Here is an example of an actively exploited vulnerability that ransomware operators have now adopted: CVE-2022-26134, the critical unauthenticated remote code execution flaw in Atlassian Confluence Server and Data Center.
The flaw is an OGNL injection reachable through the request URI, and it hands threat actors initial access to corporate networks: an unauthenticated attacker can execute arbitrary code on an unpatched, Internet-exposed server and then, for example, create new administrative accounts to keep that access after the exploit itself is cleaned up.
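Because the injection travels in the request path, the Tomcat access log Confluence writes is usually the quickest place to look for attempts. The script below is an added example for this article (not code from Atlassian or from the researchers cited): it parses combined-format access-log lines, URL-decodes the request URI, and flags lines that carry an OGNL `${...}` expression in the path together with the Java reflection idioms the public PoCs reused. The four log lines, the addresses and the user agents are constructed to resemble real entries; they are not captures from any incident.

```python
"""Scan a Confluence (Tomcat) access log for requests that look like
CVE-2022-26134 OGNL injection attempts.

Added example for this article; it is not code from Atlassian or from the
researchers cited.  The four log lines below are constructed to resemble
Tomcat's combined access-log format; they are not real captures.
"""
import re
from urllib.parse import unquote

# Constructed sample: lines 1 and 3 are ordinary traffic, lines 2 and 4 carry
# an OGNL expression in the URI path (line 2 fully URL-encoded, line 4 mixed).
SAMPLE_LOG = r'''
10.0.0.5 - - [03/Jun/2022:10:01:12 +0000] "GET /login.action HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Jun/2022:10:01:40 +0000] "GET /%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22id%22%29%7D/ HTTP/1.1" 302 0 "-" "python-requests/2.27.1"
10.0.0.9 - - [03/Jun/2022:10:02:03 +0000] "GET /rest/api/content?spaceKey=DEV HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
198.51.100.4 - - [03/Jun/2022:10:02:55 +0000] "GET /${@java.lang.Runtime@getRuntime().exec(%22whoami%22)}/ HTTP/1.1" 302 0 "-" "curl/7.68.0"
'''

# Combined log format: client, ident, user, [timestamp], "METHOD URI PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# An OGNL expression delimiter in the *path* component is the core indicator:
# the vulnerable code evaluated "${...}" found in the request URI.
OGNL_DELIM = re.compile(r'\$\{')
# Idioms the public PoCs reused to reach command execution from OGNL.
OGNL_EXEC = re.compile(r'@[\w.]+@|getRuntime|\.exec\(|ServletActionContext', re.I)


def decode_uri(uri, rounds=3):
    """Undo URL encoding, repeating for double-encoded payloads; stops once stable."""
    for _ in range(rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def classify(line):
    """Parse one access-log line and return a dict whose 'hits' list names the
    indicators found (empty for benign traffic), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode_uri(m.group("uri"))
    path = decoded.split("?", 1)[0]      # the query string is not the injection point
    hits = []
    if OGNL_DELIM.search(path):
        hits.append("ognl-delimiter-in-path")
    if OGNL_EXEC.search(decoded):
        hits.append("ognl-exec-idiom")
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "status": int(m.group("status")),
        "uri": m.group("uri"),
        "decoded": decoded,
        "hits": hits,
    }


def scan(log_text):
    """Return the records of every line that carries at least one indicator."""
    suspicious = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = classify(line)
        if rec and rec["hits"]:
            suspicious.append(rec)
    return suspicious


if __name__ == "__main__":
    for rec in scan(SAMPLE_LOG):
        print(f'{rec["ts"]} {rec["ip"]} {rec["status"]} {",".join(rec["hits"])}')
        print("    " + rec["decoded"])
```

Two caveats when running this against real logs: the HTTP status alone does not separate a successful injection from a failed one, so it is recorded but not used as an indicator; and the access log holds the request line only, not response headers, so command output the PoCs echoed back in a header will never appear here. A hit should therefore be followed by a check for newly created administrator accounts and unexpected files under the Confluence installation, not treated as the whole investigation.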
Who’s Exploiting CVE-2022-26134?
It should first be noted that proof-of-concept exploit code appeared online shortly after Atlassian released a patch. Public PoCs make exploitation easier still, and several botnet operators quickly used the flaw to deploy cryptominers. Now ransomware operators appear to be launching attacks as well.
Prodaft researchers found that affiliates of the AvosLocker ransomware-as-a-service group are exploiting the flaw, scanning for unpatched, Internet-exposed Confluence servers and compromising them automatically and at scale.
Cerber2021 ransomware is another family being deployed through the exploit. According to Microsoft and other security researchers, the rise in successful Cerber ransomware attacks coincides with the release of the PoC exploits.
What Is Atlassian Confluence?
Atlassian Confluence is a collaboration platform, written primarily in Java and running on a bundled Apache Tomcat application server, in which users create content organised into spaces, pages, and blogs that other users can comment on and edit.
The recommended defence is to upgrade to a fixed Confluence version. If patching is not immediately possible, Atlassian has also published a workaround (replacing specific vulnerable JAR files in the installation), which should be treated as a stopgap until the upgrade is done. Patching does not evict an attacker who already got in: after upgrading, review the instance for unexpected administrator accounts and check the access logs for injection attempts.
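The upgrade advice above can be checked mechanically against a fleet inventory. The script below is an added example for this article, not an Atlassian tool: it encodes the fixed releases from Atlassian's advisory (7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1; everything earlier is affected, everything later carries the fix) and reports, for each host, whether it is patched or which release it must move to. It also handles the case the text does not spell out: a minor branch such as 7.12.x that never received a fix of its own is still vulnerable and has to move up to the next fixed branch. The host names and versions in the inventory are constructed.

```python
"""Tell whether an installed Confluence Server / Data Center version contains
the fix for CVE-2022-26134, and which release to move to if it does not.

Added example for this article, not an Atlassian tool.  The fixed releases are
the ones Atlassian listed in its advisory for the issue: 7.4.17, 7.13.7,
7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1; every earlier release is affected.
The host inventory at the bottom is constructed.
"""

# First fixed release per minor branch that received a fix.
FIXED_BY_BRANCH = {
    (7, 4): (7, 4, 17),
    (7, 13): (7, 13, 7),
    (7, 14): (7, 14, 3),
    (7, 15): (7, 15, 2),
    (7, 16): (7, 16, 4),
    (7, 17): (7, 17, 4),
    (7, 18): (7, 18, 1),
}
# Everything released after the last fixed build (7.19.x, 8.x, ...) carries the fix.
LATEST_FIX = max(FIXED_BY_BRANCH.values())


def parse_version(text):
    """'7.13.6' -> (7, 13, 6); Confluence versions always have three numeric parts."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Confluence version: {text!r}")
    return tuple(int(p) for p in parts)


def is_patched(text):
    """True if the version is at or past the fixed release for its branch."""
    v = parse_version(text)
    if v >= LATEST_FIX:
        return True
    fix = FIXED_BY_BRANCH.get(v[:2])
    return fix is not None and v >= fix


def remediation(text):
    """'patched', or the nearest fixed release to upgrade to.  Branches that never
    got a fix (for example 7.12.x) must move up to the next fixed branch; being
    absent from the advisory's list does not mean being safe."""
    v = parse_version(text)
    if is_patched(text):
        return "patched"
    fix = FIXED_BY_BRANCH.get(v[:2])
    if fix is None:
        fix = min(f for f in FIXED_BY_BRANCH.values() if f > v)
    return "upgrade to " + ".".join(map(str, fix))


def report(inventory):
    """inventory: {hostname: version string}; returns {hostname: remediation}."""
    return {host: remediation(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory, not real hosts.
    sample = {
        "wiki-prod": "7.13.6",
        "wiki-dev": "7.12.5",
        "wiki-legacy": "6.15.9",
        "wiki-new": "7.18.1",
    }
    for host, action in report(sample).items():
        print(f"{host:12} {sample[host]:8} {action}")
```

The version string is what the Confluence footer or the `confluence.version` entry in the installation reports; feed those into `report()` from whatever inventory you already keep. A host on the workaround rather than a fixed build will still show as needing an upgrade, which is the intended reading: the workaround buys time, it does not close the finding.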