Security News > 2022 > June > Atlassian Confluence Flaw Being Used to Deploy Ransomware and Crypto Miners
A recently patched critical security flaw in Atlassian Confluence Server and Data Center products is being actively weaponized in real-world attacks to drop cryptocurrency miners and ransomware payloads.
In at least two of the Windows-related incidents observed by cybersecurity vendor Sophos, adversaries exploited the vulnerability to deliver Cerber ransomware and a crypto miner called z0miner on victim networks.
All supported versions of Confluence Server and Data Center are affected.
"The vulnerability, CVE-2022-26134, allows an attacker to spawn a remotely-accessible shell, in-memory, without writing anything to the server's local storage," Andrew Brandt, principal security researcher at Sophos, said.
The disclosure overlaps with similar warnings from Microsoft, which revealed last week that "Multiple adversaries and nation-state actors, including DEV-0401 and DEV-0234, are taking advantage of the Atlassian Confluence RCE vulnerability CVE-2022-26134."
DEV-0401, described by Microsoft as a "China-based lone wolf turned LockBit 2.0 affiliate," has also been previously linked to ransomware deployments targeting internet-facing systems running VMWare Horizon, Confluence, and on-premises Exchange servers.
News URL
https://thehackernews.com/2022/06/atlassian-confluence-flaw-being-used-to.html
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-06-03 | CVE-2022-26134 | Expression Language Injection vulnerability in Atlassian Confluence Data Center In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. | 9.8 |