Security News > 2022 > June > Atlassian Confluence Flaw Being Used to Deploy Ransomware and Crypto Miners

Atlassian Confluence Flaw Being Used to Deploy Ransomware and Crypto Miners
2022-06-17 21:11

A recently patched critical security flaw in Atlassian Confluence Server and Data Center products is being actively weaponized in real-world attacks to drop cryptocurrency miners and ransomware payloads.

In at least two of the Windows-related incidents observed by cybersecurity vendor Sophos, adversaries exploited the vulnerability to deliver Cerber ransomware and a crypto miner called z0miner on victim networks.

All supported versions of Confluence Server and Data Center are affected.

"The vulnerability, CVE-2022-26134, allows an attacker to spawn a remotely-accessible shell, in-memory, without writing anything to the server's local storage," Andrew Brandt, principal security researcher at Sophos, said.

The disclosure overlaps with similar warnings from Microsoft, which revealed last week that "Multiple adversaries and nation-state actors, including DEV-0401 and DEV-0234, are taking advantage of the Atlassian Confluence RCE vulnerability CVE-2022-26134."

DEV-0401, described by Microsoft as a "China-based lone wolf turned LockBit 2.0 affiliate," has also been previously linked to ransomware deployments targeting internet-facing systems running VMWare Horizon, Confluence, and on-premises Exchange servers.


News URL

https://thehackernews.com/2022/06/atlassian-confluence-flaw-being-used-to.html

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2022-06-03 CVE-2022-26134 Expression Language Injection vulnerability in Atlassian Confluence Data Center
In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance.
network
low complexity
atlassian CWE-917
critical
9.8

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Atlassian 58 56 275 59 36 426