Following the public release of a Proof-of-Concept (PoC) exploit for a recently disclosed Atlassian Confluence Remote Code Execution (RCE) bug, cybercriminals are actively scanning for vulnerable servers and abusing the flaw to install cryptocurrency mining malware.
CVE-2021-26084 Flaw Damage
According to the Atlassian security advisory, this vulnerability impacts Confluence Server and Data Center versions before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.
The Confluence RCE vulnerability, tracked as CVE-2021-26084, is an OGNL injection issue that enables an authenticated user, and in some cases an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance.
All versions of Confluence Server and Data Center prior to the fixed versions listed above are affected by this vulnerability.
The company released versions 6.13.23, 7.4.11, 7.11.6, 7.12.5, and 7.13.0, which fix this issue, and urges its customers to upgrade to the latest Long Term Support release. Users can download the latest version from the download centre.
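The affected ranges in the advisory are half-open (the lower bound is affected, the fixed release is not), which is easy to misread when checking an inventory by hand. The following is an added example, not code from the article or from Atlassian, that encodes the ranges quoted above and reports the fixed release for a given version string; the function names and the sample versions are this example's own.

```python
# Added example: classify a Confluence Server/Data Center version string
# against the CVE-2021-26084 ranges quoted from the Atlassian advisory.
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# (lower bound inclusive or None, fixed release exclusive). A version is
# affected when lower <= version < fixed; the fixed release itself is safe.
AFFECTED_RANGES = [
    (None, "6.13.23"),        # everything before 6.13.23
    ("6.14.0", "7.4.11"),     # 6.14.0 <= v < 7.4.11
    ("7.5.0", "7.11.6"),      # 7.5.0  <= v < 7.11.6
    ("7.12.0", "7.12.5"),     # 7.12.0 <= v < 7.12.5
]

def parse_version(text: str) -> Version:
    """Turn '7.4.11' (or '7.4') into a comparable (major, minor, patch) tuple."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version string: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])

def fixed_release_for(version_text: str) -> Optional[str]:
    """Return the fixed release in the same branch if the version is affected,
    or None if it already carries the fix (or lies outside every range)."""
    v = parse_version(version_text)
    for lower, fixed in AFFECTED_RANGES:
        low_ok = lower is None or parse_version(lower) <= v
        if low_ok and v < parse_version(fixed):
            return fixed
    return None

def is_affected(version_text: str) -> bool:
    return fixed_release_for(version_text) is not None

if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, ver in [("wiki-a", "7.12.4"), ("wiki-b", "7.4.12"), ("wiki-c", "6.9.0")]:
        fix = fixed_release_for(ver)
        print(f"{host}: {ver} -> {'upgrade to ' + fix if fix else 'not in an affected range'}")
```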
What Is Atlassian Confluence?
Atlassian’s Confluence is a web-based team collaboration application for managing workspaces and projects. Developed in Australia and written in Java, it can be run by companies locally on their own servers.
Confluence is advertised as enterprise software that can be licensed as on-premises software or as software as a service that runs on AWS.
Hackers and Cybersecurity Researchers Exploit Vulnerable Confluence Servers
Following Atlassian’s advisory, cybersecurity researchers released a technical write-up related to the RCE vulnerability and a proof-of-concept exploit.
According to BleepingComputer, cybercriminals could use the commands executed through the exploit to download other software, such as webshells, or to launch a program on the vulnerable server.
Not long after the PoC’s release, cybersecurity organizations started reporting that hackers and security specialists were actively scanning for and abusing unpatched Confluence servers.
After studying the exploit samples published by cybersecurity intelligence organization Bad Packets, BleepingComputer concluded that cybercriminals are trying to deploy cryptominers on both Windows and Linux Confluence servers.
Although cybercriminals are currently exploiting this type of vulnerability for cryptocurrency mining, researchers believe it will be used for data exfiltration and ransomware attacks in the future.
Companies running a Confluence server are urged to immediately install the latest updates.