400+ Unique IPs Exploiting PoC for Atlassian Confluence RCE Bug

PoC exploits for the critical CVE-2022-26134 vuln affecting Atlassian Confluence Server and Data Center were widely discussed on Twitter this weekend. The Attack Team at Horizon3.ai claims to have tested and verified the public exploits. Exploitation allows the creation of admin accounts and command execution.

Confluence exploits spreading rapidly:

Soon after a proof-of-concept exploit for the vuln was publicly posted, it spread rapidly, with researchers sharing examples on Twitter of how trivial it was to exploit.

By Saturday afternoon, Andrew Morris, the CEO of cybersecurity firm GreyNoise, tweeted that they had begun to see 23 unique IP addresses exploiting the Atlassian vulnerabilities.

Today, Morris tweeted that the number of unique IP addresses attempting to exploit this vuln had grown to 400 in just 24 hours.
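GreyNoise's count of unique source IPs is built from the requests its sensors receive; a defender can run the same kind of count over their own Confluence front-end access logs. The following Python is an added example, not code from the article or from GreyNoise, Horizon3.ai or Atlassian. It assumes the web server writes the usual combined log format, and it relies on the point from the public advisory for CVE-2022-26134 that the malicious GET request carries an OGNL expression in the URI path, so it flags any request target that still contains a `${` marker after URL-decoding (decoding twice so double-encoded variants are caught as well). The log lines are constructed sample data with documentation-range addresses, not real traffic.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in Apache/nginx combined log format (not real traffic).
# Lines 2, 3 and 5 carry a harmless '${1+1}' expression in the path, once
# URL-encoded, once raw and once double-encoded; lines 1 and 4 are normal traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [04/Jun/2022:10:01:12 +0000] "GET /login.action HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [04/Jun/2022:10:01:15 +0000] "GET /%24%7B1%2B1%7D/ HTTP/1.1" 302 0 "-" "python-requests/2.27"
198.51.100.7 - - [04/Jun/2022:10:02:40 +0000] "GET /${1+1}/ HTTP/1.1" 302 0 "-" "curl/7.68"
192.0.2.55 - - [04/Jun/2022:10:03:01 +0000] "GET /pages/viewpage.action?pageId=42 HTTP/1.1" 200 9981 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Jun/2022:10:03:09 +0000] "GET /%2524%257B1%252B1%257D/ HTTP/1.1" 302 0 "-" "curl/7.68"
"""

# Fields of the combined log format we need: client IP, timestamp, method, target, status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The OGNL expression opener; its presence in a URI path is the detection signature.
OGNL_MARKER = re.compile(r'\$\{')


def is_suspicious(target: str) -> bool:
    """True when the request target contains '${' after URL-decoding.

    Decoding twice catches both single- and double-encoded forms, so
    '%24%7B' and '%2524%257B' are treated the same as a literal '${'.
    """
    decoded = unquote(unquote(target))
    return OGNL_MARKER.search(decoded) is not None


def parse_line(line: str):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def find_exploit_attempts(log_text: str):
    """Return the parsed records of every request whose target looks like OGNL injection."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_suspicious(rec["target"]):
            hits.append(rec)
    return hits


def unique_source_ips(hits) -> Counter:
    """Count attempts per source IP, the same aggregate GreyNoise reports."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    attempts = find_exploit_attempts(SAMPLE_LOG)
    per_ip = unique_source_ips(attempts)
    print(f"{len(attempts)} suspicious requests from {len(per_ip)} unique IPs")
    for ip, n in per_ip.most_common():
        print(f"  {ip}: {n}")
```

On the sample data this reports three suspicious requests from two unique IPs. Decoding before matching matters: a rule that only looks for a literal `${` misses the encoded request on line 2 entirely, and a rule that decodes once still misses the double-encoded request on line 5. Any hit from a public-facing instance is worth treating as an attempted exploit of an unpatched server, and the list of offending IPs is the starting point for the incident-response review of that host.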

Experts with Horizon3.ai, Token and Dispersive Holdings shared their insights.

Naveen Sunkavalley, Chief Architect, Horizon3.ai:

“CVE-2022-26134 is about as bad as it gets. The vulnerability is easy to scan for and easy to exploit using a single HTTP GET request. We've verified that the public exploits released over the weekend enable arbitrary command execution and host takeover against many versions of Confluence, including the latest unpatched version 7.18.0.

“The obvious impact of this vulnerability is that public-facing Confluence instances can be easily exploited by attackers to gain a foothold into internal networks. However, the impact extends beyond that. Confluence instances often contain a wealth of user data and business-critical information that is valuable for attackers moving laterally within internal networks. We've advised our clients to patch immediately, even if their Confluence instance is not public.”

Garret Grajek, CEO, YouAttest:

“Source code attacks are some of the most effective and long-reaching attacks on the IT ecosystem. The SolarWinds attack showed us the level of damage and the magnitude of threat that embedded malware can have in our vital s/w components. By attacking the source code base the hackers are able to manipulate the code to become, in fact, agents of the hacking enterprise, cryptographically registered as legitimate components on the IT system. It is imperative that enterprises review their code and, most importantly, the identities that have control of the source system, like Atlassian, to ensure restrictive and legitimate access to their vital code bases.”

John Gunn, CEO, Token:

“As more organizations implement Multifactor Authentication and effectively lock the front door, hacking organizations are launching Ransomware attacks using other methods as witnessed by the explosion in exploits for this vulnerability. Not implementing patches immediately is the equivalent of leaving the back door propped open for attackers.”