"Cybercriminals, State-Sponsored Threat Actors Exploiting Confluence Server Vulnerability"

Security researchers at Microsoft have found that a recently patched Confluence Server vulnerability is being exploited by multiple cybercrime and state-sponsored threat groups. The security hole, tracked as CVE-2022-26134, can be exploited by an unauthenticated attacker for remote code execution. According to the researchers, it affects all supported versions of Confluence Server and Data Center, and Atlassian has patched it with the release of versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, and 7.18.1.

The researchers noted that the zero-day vulnerability was exploited before its existence came to light, but that the volume of attacks has increased significantly since disclosure. In the days immediately after the flaw was disclosed, researchers reported seeing thousands of internet-exposed Confluence servers that could have been vulnerable to attack. The initial attacks exploiting CVE-2022-26134 appeared to come from China and focused on delivering web shells. Threat intelligence company GreyNoise has so far seen more than 1,700 unique IP addresses attempting to exploit the vulnerability.

Microsoft named two groups that have been observed targeting CVE-2022-26134: DEV-0401 and DEV-0234. The former is a China-based ransomware operator known to deploy various ransomware families, including LockFile, AtomSilo, and Rook. In the attacks aimed at Confluence Server instances, the researchers have seen the delivery of a piece of ransomware named Cerber2021.
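For defenders triaging an asset inventory, the practical question is whether a given installed version is at or above the fixed release for its branch. The following is an added example (not code from the article, Microsoft or Atlassian) that classifies a Confluence version against the fixed releases named above; the handling of branches the article does not list (older branches with no named fix, and branches newer than 7.18) is an assumption stated in the code.

```python
# Added example: classify an installed Confluence Server / Data Center version against the
# fixed releases named in the article for CVE-2022-26134. The fixed-version list comes from
# the text; the treatment of unlisted branches is an assumption documented below.
from typing import Tuple

# Fixed release per (major, minor) branch, as listed in the article.
FIXED_RELEASES = {
    (7, 4): (7, 4, 17),
    (7, 13): (7, 13, 7),
    (7, 14): (7, 14, 3),
    (7, 15): (7, 15, 2),
    (7, 16): (7, 16, 4),
    (7, 17): (7, 17, 4),
    (7, 18): (7, 18, 1),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH'; a trailing build suffix such as '-beta1' is ignored."""
    core = text.strip().split("-")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(parts[0]), int(parts[1]), int(parts[2])


def cve_2022_26134_status(version_text: str) -> str:
    """Return 'patched', 'vulnerable' or 'not_covered' for an installed version.

    Assumptions (not from the article): versions are compared only within their own
    major.minor branch; any branch up to 7.18 with no listed fix (for example 7.5.x
    through 7.12.x) is treated as vulnerable, because the article says all supported
    versions were affected and names no fix for it; branches newer than the newest listed
    fix are reported as 'not_covered' so the operator checks the vendor advisory instead.
    """
    major, minor, patch = parse_version(version_text)
    branch = (major, minor)
    if branch > max(FIXED_RELEASES):
        return "not_covered"
    fixed = FIXED_RELEASES.get(branch)
    if fixed is None:
        return "vulnerable"
    return "patched" if (major, minor, patch) >= fixed else "vulnerable"
```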


SecurityWeek reports: "Cybercriminals, State-Sponsored Threat Actors Exploiting Confluence Server Vulnerability"
