Brother
Professional
- Messages
- 2,590
- Reaction score
- 487
- Points
- 83
Unprotected servers have become a popular target for hackers who want to gain control of the system.
The Shadowserver service detects attempts to exploit the critical vulnerability CVE-2023-22527, which allows remote code execution on outdated versions of Atlassian Confluence servers.
Atlassian reported the issuea last week and noted that it only affects Confluence versions released before December 5, 2023, as well as some versions that are no longer supported.
Vulnerability CVE-2023-22527 (CVSS score: 10.0) is described as a template injection bug that allows an unauthorized remote attacker to execute code (Remote Code Execution, RCE) on vulnerable Confluence Data Center and Confluence Server servers versions 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x and 8.5.0 - 8.5.3. The bug fix is available for Confluence Data Center 8.6.0 and Server versions 8.5.4 (LTS)and later.
Since January 19, the Shadowserver threat monitoring service has recorded more than 39,000 attempts to exploit CVE-2023-22527, attacks originating from more than 600 unique IP addresses. According to The DFIR Report, attackers check callbacks by executing the "whoami" command to gather information about the access level and privileges on the system.
Malicious HTTP request
Currently, more than 11,200 Atlassian Confluence servers are available over the Internet. However, it is not necessary that all of them work on the affected version.
Shadowserver Data
Atlassian has previously stated that it cannot provide specific Indicators of Compromise (IoC), which would help in detecting cases of exploitation. Confluence server administrators should ensure that the servers they manage have been updated to at least a version released after December 5, 2023.
Organizations with outdated Confluence servers may consider them potentially compromised, so you need to look for signs of exploitation, perform a thorough cleanup, and upgrade to a secure version.
The Shadowserver service detects attempts to exploit the critical vulnerability CVE-2023-22527, which allows remote code execution on outdated versions of Atlassian Confluence servers.
Atlassian reported the issuea last week and noted that it only affects Confluence versions released before December 5, 2023, as well as some versions that are no longer supported.
Vulnerability CVE-2023-22527 (CVSS score: 10.0) is described as a template injection bug that allows an unauthorized remote attacker to execute code (Remote Code Execution, RCE) on vulnerable Confluence Data Center and Confluence Server servers versions 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x and 8.5.0 - 8.5.3. The bug fix is available for Confluence Data Center 8.6.0 and Server versions 8.5.4 (LTS)and later.
Since January 19, the Shadowserver threat monitoring service has recorded more than 39,000 attempts to exploit CVE-2023-22527, attacks originating from more than 600 unique IP addresses. According to The DFIR Report, attackers check callbacks by executing the "whoami" command to gather information about the access level and privileges on the system.
Malicious HTTP request
Currently, more than 11,200 Atlassian Confluence servers are available over the Internet. However, it is not necessary that all of them work on the affected version.
Shadowserver Data
Atlassian has previously stated that it cannot provide specific Indicators of Compromise (IoC), which would help in detecting cases of exploitation. Confluence server administrators should ensure that the servers they manage have been updated to at least a version released after December 5, 2023.
Organizations with outdated Confluence servers may consider them potentially compromised, so you need to look for signs of exploitation, perform a thorough cleanup, and upgrade to a secure version.
