Critical Atlassian Confluence Bug Exploited in Cerber Ransomware Attacks
ICARO Media Group
Attackers have seized the opportunity to exploit a recently patched, critical-severity Atlassian Confluence authentication bypass flaw, encrypting victims' files with Cerber ransomware, according to a report by BleepingComputer.
Tracked as CVE-2023-22518, the bug is described by Atlassian as an improper authorization vulnerability and has received a 9.1/10 severity rating. The flaw impacts all versions of the Confluence Data Center and Confluence Server software.
Last Tuesday, Atlassian released security updates and strongly advised administrators to promptly apply the patches to all vulnerable instances, as failure to do so could result in data loss. Chief Information Security Officer (CISO) of Atlassian, Bala Sathiamurthy, stated that "Confluence Data Center and Server customers are vulnerable to significant data loss if exploited by an unauthenticated attacker."
Atlassian subsequently issued a second warning, informing customers that a proof-of-concept exploit was available online, while noting that at that point there were no reports of active exploitation.
To mitigate the risk, Atlassian recommends implementing several measures, such as backing up unpatched instances and blocking Internet access to unpatched servers until security updates are applied.
A report from the threat monitoring service Shadowserver indicates that over 24,000 Confluence instances are exposed online, though how many of them are vulnerable to CVE-2023-22518 attacks is unknown.
In an updated advisory, Atlassian disclosed that threat actors had already begun targeting the vulnerability shortly after the release of the proof-of-concept exploit. Atlassian issued a strong call to action, urging customers to take immediate steps to protect their instances.
Over the weekend, cybersecurity companies GreyNoise and Rapid7 warned of widespread exploitation commencing on Sunday, November 5. Rapid7 observed attacks on Atlassian Confluence servers in which threat actors used the CVE-2023-22518 authentication bypass exploit as well as an older critical privilege escalation bug (CVE-2023-22515), which had previously been exploited as a zero-day.
Rapid7 further noted that the attacks involved post-exploitation command execution, leading to the deployment of the Cerber ransomware on the exploited Confluence servers.
In a joint advisory last month, CISA, the FBI, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) emphasized the urgency for network administrators to promptly secure Atlassian Confluence servers, particularly against the actively exploited CVE-2023-22515 privilege escalation bug.
This is not the first time Cerber ransomware has targeted Atlassian Confluence servers. Two years ago, attackers exploited a remote code execution vulnerability (CVE-2021-26084) to deploy Cerber ransomware and install crypto-miners.