Security News > 2023 > November > Critical Atlassian Confluence bug exploited in Cerber ransomware attacks
Attackers are exploiting a recently patched and critical severity Atlassian Confluence authentication bypass flaw to encrypt victims' files using Cerber ransomware.
Described by Atlassian as an improper authorization vulnerability and tracked as CVE-2023-22518, this bug received a 9.1/10 severity rating, and it affects all versions of Confluence Data Center and Confluence Server software.
Cybersecurity company Rapid7 also observed attacks against Internet-exposed Atlassian Confluence servers with exploits targeting the CVE-2023-22518 auth bypass and an older critical privilege escalation previously exploited as a zero-day.
"In multiple attack chains, Rapid7 observed post-exploitation command execution to download a malicious payload hosted at 193.43.72[.]11 and/or 193.176.179[.]41, which, if successful, led to single-system Cerber ransomware deployment on the exploited Confluence server."
CISA, the FBI, and the Multi-State Information Sharing and Analysis Center issued a joint advisory last month, urging network administrators to immediately secure Atlassian Confluence servers against the actively exploited CVE-2023-22515 privilege escalation bug, which has been under active exploitation since at least September 14, according to a Microsoft report.
Cerber ransomware was also deployed in attacks targeting Atlassian Confluence servers two years ago using a remote code execution vulnerability, a bug previously exploited to install crypto-miners.
News URL
Related news
- Critical SonicWall SSLVPN bug exploited in ransomware attacks (source)
- NoName ransomware gang deploying RansomHub malware in recent attacks (source)
- Port of Seattle hit by Rhysida ransomware in August attack (source)
- SolarWinds Issues Patch for Critical ARM Vulnerability Enabling RCE Attacks (source)
- Ivanti warns of another critical CSA flaw exploited in attacks (source)
- MFA bypass becomes a critical security issue as ransomware tactics advance (source)
- Critical Ivanti vTM auth bypass bug now exploited in attacks (source)
- AutoCanada says ransomware attack "may" impact employee data (source)
- Microsoft Identifies Storm-0501 as Major Threat in Hybrid Cloud Ransomware Attacks (source)
- Embargo ransomware escalates attacks to cloud environments (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-10-31 | CVE-2023-22518 | Incorrect Authorization vulnerability in Atlassian Confluence Data Center All versions of Confluence Data Center and Server are affected by this unexploited vulnerability. | 9.8 |
| 2023-10-04 | CVE-2023-22515 | Unspecified vulnerability in Atlassian Confluence Data Center and Confluence Server Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances. | 9.8 |