US Cybercom says mass exploitation of Atlassian Confluence vulnerability 'ongoing and expected to accelerate'

IT leaders have taken to Twitter to confirm that the exploitation is ongoing globally.
Written by Jonathan Greig, Contributor

UPDATE: Jenkins project attacked through Atlassian Confluence vulnerability

US Cybercom has sent out a public notice warning IT teams that CVE-2021-26084 -- related to Atlassian Confluence -- is actively being exploited.

"Mass exploitation of Atlassian Confluence CVE-2021-26084 is ongoing and expected to accelerate. Please patch immediately if you haven't already -- this cannot wait until after the weekend," US Cybercom said in a tweet on Friday, ahead of the Labor Day holiday weekend.

A number of IT leaders took to social media to confirm that it was indeed being exploited.

Atlassian released an advisory about the vulnerability on August 25, explaining that the "critical severity security vulnerability" was found in Confluence Server and Data Center versions before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.
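
The affected ranges listed above can be turned into an inventory triage check. The following is an added example, not code from the article or from Atlassian's advisory. The host names and inventory are constructed, and the check looks only at the reported version string, not at whether the temporary workaround has been applied.

```python
import re

# Affected ranges as listed in the article: (first affected, first fixed).
# A version v is affected when first_affected <= v < first_fixed.
AFFECTED_RANGES = [
    ((0, 0, 0), (6, 13, 23)),   # all versions before 6.13.23
    ((6, 14, 0), (7, 4, 11)),   # 6.14.0 up to, not including, 7.4.11
    ((7, 5, 0), (7, 11, 6)),    # 7.5.0 up to, not including, 7.11.6
    ((7, 12, 0), (7, 12, 5)),   # 7.12.0 up to, not including, 7.12.5
]

def parse_version(text):
    """Parse 'major.minor[.patch]' into a tuple; reject anything else."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?\s*", text)
    if not m:
        raise ValueError(f"unrecognized version string: {text!r}")
    return tuple(int(part or 0) for part in m.groups())

def is_affected(version):
    """True if the version falls in a range affected by CVE-2021-26084."""
    v = parse_version(version)
    return any(low <= v < fixed for low, fixed in AFFECTED_RANGES)

def triage(inventory):
    """Split {host: version} into affected, fixed and unknown host lists."""
    result = {"affected": [], "fixed": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        try:
            bucket = "affected" if is_affected(version) else "fixed"
        except ValueError:
            bucket = "unknown"  # needs manual review, do not assume safe
        result[bucket].append(host)
    return result

# Constructed sample inventory (hypothetical hosts, Server/Data Center only).
SAMPLE_INVENTORY = {
    "wiki-prod": "7.12.4",
    "wiki-lts": "7.4.11",
    "wiki-legacy": "6.13.22",
    "wiki-new": "7.13.0",
    "wiki-dev": "custom-build",
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts in the `unknown` bucket reported a version string the parser could not read and should be checked by hand.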

"An OGNL injection vulnerability exists that would allow an authenticated user, and in some instances unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance. All versions of Confluence Server and Data Center prior to the fixed versions listed above are affected by this vulnerability," the company said in its advisory. 

They urged IT teams to upgrade to the latest Long Term Support release and said there is a temporary workaround if that is not possible. 

"You can mitigate the issue by running the script below for the Operating System that Confluence is hosted on," the notice said. 

The vulnerability only affects customers of the Confluence Server and Data Center products. Customers of Confluence Cloud are not affected.

Multiple researchers have illustrated how the vulnerability can be exploited and released proofs-of-concept showing how it works. 

Bad Packets said they "detected mass scanning and exploit activity from hosts in Brazil, China, Hong Kong, Nepal, Romania, Russia and the US targeting Atlassian Confluence servers vulnerable to remote code execution."

Censys explained in a blog post that over the last few days, their team has "seen a small shift in the number of vulnerable servers still running on the public internet." 

"On August 31st, Censys identified 13,596 vulnerable Confluence instances, while on September 02, that number has decreased to 11,689 vulnerable instances," Censys said. 

The company explained that Confluence is a "widely deployed Wiki service used primarily in collaborative corporate environments" and that it "has become the de facto standard for enterprise documentation over the last decade."

"While the majority of users run the managed service, many companies opt to deploy the software on-prem. On August 25th, a vulnerability in Atlassian's Confluence software was made public. A security researcher named SnowyOwl (Benny Jacob) found that an unauthenticated user could run arbitrary code by targeting HTML fields interpreted and rendered by the Object-Graph Navigation Language (OGNL)," the blog said. 

"Yes, that is the same class of vulnerability used in the Equifax breach back in 2017. Just days before this vulnerability was made public, our historical data showed that the internet had over 14,637 exposed and vulnerable Confluence servers. Compare that to the current day, September 1st, where Censys identified 14,701 services that self-identified as a Confluence server, and of those, 13,596 ports and 12,876 individual IPv4 hosts are running an exploitable version of the software."


A Censys chart showing how many servers are still vulnerable. 


"There is no way to put this lightly: this is bad. Initially, Atlassian stated this was only exploitable if a user had a valid account on the system; this was found to be incorrect, and the advisory was updated today to reflect the new information. It's only a matter of time before we start seeing active exploitation in the wild as there have already been working exploits found scattered about," Censys added. 

Yaniv Bar-Dayan, CEO of Vulcan Cyber, told ZDNet that security teams need to fight fire with fire as they work to prioritize and remediate this Confluence flaw. 

Attackers shouldn't be the first to automate scans for this exploit, and hopefully, IT security teams are ahead of their adversaries in proactively identifying the presence of this vulnerability and are taking steps to mitigate it, Bar-Dayan said. 

"Given the nature of Atlassian Confluence, there is a very real chance components of the platform are Internet exposed," Bar-Dayan added. 

"This means that attackers won't need internal network access to exploit the RCE vulnerability. A patch is available, and administrators should deploy it with extra haste while also considering other mitigating actions such as ensuring no public access is available to the Confluence Server and services."

BleepingComputer confirmed on Thursday that some threat actors are installing cryptominers on both Windows and Linux Confluence servers using the vulnerability.  
