{"id":19332,"date":"2022-06-14T05:10:20","date_gmt":"2022-06-14T13:10:20","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2022\/06\/14\/news-13065\/"},"modified":"2022-06-14T05:10:20","modified_gmt":"2022-06-14T13:10:20","slug":"news-13065","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2022\/06\/14\/news-13065\/","title":{"rendered":"“Multiple adversaries” exploiting Confluence vulnerability, warns Microsoft"},"content":{"rendered":"

Credit to Author: Christopher Boyd| Date: Tue, 14 Jun 2022 12:43:08 +0000<\/strong><\/p>\n

Microsoft has warned that “multiple adversaries and nation-state actors” are making use of the recent Atlassian Confluence RCE vulnerability. A fix is now available for CVE-2022-26134<\/a>. It is essential users of Confluence address the patching issue immediately. <\/p>\n

Confluence vulnerability: Background<\/h2>\n

At the start of June, researchers discovered a vulnerability<\/a> in Atlassian Confluence via an incident response investigation. Confluence, a Wiki-style collaboration tool, experienced a “critical unauthenticated remote code execution vulnerability”. It affected Confluence server and Confluence Data Center.<\/p>\n

The attack discovered during the investigation revealed web shells deployed on the server. These web shells allow for Persistent access on compromised web applications. The web server process and its child processes ran as root and full privileges. This is very bad news, and allowed for execution of commands even without valid credentials.<\/p>\n

Worse, the web shell found is one commonly used by various Advanced Persistent Threat (APT) groups. This almost certainly isn’t the kind of thing admins discovering an attack want to hear mid-investigation.<\/p>\n

Unfortunately, mitigation advice was somewhat limited. It veered between restricting access to just turning off Confluence Server and Data Center instances. On June 3, Atlassian released<\/a> versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1 which contained a fix for this vulnerability.<\/p>\n

The current situation<\/h2>\n

Here’s the latest observations from Microsoft:<\/p>\n

\n
\n
\n

Multiple adversaries and nation-state actors, including DEV-0401 and DEV-0234, are taking advantage of the Atlassian Confluence RCE vulnerability CVE-2022-26134. We urge customers to upgrade to the latest version or apply recommended mitigations: https:\/\/t.co\/C3CykQgrOJ<\/a><\/p>\n

— Microsoft Security Intelligence (@MsftSecIntel) June 11, 2022<\/a><\/p><\/blockquote>\n