The Cybersecurity and Infrastructure Security Agency has observed threat actors exploiting a critical Atlassian Bitbucket Server and Data Center vulnerability in the wild, prompting its addition to the agency's Known Exploited Vulnerabilities Catalog, The Hacker News reports.
The command injection flaw, tracked as CVE-2022-36804, affects multiple Bitbucket API endpoints and lets an attacker with access to a public repository, or with read permission on a private one, execute arbitrary code by sending a crafted HTTP request.
"All versions of Bitbucket Server and Datacenter released after 6.10.17 including 7.0.0 and newer are affected; this means that all instances that are running any versions between 7.0.0 and 8.3.0 inclusive are affected by this vulnerability," Atlassian said in an advisory in late August.
While CISA did not detail how or how widely the flaw is being exploited, its listing in the KEV Catalog requires federal civilian executive branch agencies to patch by October 21.
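A quick way to triage an estate against the affected range quoted above is to read each instance's version from the Bitbucket REST endpoint GET /rest/api/1.0/application-properties and compare it with the advisory's boundaries. The script below is an added example, not code from the article or from Atlassian. It takes the affected range (7.0.0 to 8.3.0 inclusive) from the quoted advisory; the list of patched releases on individual branches is taken from Atlassian's advisory for CVE-2022-36804 and is not stated on this page, so treat it as an assumption to confirm against the advisory before relying on it. The sample JSON response is constructed for the example.

```python
"""
Added example (not from the article or Atlassian): classify a Bitbucket
Server / Data Center version against the CVE-2022-36804 affected range.
"""
import json
import re
from typing import List, Tuple

Version = Tuple[int, int, int]

# Affected range as quoted from Atlassian's advisory: 7.0.0 .. 8.3.0 inclusive.
FIRST_AFFECTED: Version = (7, 0, 0)
LAST_AFFECTED: Version = (8, 3, 0)

# Patched releases on the supported branches, per Atlassian's CVE-2022-36804
# advisory (assumption: not stated on this page; verify against the advisory).
# A build on one of these major.minor branches at or above the listed patch
# level is fixed even though it sits inside the affected range.
FIXED_VERSIONS: List[Version] = [
    (7, 6, 17), (7, 17, 10), (7, 21, 4),
    (8, 0, 3), (8, 1, 3), (8, 2, 2), (8, 3, 1),
]

# Accepts "7.21.3", "8.3.0-SNAPSHOT", "7.6" (patch defaults to 0).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Version:
    """Turn a Bitbucket version string into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Bitbucket version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable(version: str) -> bool:
    """True if the build falls in the affected range and has no fix on its branch."""
    v = parse_version(version)
    # Outside 7.0.0 .. 8.3.0 inclusive: 6.x builds and 8.3.1+ are not affected.
    if v < FIRST_AFFECTED or v > LAST_AFFECTED:
        return False
    # Inside the range, a branch that received a backported fix is safe
    # once the instance is at or above that patch level.
    for fixed in FIXED_VERSIONS:
        if fixed[:2] == v[:2] and v >= fixed:
            return False
    return True


def assess_application_properties(payload: str) -> dict:
    """Interpret the JSON body of GET /rest/api/1.0/application-properties."""
    props = json.loads(payload)
    version = props["version"]
    return {"version": version, "vulnerable": is_vulnerable(version)}


# Constructed sample response for the example (not captured from a real host).
SAMPLE_RESPONSE = json.dumps({
    "version": "7.21.3",
    "buildNumber": "7021003",
    "buildDate": "1651234567890",
    "displayName": "Bitbucket",
})

if __name__ == "__main__":
    print(assess_application_properties(SAMPLE_RESPONSE))
```

The point of the per-branch fix list is that a bare range check over-reports: 7.6.18 sits inside 7.0.0 to 8.3.0 but already carries the backported fix, while 7.7.x has no fixed release at all and must be upgraded to a supported branch. Feed the function the body of the application-properties endpoint from each instance you administer rather than guessing from install paths.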
Because PIXHELL needs no specialized audio equipment, threat actors could use social engineering or software supply chain attacks to deliver malware that triggers the covert channel, turning the victim machine's acoustic emissions into a path for exfiltrating data.
The Free Russia Foundation suspects the Russian state-sponsored threat group Coldriver of being behind the intrusion, which targeted several entities to exfiltrate internal documents, grant reports, and other correspondence in retaliation against pro-democracy Russians.
Clusters Alpha, Bravo, and Charlie operated simultaneously and carried out, respectively, target infiltration and reconnaissance, network compromise, and data exfiltration.