A severe flaw in Atlassian's Confluence enterprise collaboration server, which lets attackers run malicious commands and reset servers, is being actively exploited in attacks that install ransomware, security researchers say.
Glenn Thorpe, senior director of security research and detection engineering at GreyNoise, said on Mastodon on Sunday, “Widespread exploitation of the CVE-2023-22518 authentication bypass vulnerability in Atlassian Confluence Server has begun, posing a risk of significant data loss.” He continued, “So far, the attacking IPs all include Ukraine in their target.”
He linked to a page showing three separate IP addresses that began exploiting the vulnerability, which lets an unauthenticated attacker trigger a database restore (wiping the instance's existing data) and execute malicious commands, between 12 a.m. and 8 a.m. Sunday UTC (about 5 p.m. Saturday to 1 a.m. Sunday Pacific Time). Those IPs have since stopped, but he believes exploitation is continuing.
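The defender's first two questions after a report like this are "did anyone hit the restore endpoint on my instance?" and "am I on a fixed build?". The following Python is an added example written for this page, not code from the article, GreyNoise, The DFIR Report or Atlassian. It assumes the endpoint paths (`/json/setup-restore.action`, `/json/setup-restore-local.action`, `/json/setup-restore-progress.action`) and the first fixed releases (7.19.16, 8.3.4, 8.4.4, 8.5.3, 8.6.1) as published in Atlassian's advisory for CVE-2023-22518; verify both against the current advisory before relying on them. The log lines are constructed Combined Log Format samples with documentation IP ranges.

```python
"""Added example (not from the article or Atlassian): flag requests to the
Confluence setup-restore endpoints in web-server access logs, and check a
Confluence version against the first fixed releases for CVE-2023-22518.

Assumptions: endpoint paths and fixed versions are as recalled from
Atlassian's public advisory; sample log lines below are constructed.
"""
import re
from collections import Counter

# Endpoints Atlassian advised blocking at the proxy as a mitigation (assumption).
SETUP_RESTORE_PATHS = (
    "/json/setup-restore.action",
    "/json/setup-restore-local.action",
    "/json/setup-restore-progress.action",
)

# First fixed version per release line (assumption, from the advisory).
FIXED_VERSIONS = ((7, 19, 16), (8, 3, 4), (8, 4, 4), (8, 5, 3), (8, 6, 1))

# Combined Log Format: ip ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Drop the query string so "?synchronous=true" does not defeat matching.
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def find_setup_restore_requests(lines):
    """Return every parsed request whose path ends in a setup-restore endpoint.

    endswith() tolerates a context path such as /confluence/json/...; a 403
    from a proxy block is still reported, since it shows someone probing.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].rstrip("/").lower()
        if any(path.endswith(p) for p in SETUP_RESTORE_PATHS):
            hits.append(rec)
    return hits


def sources(hits):
    """Count flagged requests per client IP (the GreyNoise-style view)."""
    return dict(Counter(h["ip"] for h in hits))


def parse_version(version):
    return tuple(int(x) for x in version.split("."))


def is_patched(version):
    """True if the version is at or above the first fixed release of its line.

    Lines without a listed fix (e.g. 8.0.x to 8.2.x) return False; any line
    newer than 8.6.1 was cut after the fix and returns True.
    """
    parts = parse_version(version)
    for fixed in FIXED_VERSIONS:
        if fixed[:2] == parts[:2]:
            return parts >= fixed
    return parts >= (8, 6, 1)


# Constructed sample: two probes from one source, one legitimate login, one
# blocked attempt against an instance served under /confluence.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Nov/2023:00:12:31 +0000] "POST /json/setup-restore.action?synchronous=true HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.22 - - [05/Nov/2023:00:13:02 +0000] "GET /login.action HTTP/1.1" 200 8431 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Nov/2023:00:12:40 +0000] "GET /json/setup-restore-progress.action HTTP/1.1" 200 64 "-" "python-requests/2.31"
192.0.2.9 - - [05/Nov/2023:01:00:00 +0000] "POST /confluence/json/setup-restore-local.action HTTP/1.1" 403 0 "-" "curl/8.4.0"
"""

if __name__ == "__main__":
    hits = find_setup_restore_requests(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f"{h['ts']} {h['ip']} {h['method']} {h['path']} -> {h['status']}")
    print("per-source counts:", sources(hits))
    for v in ("8.5.2", "8.5.3", "8.2.0", "8.7.0"):
        print(v, "patched" if is_patched(v) else "VULNERABLE")
```

A 200 on a POST to the restore endpoint from an address you do not recognise is the signal to treat the instance as compromised rather than merely probed; a 403 means the proxy block held, but the source IP still belongs in your blocklist and threat-intel notes.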
It just takes one request
The DFIR Report posted screenshots of data collected while observing the attacks. One showed a ransom note from the C3RB3R ransomware group.
Meanwhile, security firms Rapid7 and Tenable confirmed that attacks began over the weekend as w
[…]
Content was cut in order to protect the source. Please visit the source for the rest of the article.