Vulnerable Linux servers with unpatched Atlassian Confluence Server and Data Center installations have been targeted by numerous botnets, according to BleepingComputer
GreyNoise reported that active exploitation of the Atlassian Confluence vulnerability, tracked as CVE-2022-26134,
has increased by tenfold since the emergence of proof-of-concept exploits. Three of the botnets, tracked as Kinsing, Dark.IoT, and Hezb, have been discovered by Lacework Labs researchers to have abused the flaw to facilitate backdoor and cryptominer deployment.
"Exploits involving Confluence are always popular among various threats including those targeting cloud. While Lacework Labs observed a lot of activity relative to other exploits, there is still low exposure compared to the more impactful 'coffee break' vulnerabilities such as those involving log4j or apache," said Lacework Labs.
Active exploitation of the zero-day has prompted the CISA to urge immediate blocking of all internet traffic to Confluence servers on all federal agencies' networks last week. Several security updates have also been issued by Atlassian to address the vulnerability.