
Critical Flaw in Atlassian's Confluence Server Allows Hackers to Run Commands


A critical flaw in Atlassian's Confluence server software, which lets an attacker reset an instance and then run malicious commands on it, is being actively exploited in attacks that deploy ransomware, according to researchers tracking the activity.

Glenn Thorpe, senior director of security research and detection engineering at GreyNoise, said on Mastodon on Sunday, "Widespread exploitation of the CVE-2023-22518 authentication bypass vulnerability in Atlassian Confluence Server has begun, posing a risk of significant data loss." He continued, "So far, the attacking IPs all include Ukraine in their target."

He pointed to a page showing three separate IP addresses that began exploiting the vulnerability, which lets an attacker restore a database onto the server and then execute malicious commands, between 12 a.m. and 8 a.m. Sunday UTC (roughly 5 p.m. Saturday to 1 a.m. Sunday Pacific Time). Those IPs have since stopped, but he believes exploitation is continuing.

It just takes one request

The DFIR Report posted screenshots of data collected while observing the attacks. One showed a ransom note from the C3RB3R ransomware group.

Security firms Rapid7 and Tenable likewise confirmed that the attacks began over the weekend.

Rapid7 researchers Daniel Lydon and Conor Quinn said, "As of November 5, 2023, Rapid7 Managed Detection and Response (MDR) is observing Atlassian Confluence exploitation in multiple customer environments, including for ransomware deployment." They continued, "We have confirmed that at least some of the exploits target CVE-2023-22518, a Confluence Data Center and Confluence Server improper authorization vulnerability."

The discovery 

Rapid7 found that the exploit chains were nearly identical across environments, indicating "mass exploitation" of on-premises Confluence servers. "In various exploit chains, Rapid7 saw post-exploitation command execution for downloading a malicious payload located at 193.43.72[.]11 and/or 193.176.179[.]41, which, if effective, resulted in single-system Cerber ransomware installation on the exploited Confluence server."

CVE-2023-22518 is an improper authorization vulnerability that can be exploited on Internet-facing Confluence servers through crafted requests to the setup-restore endpoints. Confluence instances hosted on Atlassian's cloud infrastructure are not affected. Atlassian disclosed the flaw in a blog post last Tuesday, in which Chief Information Security Officer Bala Sathiamurthy warned that the flaw can end in "critical data loss if exploited" and that "users must take action right away to secure their instances."

What next?

Atlassian updated the post on Thursday to say that several reports published in the intervening days offered "critical information about the vulnerability, which raises the possibility of exploitation." The update appeared to refer to write-ups such as one that published the results of diffing the vulnerable and fixed versions to pinpoint the technical details. Another possible source was a Mastodon post:

"Just one request is all it takes to reset the server and gain admin access," the post said, alongside a video showing the exploit in action.

Atlassian updated the page again on Friday to state that active exploitation was occurring. "Customers must take immediate action to protect their instances," the statement said.

Now that word has spread that the attacks are simple and effective, threat groups are likely racing to exploit the vulnerability before targets patch. Any organization with an on-premises Confluence server reachable from the Internet should patch immediately; if that is not possible, take the server off the Internet until it can be patched. A riskier fallback is to block access to the setup-restore endpoints listed in Atlassian's advisory.
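The setup-restore endpoints and the two payload hosts named above give a defender two concrete things to hunt for while patching is under way. The following is an added example for this post, not code from Atlassian, Rapid7, GreyNoise or The DFIR Report: it scans reverse-proxy access logs for any request touching a setup-restore endpoint, rating hits from outside an assumed trusted administrator range as the urgent ones, and scans an egress log for connections to the payload hosts Rapid7 reported. The combined-log format, the egress log layout, the 10.0.0.0/8 administrator range and every sample log line are assumptions or constructed data, not taken from the page.

```python
"""Triage helper for CVE-2023-22518 exploitation indicators.

Added example for this post; not code from Atlassian, Rapid7, GreyNoise or
The DFIR Report. Assumptions (not stated on the page): Confluence sits behind
a reverse proxy writing Apache/nginx "combined" access logs, egress is logged
as "<timestamp> <src> <dst:port>", and 10.0.0.0/8 is the only network from
which administrators legitimately reach the setup-restore endpoints.
"""
import ipaddress
import re
from dataclasses import dataclass

# Payload hosts named by Rapid7 (defanged on the page as 193.43.72[.]11 and
# 193.176.179[.]41). Outbound traffic to either is a strong post-exploitation signal.
PAYLOAD_HOSTS = {"193.43.72.11", "193.176.179.41"}

# The flaw is triggered through the setup-restore endpoints, so any request whose
# path contains that string is worth triage. Matching on the substring rather than
# an exact path list keeps the check robust to URL variations.
SETUP_RESTORE = re.compile(r"setup-restore", re.IGNORECASE)

# Assumed trusted administrator ranges; adjust to your environment.
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Apache/nginx "combined" format: ip ident user [ts] "METHOD path proto" status ...
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


@dataclass(frozen=True)
class Finding:
    kind: str     # short label of what was matched
    source: str   # client IP (inbound) or internal host (outbound)
    detail: str   # request or connection that triggered the finding


def is_trusted(ip: str) -> bool:
    """True if ip falls inside one of the assumed administrator networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_ADMIN_NETS)


def scan_access_log(lines):
    """Flag every request to a setup-restore endpoint, rating it by source."""
    findings = []
    for line in lines:
        m = COMBINED.match(line)
        if not m or not SETUP_RESTORE.search(m["path"]):
            continue
        kind = ("setup-restore from trusted network" if is_trusted(m["ip"])
                else "setup-restore from Internet")
        findings.append(Finding(kind, m["ip"],
                                f'{m["ts"]} {m["method"]} {m["path"]} -> {m["status"]}'))
    return findings


def scan_egress_log(lines):
    """Flag connections to the payload hosts Rapid7 observed."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        ts, src, dst = parts[:3]
        if dst.rsplit(":", 1)[0] in PAYLOAD_HOSTS:
            findings.append(Finding("outbound to known payload host", src, f"{ts} -> {dst}"))
    return findings


# Constructed sample logs (not real captures). 203.0.113.7 stands in for an
# Internet client, 10.0.0.9 for an administrator on the trusted range, and the
# request paths are chosen only to match the setup-restore pattern.
ACCESS_LOG = [
    '10.0.0.5 - - [05/Nov/2023:09:12:01 +0000] "GET /dashboard.action HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [05/Nov/2023:09:15:44 +0000] "POST /json/setup-restore.action HTTP/1.1" 200 312 "-" "python-requests/2.31"',
    '10.0.0.9 - - [05/Nov/2023:09:20:10 +0000] "GET /json/setup-restore-progress.action HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [05/Nov/2023:09:21:00 +0000] "GET /login.action HTTP/1.1" 200 2048 "-" "curl/8.0"',
]
EGRESS_LOG = [
    "2023-11-05T09:16:02Z 10.0.0.12 193.43.72.11:80",
    "2023-11-05T09:16:30Z 10.0.0.12 198.51.100.20:443",
    "2023-11-05T09:17:05Z 10.0.0.12 193.176.179.41:8080",
]


if __name__ == "__main__":
    for f in scan_access_log(ACCESS_LOG) + scan_egress_log(EGRESS_LOG):
        print(f"[{f.kind}] {f.source}: {f.detail}")
```

To use it on real data, replace ACCESS_LOG and EGRESS_LOG with the lines of your proxy and firewall logs. A setup-restore request from the Internet that returned 200 is the case to escalate first: once Atlassian's mitigation is in place that path should never be reachable from outside, and a hit from before the mitigation means the instance may already have been reset.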

For nearly a week, Atlassian's senior management has all but begged affected customers to patch. Organizations that remain vulnerable ignore that advice at their own risk.