Heimdal
Over the weekend, the open-source automation server Jenkins announced that cybercriminals exploited a critical vulnerability impacting Atlassian Confluence Server and Data Center to obtain access to one of its internal servers.

At this time, we have no reason to believe that any Jenkins releases, plugins, or source code have been affected.

Source

Following the public release of a Proof-of-Concept (PoC) exploit for a recently disclosed Atlassian Confluence Remote Code Execution (RCE) vulnerability, cybercriminals began to search for and abuse it to install cryptocurrency mining malware.

Jenkins’ investigation shows that the threat actors exploited CVE-2021-26084 to install a Monero cryptocurrency miner in the container running the deprecated Confluence service.

Furthermore, hackers could also leverage the flaw for more destructive attacks.

Thus far in our investigation, we have learned that the Confluence CVE-2021-26084 exploit was used to install what we believe was a Monero miner in the container running the service. From there an attacker would not be able to access much of our other infrastructure.

Source

While Jenkins has no evidence that developer credentials were exfiltrated during the attack, it is taking precautions: it announced that it has reset the passwords for all accounts in its integrated identity system.

It also stated that they “are taking actions to prevent releases at this time until we re-establish a chain of trust with our developer community.”

Jenkins claims that its infrastructure team has deactivated the Confluence server for good, rotated privileged credentials, and taken proactive steps to further limit access across their organization.

According to the Atlassian security advisory, the CVE-2021-26084 vulnerability affects Confluence Server and Data Center versions before 6.13.23, from 6.14.0 before 7.4.11, from 7.5.0 before 7.11.6, and from 7.12.0 before 7.12.5.
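Because the affected ranges above have gaps (6.13.23 and later 6.13.x builds are fixed, as are 7.4.11 through 7.4.x and 7.11.6 through 7.11.x), checking an inventory by eye is error-prone. The following is an added example, not code from the article or from Atlassian or Jenkins, that encodes exactly the ranges quoted above and triages a constructed host inventory; the host names and versions are made up.

```python
"""Triage Confluence Server / Data Center versions against the CVE-2021-26084
affected ranges as quoted from the Atlassian advisory in the article."""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# (inclusive lower bound or None, exclusive upper bound), taken from the advisory text.
AFFECTED_RANGES: List[Tuple[Optional[str], str]] = [
    (None, "6.13.23"),
    ("6.14.0", "7.4.11"),
    ("7.5.0", "7.11.6"),
    ("7.12.0", "7.12.5"),
]


def parse_version(text: str) -> Version:
    """Turn '7.4.11' into (7, 4, 11); pad short strings so '6.13' compares as 6.13.0."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) < 3:
        parts = parts + (0,) * (3 - len(parts))
    return parts


def is_affected(version: str) -> bool:
    """True if the version falls inside any of the advisory's affected ranges."""
    v = parse_version(version)
    for low, high in AFFECTED_RANGES:
        lower_ok = low is None or parse_version(low) <= v
        if lower_ok and v < parse_version(high):
            return True
    return False


# Constructed inventory: one "<host> <confluence version>" pair per line.
INVENTORY = """\
wiki-prod     7.11.5
wiki-staging  7.12.6
wiki-legacy   6.13.22
wiki-archive  7.4.15
"""


def triage(inventory: str) -> Dict[str, bool]:
    """Map each host in the inventory to whether its version needs patching."""
    result: Dict[str, bool] = {}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, version = line.split()
        result[host] = is_affected(version)
    return result


if __name__ == "__main__":
    for host, affected in triage(INVENTORY).items():
        print(f"{host}: {'PATCH REQUIRED' if affected else 'not in affected range'}")
```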

The Confluence RCE vulnerability tracked as CVE-2021-26084 is an OGNL injection issue that enables an authenticated user, and in some cases an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance.

On September 3rd, the US Cyber Command (USCYBERCOM) published a warning urging US companies to patch the mass-exploited Atlassian Confluence critical flaw as soon as possible.

Author Profile

Antonia Din

PR & Video Content Manager
