China suspected in assaults against enterprises running collaboration platform
Confluence Server and Data Center users are being urged to update their systems in response to a remote code execution (RCE) vulnerability that’s the target of active attacks in the wild.
The vulnerability (tracked as CVE-2022-26134) opens the door for even unauthenticated attackers to achieve RCE on unpatched systems, with all supported versions of Confluence Server and Data Center affected. End-of-life versions are also likely to be impacted, but this is unconfirmed.
Users are urged to apply patches published by Atlassian, the software developer behind Confluence, on Friday (June 3). Enterprises unable to patch should apply the recommended workarounds, as explained in an advisory by Atlassian.
The US Cybersecurity and Infrastructure Security Agency (CISA) is advising US federal agencies to block internet traffic to Confluence Server and Data Center installs and apply Atlassian’s patch or else remove affected instances by the close of business on Monday, June 6.
Attacks against the vulnerability on internet-facing Atlassian Confluence servers have been logged by threat response specialists at both Volexity and Rapid7’s Managed Detection and Response (MDR) team.
Volexity reports that attacks began last week on what was at the time a zero-day vulnerability in Atlassian Confluence Server. The RCE vulnerability was used to deploy an in-memory Java-based web server implant, known as ‘Behinder’, in an attempt to evade detection.
“Once Behinder was deployed, the attacker used the in-memory webshell to deploy two additional webshells to disk: CHINA CHOPPER and a custom file upload shell,” Volexity explains in a technical blog post.
The tools and techniques behind the attack allowed Volexity threat researcher Paul Rascagnères to identify China as the most likely suspect.
Confluence is a popular web-based collaboration software platform. The Daily Swig asked Volexity to offer an estimate of the number of vulnerable internet-facing Confluence servers and to speculate on the end goal of the attacks.
No word back, as yet, but we’ll update this story as and when more information comes to hand.