researchers at Swiss cybersecurity firm Prodraft told Bleeping Computer last week that the AvosLocker ransomware has also been seen exploiting the bug. The company that discovered the vulnerability, Volexity, said it has seen state-backed hackers in China exploiting it. 

Censys researchers said they found around 9,325 services across 8,347 distinct hosts running some version of Atlassian Confluence earlier this month.

“Of those services, most Confluence versions we identified were v7.13.0 (1,137 hosts), v7.13.2 (690 hosts), and v7.13.5 (429 hosts); and if the advisory is accurate, all of these versions are susceptible to this new attack,” said Mark Ellzey, senior security researcher at Censys.

The Censys dashboard shows most instances are in the U.S., China and Germany, with each country having at least 1,000 vulnerable hosts.

The Cybersecurity and Infrastructure Security Agency (CISA) released a warning about the bug and immediately added it to its catalog of known exploited vulnerabilities.