Security News > 2023 > November > Critical Atlassian Confluence bug exploited in Cerber ransomware attacks
Attackers are exploiting a recently patched and critical severity Atlassian Confluence authentication bypass flaw to encrypt victims' files using Cerber ransomware.
Described by Atlassian as an improper authorization vulnerability and tracked as CVE-2023-22518, this bug received a 9.1/10 severity rating, and it affects all versions of Confluence Data Center and Confluence Server software.
Cybersecurity company Rapid7 also observed attacks against Internet-exposed Atlassian Confluence servers with exploits targeting the CVE-2023-22518 auth bypass and an older critical privilege escalation previously exploited as a zero-day.
"In multiple attack chains, Rapid7 observed post-exploitation command execution to download a malicious payload hosted at 193.43.72[.]11 and/or 193.176.179[.]41, which, if successful, led to single-system Cerber ransomware deployment on the exploited Confluence server."
CISA, the FBI, and the Multi-State Information Sharing and Analysis Center issued a joint advisory last month, urging network administrators to immediately secure Atlassian Confluence servers against the actively exploited CVE-2023-22515 privilege escalation bug, which has been under active exploitation since at least September 14, according to a Microsoft report.
Cerber ransomware was also deployed in attacks targeting Atlassian Confluence servers two years ago using a remote code execution vulnerability, a bug previously exploited to install crypto-miners.
News URL
Related news
- Critical Veeam RCE bug now used in Frag ransomware attacks (source)
- CISA confirms critical Cleo bug exploitation in ransomware attacks (source)
- Massive PSAUX ransomware attack targets 22,000 CyberPanel instances (source)
- North Korean Group Collaborates with Play Ransomware in Significant Cyber Attack (source)
- North Korean govt hackers linked to Play ransomware attack (source)
- City of Columbus: Data of 500,000 stolen in July ransomware attack (source)
- Columbus, Ohio, confirms 500K people affected by Rhysida ransomware attack (source)
- CISA warns of critical Palo Alto Networks bug exploited in attacks (source)
- Halliburton reports $35 million loss after ransomware attack (source)
- New Ymir ransomware partners with RustyStealer in attacks (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-10-31 | CVE-2023-22518 | Incorrect Authorization vulnerability in Atlassian Confluence Data Center All versions of Confluence Data Center and Server are affected by this unexploited vulnerability. | 9.8 |
2023-10-04 | CVE-2023-22515 | Unspecified vulnerability in Atlassian Confluence Data Center and Confluence Server Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances. | 9.8 |