Critical Atlassian Confluence Bug Exploited in Cerber Ransomware Attacks

Cyber Security Threat Summary:
Last Tuesday, Atlassian released security updates to address a critical improper authorization vulnerability affecting all versions of Confluence Data Center and Server. Tracked as CVE-2023-22518, the vulnerability can be used in data destruction attacks against internet-exposed, unpatched instances. While Atlassian initially noted that it was unaware of reports of active exploitation, the vendor updated its advisory on Friday to state that threat actors had begun exploiting the flaw in attacks in the wild.

Security Officer Comments:
Over the weekend, threat intelligence company GreyNoise observed widespread exploitation of CVE-2023-22518, with attacks launched from five different IP addresses. Cybersecurity firm Rapid7 saw similar activity, in which attackers leveraged CVE-2023-22518 as well as an older critical privilege escalation bug (CVE-2023-22515) to target internet-exposed Atlassian Confluence servers. In particular, Rapid7 researchers observed post-exploitation command execution that downloaded a malicious payload hosted at 193.43.72[.]11 and/or 193.176.179[.]41, leading to the deployment of Cerber ransomware.

Suggested Correction(s):
With a proof-of-concept (PoC) exploit for CVE-2023-22518 now public, many threat actors are leveraging it to launch attacks. According to ShadowServer, more than 24,000 Confluence instances are currently exposed online. Besides applying the latest updates, administrators should segment internet-accessible Confluence instances from other external-facing resources.

Atlassian also recommends blocking access to the following endpoints on Confluence instances to mitigate known attack vectors. For more information, refer to Atlassian’s advisory: