Critical Confluence Flaw used in live Exploit Attempts and Ransomware attacks

published: Nov. 6, 2023

Take action: If you are still running Confluence Server or Data Center and haven't patched it, wake up your engineering team and start patching. Attackers have already deployed automated scanners looking for Confluence, and they have a working exploit.


The recently reported critical security flaw in Atlassian's Confluence Server and Data Center tracked as CVE-2023-22518 has drawn the attention of assorted cyber attackers. Initially, when Confluence disclosed the security gap on October 31, no active exploitation had been reported.

However, the landscape shifted dramatically after details of the defect were revealed. Within just a few days following the announcement, various efforts to leverage the vulnerability were spotted by cybersecurity experts.

Update - as of 7th of November, active ransomware and other cyberattacks against unpatched Atlassian Confluence Data Center and Server installations have driven the CVSS score of this vulnerability up from its original 9.1 to 10.
The score has been raised "due to a change in scope of the attack," according to the Atlassian advisory, which added that active exploits against the bug, including ransomware, have now been observed.

By the weekend following the alert, the team at Rapid7 started to observe exploitation attempts of this flaw targeting systems running both Windows and Linux. By November 5, 2023, Rapid7's Managed Detection and Response (MDR) team reported ongoing exploitation within several client networks, including instances where the attacks led to ransomware deployment. They verified that numerous assaults were focused on the CVE-2023-22518 flaw.

The methods used for executing the attacks were largely uniform across different systems, suggesting a single methodology and possibly even one exploitation campaign against exposed Atlassian Confluence servers on the internet. In a number of cases, attackers, after a successful breach, retrieved a harmful payload from an external server before executing the Cerber ransomware on the infiltrated systems.

Atlassian has promptly responded by issuing patches that fix this vulnerability across all affected Confluence Server and Data Center versions. Given the current wave of active attacks, it is imperative for organizations to apply these updates without delay.
