Over the weekend, the Jenkins project, which maintains the open-source automation server of the same name, announced that attackers had exploited a critical vulnerability in Atlassian Confluence Server and Data Center to gain access to one of its internal servers.
At this time, we have no reason to believe that any Jenkins releases, plugins, or source code have been affected.
Following the public release of a proof-of-concept (PoC) exploit for the recently disclosed Atlassian Confluence remote code execution (RCE) vulnerability, attackers began scanning for exposed instances and exploiting them to install cryptocurrency-mining malware.
Jenkins' investigation shows that the threat actors exploited CVE-2021-26084 to install a Monero cryptocurrency miner in the container running its deprecated Confluence service.
The flaw is not limited to coin mining: the same code execution could be used for far more damaging attacks, such as data theft or lateral movement into other systems.
Thus far in our investigation, we have learned that the Confluence CVE-2021-26084 exploit was used to install what we believe was a Monero miner in the container running the service. From there an attacker would not be able to access much of our other infrastructure.
While Jenkins has found no evidence that developer credentials were exfiltrated during the attack, the project is taking precautionary measures. It announced that it has reset the passwords of all accounts in its integrated identity system.
It also stated that they “are taking actions to prevent releases at this time until we re-establish a chain of trust with our developer community.”
Jenkins says its infrastructure team has permanently shut down the Confluence server, rotated privileged credentials, and taken proactive steps to further restrict access across the organization.
According to the Atlassian security advisory, CVE-2021-26084 affects Confluence Server and Data Center versions before 6.13.23, from 6.14.0 before 7.4.11, from 7.5.0 before 7.11.6, and from 7.12.0 before 7.12.5.
The Confluence RCE vulnerability tracked as CVE-2021-26084 is an OGNL injection flaw that allows an authenticated user, and in some configurations an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance.
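A practical first step after an advisory like this is to check an inventory of Confluence instances against the affected version ranges. The following Python script is an added example written for this article; it is not code from Atlassian or Jenkins. It encodes the four affected ranges quoted above as half-open intervals (introduced version inclusive, first fixed release exclusive), parses dotted version strings, and reports which hosts still need upgrading and to which release. The hostnames and versions in `CONSTRUCTED_INVENTORY` are made up for demonstration. Note the caveat that a version check says nothing about exposure or about whether anonymous access is enabled; an instance in an affected range should be treated as exploitable regardless.

```python
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges from the advisory, as [introduced, first fixed).
# The advisory gives no lower bound for the first range ("before 6.13.23"),
# so 0.0.0 stands in for it.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((0, 0, 0), (6, 13, 23)),
    ((6, 14, 0), (7, 4, 11)),
    ((7, 5, 0), (7, 11, 6)),
    ((7, 12, 0), (7, 12, 5)),
]


def parse_version(text: str) -> Version:
    """Parse '7.12.4' (or a shorter '7.12') into a 3-tuple.

    Anything that is not one to three dot-separated integers is rejected
    rather than silently compared, so a build suffix cannot mask a match.
    """
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported Confluence version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return (nums[0], nums[1], nums[2])


def fixed_release_for(version: str) -> Optional[str]:
    """Return the first fixed release for this version, or None if unaffected."""
    v = parse_version(version)
    for introduced, fixed in AFFECTED_RANGES:
        if introduced <= v < fixed:
            return ".".join(str(n) for n in fixed)
    return None


def is_vulnerable(version: str) -> bool:
    """True when the version falls inside any affected range."""
    return fixed_release_for(version) is not None


# Constructed inventory (hypothetical hosts and versions) for demonstration.
CONSTRUCTED_INVENTORY: Dict[str, str] = {
    "wiki-old.example.internal": "6.13.20",
    "wiki.example.internal": "7.12.5",
    "confluence-dc.example.internal": "7.11.5",
    "confluence-lab.example.internal": "7.13.0",
}


def triage(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return sorted (host, current version, upgrade target) for affected hosts."""
    rows = []
    for host, version in inventory.items():
        fixed = fixed_release_for(version)
        if fixed is not None:
            rows.append((host, version, fixed))
    return sorted(rows)


if __name__ == "__main__":
    for host, version, fixed in triage(CONSTRUCTED_INVENTORY):
        print(f"{host}: {version} is affected by CVE-2021-26084, upgrade to {fixed}")
```

The boundaries matter: 7.4.10 is affected while 7.4.11 is the fix, and a two-component version such as `7.12` is padded to `7.12.0`, which is itself affected. Feed the script a real inventory only after confirming that the version strings come from the instances themselves rather than from a stale CMDB entry.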
On September 3rd, US Cyber Command (USCYBERCOM) published a warning urging US companies to patch the mass-exploited Atlassian Confluence flaw as soon as possible.
Mass exploitation of Atlassian Confluence CVE-2021-26084 is ongoing and expected to accelerate. Please patch immediately if you haven’t already— this cannot wait until after the weekend.
— USCYBERCOM Cybersecurity Alert (@CNMF_CyberAlert) September 3, 2021