Security News > 2023 > November > Critical Atlassian Confluence bug exploited in Cerber ransomware attacks
Attackers are exploiting a recently patched and critical severity Atlassian Confluence authentication bypass flaw to encrypt victims' files using Cerber ransomware.
Described by Atlassian as an improper authorization vulnerability and tracked as CVE-2023-22518, this bug received a 9.1/10 severity rating, and it affects all versions of Confluence Data Center and Confluence Server software.
Cybersecurity company Rapid7 also observed attacks against Internet-exposed Atlassian Confluence servers with exploits targeting the CVE-2023-22518 auth bypass and an older critical privilege escalation previously exploited as a zero-day.
"In multiple attack chains, Rapid7 observed post-exploitation command execution to download a malicious payload hosted at 193.43.72[.]11 and/or 193.176.179[.]41, which, if successful, led to single-system Cerber ransomware deployment on the exploited Confluence server."
CISA, the FBI, and the Multi-State Information Sharing and Analysis Center issued a joint advisory last month, urging network administrators to immediately secure Atlassian Confluence servers against the actively exploited CVE-2023-22515 privilege escalation bug, which has been under active exploitation since at least September 14, according to a Microsoft report.
Cerber ransomware was also deployed in attacks targeting Atlassian Confluence servers two years ago using a remote code execution vulnerability, a bug previously exploited to install crypto-miners.
News URL
Related news
- French govt contractor Atos denies Space Bears ransomware attack claims (source)
- CISA warns of critical Oracle, Mitel flaws exploited in attacks (source)
- Casio says data of 8,500 people exposed in October ransomware attack (source)
- Preventing the next ransomware attack with help from AI (source)
- Ransomware on ESXi: The mechanization of virtualized attacks (source)
- Hackers exploit critical Aviatrix Controller RCE flaw in attacks (source)
- OneBlood confirms personal data stolen in July ransomware attack (source)
- Critical SimpleHelp Flaws Allow File Theft, Privilege Escalation, and RCE Attacks (source)
- Enzo Biochem settles lawsuit over 2023 ransomware attack for $7.5M (source)
- Medusa ransomware group claims attack on UK's Gateshead Council (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-10-31 | CVE-2023-22518 | Incorrect Authorization vulnerability in Atlassian Confluence Data Center All versions of Confluence Data Center and Server are affected by this unexploited vulnerability. | 9.8 |
| 2023-10-04 | CVE-2023-22515 | Unspecified vulnerability in Atlassian Confluence Data Center and Confluence Server Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances. | 9.8 |