Multiple ransomware collectives are actively capitalizing on recently unveiled vulnerabilities in Atlassian Confluence and Apache ActiveMQ, according to cybersecurity firm Rapid7.
CVE-2023-22518, CVE-2023-22515
The observed exploitation of CVE-2023-22518 and CVE-2023-22515 in various customer environments has resulted in the deployment of Cerber ransomware, also known as C3RB3R. Both vulnerabilities are rated critical and allow threat actors to create unauthorized Confluence administrator accounts, which puts affected instances at severe risk of data loss.
Atlassian, responding to the escalating threat, updated its advisory on November 6, acknowledging “active exploits and reports of threat actors using ransomware.” The severity of the flaw has been revised from 9.8 to the maximum score of 10.0 on the CVSS scale. The Australian company attributes the escalation to a shift in the attack’s scope.
The attack chains involve widespread exploitation of vulnerable Atlassian Confluence servers that are reachable from the internet. Successful exploitation is followed by the retrieval of a malicious payload from a remote server, which then executes the ransomware on the compromised host. Notably, GreyNoise’s data shows that exploitation attempts originate from IP addresses in France, Hong Kong, and Russia.
CVE-2023-46604
Simultaneously, Arctic Wolf Labs has disclosed that a severe remote code execution flaw affecting Apache ActiveMQ (CVE-2023-46604, CVSS score: 10.0) is being actively exploited. The vulnerability is being weaponized to deliver a Go-based remote access trojan named SparkRAT, as well as a ransomware variant resembling TellYouThePass. The cybersecurity firm stresses the urgent need for rapid remediation, since exploitation attempts are coming from multiple threat actors with distinct objectives.