Threat actors have begun exploiting a recently patched Confluence Data Center and Server vulnerability to distribute Cerber ransomware, prompting developer Atlassian to elevate the bug to the maximum possible severity rating.
Atlassian disclosed the improper authorization vulnerability (tracked as CVE-2023-22518) and issued patches on Oct. 31. The bug was initially given a critical CVSS v3 rating of 9.1.
While there were no reports of the flaw being exploited at that time, Atlassian’s chief information security officer (CISO), Bala Sathiamurthy, warned that customers who did not take steps to protect their instances could be “vulnerable to significant data loss” if exploits were to occur.
On Nov. 2, Atlassian said it had observed “publicly posted critical information about the vulnerability which increases risk of exploitation.” The following day the company said it had received a customer report of an active exploit, and again urged Confluence users to take immediate steps to protect their instances.
In a Nov. 6 blog post, Rapid7 said its managed detection and response (MDR) unit had observed Confluence being exploited in a number of environments, with at least some of the exploits targeting CVE-2023-22518.
“The process execution chain, for the most part, is consistent across multiple environments, indicating possible mass exploitation of vulnerable internet-facing Atlassian Confluence servers,” Rapid7’s researchers said in the post.
“In multiple attack chains, Rapid7 observed post-exploitation command execution to download a malicious payload hosted at 193.43.72[.]11 and/or 193.176.179[.]41, which, if successful, led to single-system Cerber ransomware deployment on the exploited Confluence server.”
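The two payload-hosting addresses quoted from the Rapid7 post are the only network indicators the article gives. As an added example (not code from the article or from Rapid7), the script below refangs those defanged indicators and sweeps a small set of constructed egress-proxy log lines for outbound connections to them, which is the kind of retrospective check a defender would run against a Confluence server's outbound traffic. The log format, the host names and the timestamps are all constructed for the example.

```python
import re
from typing import Iterable
from urllib.parse import urlparse

# Indicators exactly as quoted from the Rapid7 post, still defanged.
DEFANGED_IOCS = ["193.43.72[.]11", "193.176.179[.]41"]


def refang(indicator: str) -> str:
    """Undo common defanging so the indicator can be compared literally."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


IOC_IPS = frozenset(refang(i) for i in DEFANGED_IOCS)

# Constructed (hypothetical) proxy-log layout: "<ts> <src_ip> <dst_ip> <method> <url>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)$"
)


def find_ioc_hits(lines: Iterable[str]) -> list[dict]:
    """Return one record per log line whose destination IP or URL host is an IoC."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # blank or malformed line; skip rather than guess
        url_host = urlparse(m["url"]).hostname or ""
        if m["dst"] in IOC_IPS or url_host in IOC_IPS:
            hits.append(
                {"ts": m["ts"], "src": m["src"], "dst": m["dst"], "url": m["url"]}
            )
    return hits


# Constructed sample log: two benign lines and two outbound fetches to the IoCs.
SAMPLE_LOG = """\
2023-11-03T10:01:12Z 10.0.5.20 93.184.216.34 GET https://example.com/index.html
2023-11-03T10:02:40Z 10.0.5.20 193.43.72.11 GET http://193.43.72.11/payload.bin
2023-11-03T10:03:05Z 10.0.5.21 151.101.1.69 GET https://pypi.org/simple/
2023-11-03T10:04:51Z 10.0.5.20 193.176.179.41 GET http://193.176.179.41/x
"""


def scan_sample() -> list[dict]:
    return find_ioc_hits(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for hit in scan_sample():
        print(f"{hit['ts']} {hit['src']} -> {hit['dst']} {hit['url']}")
```

A hit only says that a host reached one of the quoted addresses; the source host should then be examined for the Confluence process chain Rapid7 describes, and the indicator list should be refreshed from the vendor advisories rather than frozen at these two values.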
Greynoise also observed threat actors attempting to exploit the vulnerability.
Cerber ransomware first appeared in 2016 and, at its peak in 2017, dominated the ransomware landscape together with WannaCry. Cerber is available to threat actors on a ransomware-as-a-service basis.
Rapid7 echoed Atlassian’s advice that Confluence users should update to a fixed version of the product “on an emergency basis” and restrict external access to the application at least until they are able to remediate.
In a Nov. 6 update to its security advisory about the vulnerability, Atlassian said in light of the observed attacks and reports of threat actors using ransomware, it had “escalated CVE-2023-22518 from CVSS 9.1 to 10, the highest critical rating, due to the change in the scope of the attack.”
Atlassian said all versions of Confluence Server and Confluence Data Center are at risk from the vulnerability, which could be remediated by migrating to one of the fixed versions: 7.19.16, 8.3.4, 8.4.4, 8.5.3, or 8.6.1.
The company said users of its Atlassian Cloud service were not affected by the bug. “If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.”
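The two preceding paragraphs give everything needed for a first-pass triage of an instance: the five fixed versions and the rule that sites served from an atlassian.net domain are Atlassian-hosted and not affected. The script below is an added example, not Atlassian's or Rapid7's code, that turns those two statements into a check. It assumes one thing the article does not state: that a release line newer than the newest fixed line (for example a hypothetical 8.7.x) shipped after the fix and is therefore patched; it also treats any line with no listed fix, such as 8.0.x or 8.2.x, as needing an upgrade, which matches the article's "all versions are at risk" wording.

```python
from urllib.parse import urlparse

# Fixed versions as listed in Atlassian's advisory (quoted in the article).
FIXED_VERSIONS = ["7.19.16", "8.3.4", "8.4.4", "8.5.3", "8.6.1"]

STATUS_CLOUD = "not affected: hosted on atlassian.net (Atlassian Cloud)"
STATUS_PATCHED = "patched: running a fixed version"
STATUS_VULNERABLE = "vulnerable: upgrade to one of " + ", ".join(FIXED_VERSIONS)


def parse_version(version: str) -> tuple[int, ...]:
    """'8.5.3' -> (8, 5, 3); a trailing build suffix such as '-1' is ignored."""
    core = version.strip().split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def is_fixed(version: str) -> bool:
    """True when the version contains the CVE-2023-22518 fix."""
    v = parse_version(version)
    fixed = [parse_version(f) for f in FIXED_VERSIONS]
    # Same release line (major.minor) as a fixed version: patched once the
    # patch number reaches the fix.
    for f in fixed:
        if v[:2] == f[:2]:
            return v >= f
    # ASSUMPTION (not stated in the article): a release line newer than the
    # newest fixed line was cut after the fix and carries it.
    if v[:2] > max(fixed)[:2]:
        return True
    # Any other line (8.0.x, 8.2.x, anything before 7.19) has no fix listed;
    # Atlassian's advice is to migrate to a fixed version.
    return False


def triage(site_url: str, version: str) -> str:
    """Combine the hosting rule and the version rule into one verdict."""
    host = (urlparse(site_url).hostname or "").lower()
    if host == "atlassian.net" or host.endswith(".atlassian.net"):
        return STATUS_CLOUD
    return STATUS_PATCHED if is_fixed(version) else STATUS_VULNERABLE


if __name__ == "__main__":
    # Constructed inputs; the host names are placeholders.
    for url, ver in [
        ("https://wiki.example.atlassian.net", "8.0.0"),
        ("https://confluence.example.internal", "8.5.2"),
        ("https://confluence.example.internal", "8.5.3"),
        ("https://confluence.example.internal", "8.2.1"),
    ]:
        print(f"{url} {ver}: {triage(url, ver)}")
```

Run it against the version shown in the Confluence administration console. Where the verdict is "vulnerable", the article's other mitigation, restricting external access to the instance until it is upgraded, still applies.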
In mid-October, government and cyber authorities reported that threat actors exploited another critical vulnerability in Confluence Data Center and Server.
That vulnerability — CVE-2023-22515 (CVSS v3 rating 9.8) — had reportedly been exploited by the Chinese-backed threat actor Microsoft tracks as Storm-0062 since Sept. 14, roughly two weeks before Atlassian released patches for it. The bug enabled remote creation of Confluence admin accounts.