In January 2024 [5] [8], security researchers observed thousands of attempts to exploit a remote code execution vulnerability in outdated Atlassian Confluence Data Center and Server instances [5]. The vulnerability, tracked as CVE-2023-22527 [1] [2] [3] [6] [7], is a template injection flaw that gives an unauthenticated attacker remote code execution [6]. It affects Confluence Data Center and Server versions released before December 5, 2023 [5], specifically 8.0.x through 8.5.3; the 8.5.4 LTS release and later are not affected. It is the third Confluence Data Center and Server vulnerability exploited in the wild since October 2023 [8].

Description

Multiple sources [8], including GreyNoise [4] [8], Shadowserver [3] [6] [7] [8], the SANS Internet Storm Center (ISC) [8], and The DFIR Report [8], confirmed the exploitation attempts. The vulnerability allows unauthenticated [1] [5], remote attackers to execute code on vulnerable Confluence Data Center and Server instances [5]. Over 39,000 exploitation attempts have been reported [5], originating from roughly 600 unique IP addresses [5], primarily in Russia [1], Hong Kong [1] [4], and the US [4]. Many attempts run the 'whoami' command, which both confirms that code execution works and reveals the account the Confluence service runs as [5]. Attempts to deploy cryptocurrency miners through the vulnerability have also been observed [8]. Exploitation requires only a crafted HTTP request to the Confluence web interface, so it can be launched directly against any reachable instance; [5] additionally notes that the exploit can be delivered through channels such as emails, URLs, or social media posts. Public proof-of-concept exploits have been available since January 2024 [5], putting the attack within reach of less skilled attackers [5]. Atlassian Confluence vulnerabilities are routinely exploited by a wide range of attackers [5], including state-sponsored and ransomware groups [5].

Confluence Data Center and Server are self-hosted products, typically run by organizations that keep sensitive content they do not want in the cloud [5]. Administrators are advised to update any Confluence instance released before December 5, 2023 [5], and to treat an outdated instance as potentially compromised [5]: patching closes the hole but does not remove an attacker who has already executed code, so a thorough cleanup should accompany the upgrade to a fixed version [5]. Scanning and exploitation attempts continue [4], and over 11,000 vulnerable instances remained exposed at the time of reporting [4]. Most of the scanning activity has been observed in Europe [4], North America [4], and Asia [4]. Organizations are urged to update to the latest Confluence version promptly to mitigate the risk [3].
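The two checks below are an added example, not code from the article or from Atlassian: a version test for the affected 8.0.x to 8.5.3 range described above, and a scan of a Tomcat-style access log for the unauthenticated POST requests that exploitation attempts generate, counting distinct source addresses the way the reports above do. The request path /template/aui/text-inline.vm is not named in the article; it is the path used by the public proof of concept and by published detection rules for this CVE, and is an assumption of this example. The log lines are constructed for the example and follow the default Tomcat access-log layout.

```python
"""Added example (not from the article or from Atlassian): offline triage
helpers for CVE-2023-22527 exposure on Confluence Data Center / Server.

Assumptions not taken from the article:
  * /template/aui/text-inline.vm is the request path hit by the public
    proof of concept and by published detection rules for this CVE.
  * Access logs use the default Tomcat "common" layout.
  * SAMPLE_LOG below is constructed for this example.
"""
import re
from collections import Counter

AFFECTED_MIN = (8, 0, 0)   # first affected release line (8.0.x)
AFFECTED_MAX = (8, 5, 3)   # last affected release; 8.5.4 LTS and later are fixed

# Assumption: request path used by the public PoC / detection rules.
INJECTION_PATH = "/template/aui/text-inline.vm"


def parse_version(version: str) -> tuple:
    """'8.5.3' -> (8, 5, 3). A missing patch component counts as 0 so that
    '8.4' is treated as the whole 8.4.x line."""
    parts = [int(p) for p in version.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected_version(version: str) -> bool:
    """True when the version lies inside 8.0.0..8.5.3 inclusive.
    Versions outside that range (7.19.x, 8.5.4+, 8.6.0+) are out of scope
    for this CVE; this says nothing about other Confluence vulnerabilities."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


# Tomcat common access-log layout:
# <client ip> <ident> <user> [<timestamp>] "<method> <uri> <protocol>" <status> <bytes>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def scan_access_log(lines):
    """Return (hits, unique_ips).

    hits       - one dict per POST to the injection path (ip, timestamp, status)
    unique_ips - Counter of source IPs across those hits
    Lines that do not parse are skipped rather than guessed at.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["uri"].split("?", 1)[0]          # ignore any query string
        if m["method"] == "POST" and path == INJECTION_PATH:
            hits.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"])})
    return hits, Counter(h["ip"] for h in hits)


# Constructed sample log: two scanners probing the template endpoint, plus
# normal user traffic and one unparseable line.
SAMPLE_LOG = [
    '203.0.113.10 - - [21/Jan/2024:10:00:01 +0000] "POST /template/aui/text-inline.vm HTTP/1.1" 200 512',
    '203.0.113.10 - - [21/Jan/2024:10:00:03 +0000] "POST /template/aui/text-inline.vm HTTP/1.1" 200 498',
    '198.51.100.7 - - [21/Jan/2024:10:02:44 +0000] "POST /template/aui/text-inline.vm HTTP/1.1" 200 530',
    '192.0.2.5 - alice [21/Jan/2024:10:03:10 +0000] "GET /wiki/spaces/ENG/pages/1234 HTTP/1.1" 200 8801',
    '192.0.2.5 - alice [21/Jan/2024:10:03:11 +0000] "GET /template/aui/text-inline.vm HTTP/1.1" 405 0',
    'garbage line that does not parse',
]


if __name__ == "__main__":
    for v in ("8.5.3", "8.5.4", "7.19.17"):
        print(f"Confluence {v}: {'AFFECTED' if is_affected_version(v) else 'not in affected range'}")
    hits, ips = scan_access_log(SAMPLE_LOG)
    print(f"{len(hits)} POSTs to {INJECTION_PATH} from {len(ips)} unique IPs")
    for ip, n in ips.most_common():
        print(f"  {ip}: {n}")
```

A hit in the log shows an attempt, not a confirmed compromise: the response status alone does not tell you whether the injected template executed, so any instance with hits while it was on an affected version should be handled as the "potentially compromised" case above, with the upgrade followed by a cleanup.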

Conclusion

The active exploitation of CVE-2023-22527 in Atlassian Confluence Data Center and Server poses a significant risk to organizations running affected versions. The volume of exploitation attempts and the availability of public exploit code make it urgent for administrators to upgrade to a fixed release. Instances left unpatched are exposed to unauthenticated remote code execution and to the compromise of the sensitive content they hold, and instances that were exposed while vulnerable should be treated as potentially compromised rather than simply patched. Organizations should prioritize timely patching and remain vigilant for future vulnerabilities in widely deployed platforms such as Atlassian Confluence.

References

[1] https://thehackernews.com/2024/01/40000-attacks-in-3-days-critical.html
[2] https://socprime.com/blog/cve-2023-22527-detection-maximum-severity-rce-vulnerability-in-atlassians-confluence-server-and-data-center-exploited-in-the-wild/
[3] https://www.scmagazine.com/news/thousands-of-exploit-attempts-reported-on-critical-atlassian-confluence-rce
[4] https://www.techtarget.com/searchSecurity/news/366567334/Attacks-begin-on-critical-Atlassian-Confluence-vulnerability
[5] https://www.infosecurity-magazine.com/news/hackers-target-atlassian/
[6] https://www.itpro.com/security/hackers-are-exploiting-a-critical-atlassian-confluence-vulnerability-heres-what-you-need-to-know
[7] https://www.cybersecuritydive.com/news/atlassian-confluence-active-exploitation/705337/
[8] https://www.tenable.com/blog/cve-2023-22527-atlassian-confluence-data-center-and-server-template-injection-exploited-in-the