Lord777
How does a new critical bug allow attackers to effectively encrypt data?
The Atlassian Confluence platform faces a new threat: attackers exploit a critical vulnerability in its systems to bypass the authentication procedure. The bug allows you to encrypt files using the Cerber ransomware virus.
The defect with the identifier CVE-2023-22518 has a score of 9.1 out of a possible 10 on the hazard scale. It is a flaw in the authorization mechanisms and affects all existing versions of the Confluence and Confluence Data Center server software. Atlassian, the company responsible for development, released a patch on October 31 and strongly recommended that administrators update their systems as soon as possible to eliminate the risk of complete data loss.
For organizations that for some reason cannot immediately apply patches, a number of security measures are offered: from data backup to temporary restriction of Internet access for non-updated servers.
According to the ShadowServer threat monitoring service, more than 24,000 Confluence servers are open for access from the network. The actual number of systems vulnerable to attacks via CVE-2023-22518 cannot be determined.
Last Friday, Atlassian made another statement, warning that after the exploit was published, hackers began to apply the vulnerability in practice:
"We have received reports from customers about active exploitation of the vulnerability. Users need to take immediate steps to protect their systems. If the security update is already installed, no additional actions are required."
Cybersecurity specialists from GreyNoise recorded the first attacks on Sunday, November 5. Unknown people penetrated the Atlassian Confluence servers, which were accessible via the Internet. Exploits targeting CVE-2023-22518 and an old critical privilege escalation vulnerability, CVE-2023-22515 (previously exploited as 0-day), helped in this.
The attackers ran commands to download the Cerber ransomware from external servers located at 193.43.72[.]11 and/or 193.176.179[.]41. After successful download, the ransomware completely blocked access to the system.
Last month, CISA, the FBI and MS-ISAC joined the warnings about the threat of exploitation of CVE-2023-22515. They jointly appealed to Atlassian customers to take urgent action, but some did not even have concerns about this. As the Microsoft report indicates, the bug has been exploited by hackers since September 14.
Cerber, also known as CerberImposter, was already used in attacks on Atlassian Confluence two years ago. The attacks were carried out through a remote code execution vulnerability (CVE-2021-26084), which was previously used to host cryptocurrency miners in the system.
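A defender-side check for the download servers named in the post, as an added example that is not part of the original post: it refangs the two defanged addresses, scans outbound connection log lines from a Confluence host, and reports exact address matches (so the near-miss 193.43.72.110 is not flagged). The log layout and sample lines are constructed for the example, not taken from any real product.

```python
import ipaddress
import re

# Download servers named in the post above, in their defanged form.
CERBER_DOWNLOAD_HOSTS = {"193.43.72[.]11", "193.176.179[.]41"}

def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 193.43.72[.]11 into a plain address."""
    return indicator.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")

# Compare parsed addresses, not substrings, so 193.43.72.110 does not match 193.43.72.11.
IOC_ADDRESSES = {ipaddress.ip_address(refang(h)) for h in CERBER_DOWNLOAD_HOSTS}

# Constructed sample egress log: "timestamp src dst:port verdict" (assumed layout, not a real product format).
SAMPLE_EGRESS_LOG = """\
2023-11-05T03:12:41Z 10.0.5.20 193.43.72.11:80 ALLOW
2023-11-05T03:12:42Z 10.0.5.20 151.101.1.69:443 ALLOW
2023-11-05T03:13:07Z 10.0.5.21 193.176.179.41:443 ALLOW
2023-11-05T03:14:00Z 10.0.5.22 193.43.72.110:80 ALLOW
garbage line that does not parse
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>[^:\s]+):(?P<port>\d+)\s+(?P<verdict>\S+)$"
)

def find_cerber_downloads(log_text: str) -> list[dict]:
    """Return one finding per line whose destination is one of the listed download servers."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        try:
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue  # hostname rather than an address; out of scope for this IP-based check
        if dst in IOC_ADDRESSES:
            findings.append({
                "timestamp": m["ts"],
                "confluence_host": m["src"],
                "download_server": str(dst),
                "port": int(m["port"]),
            })
    return findings

if __name__ == "__main__":
    for finding in find_cerber_downloads(SAMPLE_EGRESS_LOG):
        print(finding)
```

A hit on a host that has not yet received the October 31 patch is the signal to isolate it and restore from backup rather than to wait for the encryption to finish.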