skout-blog

Cybersecurity Threat Advisory 0033-22: Critical vulnerability affecting Atlassian Confluence Server

Threat Update

A zero-day exploit has been discovered in all versions of Atlassian Confluence Server and Data Center products. This vulnerability is actively being exploited by cyberattackers.  It allows threat actors to gain full control of vulnerable systems without using credentials and perform unauthenticated remote code execution. Barracuda MSP recommends updating all Atlassian servers immediately.

Technical Detail & Additional Information

WHAT IS THE THREAT?

A zero-day exploit was recently discovered in all versions of Atlassian Confluence Server and Data Center products. An attacker can exploit this vulnerability to allow unauthenticated remote code execution and gain full control over the system without credentials. This attack can enable attackers to gain access to critical information stored on the servers and move laterally throughout the network environment. 

WHY IS IT NOTEWORTHY?

During the Memorial Day weekend, attackers targeted two internet facing web servers which were running Atlassian Confluence Server software. They launched a single exploit on each of the server systems, which allowed them to load a malicious class file in the memory.  This approach enabled the attackers to have a web shell, a shell-like interface that enables a web server to be remotely accessed, to continuously interact with the server during subsequent requests, without the need of creating a backdoor file to disk.

WHAT IS THE EXPOSURE OR RISK?

This vulnerability affects all versions of Atlassian Confluence Server and Data Center products that are running the Atlassian Confluence Server software.  When the attackers exploited the two Confluence Server systems, they were able to launch an in-memory copy of the BEHINDER implant which is a very popular web server implant with source code found on GitHub. Once it is deployed, the attacker can launch two additional web shells to disk: CHINA CHOPPER and a custom file upload shell. During the full system take over, the attackers were able to execute commands on the system which allowed them to explore sensitive data on the victim’s network.

WHAT ARE THE RECOMMENDATIONS?

Barracuda MSP recommends patching this vulnerability by updating Confluence Server and Confluence Data Center to the latest versions as outlined by Atlassian, and listed below:

  • 7.4.17
  • 7.13.7
  • 7.14.3
  • 7.15.2
  • 7.16.4
  • 7.17.4
  • 7.18.1

Additional remediation steps:

  • Consider blocking external access to Internet-facing Confluence Server and Data Center systems
  • Implement IP address access control list (ACLs) to restrict access to Internet-facing systems
  • Monitor child processes of web application processes for suspicious processes
  • Review any recent alerts related to Confluence systems you may have setup

REFERENCES

For more in-depth information about the recommendations, please visit the following links:

If you have any questions, please contact our Security Operations Center.

Threat Advisory Sign Up