#1 Trusted Cybersecurity News Platform Followed by 3.45+ million
The Hacker News Logo
Subscribe to Newsletter

Atlassian Confluence | Breaking Cybersecurity News | The Hacker News

Hackers Targeting Unpatched Atlassian Confluence Servers to Deploy Crypto Miners

Hackers Targeting Unpatched Atlassian Confluence Servers to Deploy Crypto Miners

Sep 22, 2022
A now-patched critical security flaw affecting Atlassian Confluence Server that came to light a few months ago is being actively exploited for illicit cryptocurrency mining on unpatched installations. "If left unremedied and successfully exploited, this vulnerability could be used for multiple and more malicious attacks, such as a complete domain takeover of the infrastructure and the deployment information stealers, remote access trojans (RATs), and ransomware," Trend Micro threat researcher Sunil Bharti  said  in a report. The issue, tracked as  CVE-2022-26134  (CVSS score: 9.8), was addressed by the Australian software company in June 2022. In one of the infection chains observed by the cybersecurity company, the flaw was leveraged to download and run a shell script ("ro.sh") on the victim's machine, which, in turn, fetched a second shell script ("ap.sh"). The malicious code is designed to update the  PATH variable  to include additional paths
Hackers Exploited Atlassian Confluence Bug to Deploy Ljl Backdoor for Espionage

Hackers Exploited Atlassian Confluence Bug to Deploy Ljl Backdoor for Espionage

Aug 04, 2022
A threat actor is said to have "highly likely" exploited a security flaw in an outdated Atlassian Confluence server to deploy a never-before-seen backdoor against an unnamed organization in the research and technical services sector. The attack, which transpired over a seven-day-period during the end of May, has been attributed to a threat activity cluster tracked by cybersecurity firm Deepwatch as  TAC-040 . "The evidence indicates that the threat actor executed malicious commands with a parent process of tomcat9.exe in Atlassian's Confluence directory," the company  said . "After the initial compromise, the threat actor ran various commands to enumerate the local system, network, and Active Directory environment." The Atlassian vulnerability suspected to have been exploited is  CVE-2022-26134 , an Object-Graph Navigation Language (OGNL) injection flaw that paves the way for arbitrary code execution on a Confluence Server or Data Center instance.
CISA Warns of Atlassian Confluence Hard-Coded Credential Bug Exploited in Attacks

CISA Warns of Atlassian Confluence Hard-Coded Credential Bug Exploited in Attacks

Jul 30, 2022
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday  added  the recently disclosed Atlassian security flaw to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. The vulnerability, tracked as  CVE-2022-26138 , concerns the use of hard-coded credentials when the Questions For Confluence app is enabled in Confluence Server and Data Center instances. "A remote unauthenticated attacker can use these credentials to log into Confluence and access all content accessible to users in the confluence-users group," CISA  notes  in its advisory. Depending on the page restrictions and the information a company has in Confluence, successful exploitation of the shortcoming could lead to the disclosure of sensitive information. Although the bug was addressed by the Australian software company last week in versions 2.7.38 and 3.0.5, it has since come under active exploitation , cybersecurity firm Rapid7 disclosed this week. &qu
Latest Critical Atlassian Confluence Vulnerability Under Active Exploitation

Latest Critical Atlassian Confluence Vulnerability Under Active Exploitation

Jul 29, 2022
A week after Atlassian rolled out patches to contain a critical flaw in its Questions For Confluence app for Confluence Server and Confluence Data Center, the shortcoming has now come under active exploitation in the wild. The bug in question is  CVE-2022-26138 , which concerns the use of a hard-coded password in the app that could be exploited by a remote, unauthenticated attacker to gain unrestricted access to all pages in Confluence. The real-world exploitation follows the release of the hard-coded credentials on Twitter, prompting the Australian software company to prioritize patches to mitigate potential threats targeting the flaw. "Unsurprisingly, it didn't take long [...] to observe exploitation once the hard-coded credentials were released, given the high value of Confluence for attackers who often jump on Confluence vulnerabilities to execute ransomware attacks," Rapid7 security researcher Glenn Thorpe  said . It's worth noting that the bug only exists
Atlassian Rolls Out Security Patch for Critical Confluence Vulnerability

Atlassian Rolls Out Security Patch for Critical Confluence Vulnerability

Jul 21, 2022
Atlassian has rolled out fixes to remediate a critical security vulnerability pertaining to the use of hard-coded credentials affecting  the Questions For Confluence  app for Confluence Server and Confluence Data Center. The flaw, tracked as CVE-2022-26138 , arises when the app in question is enabled on either of two services, causing it to create a Confluence user account with the username "disabledsystemuser." While this account, Atlassian says, is to help administrators migrate data from the app to Confluence Cloud, it's also created with a hard-coded password, effectively allowing viewing and editing all non-restricted pages within Confluence by default. "A remote, unauthenticated attacker with knowledge of the hard-coded password could exploit this to log into Confluence and access any pages the  confluence-users group  has access to," the company  said  in an advisory, adding that "the hard-coded password is trivial to obtain after downloading an
Atlassian Confluence Flaw Being Used to Deploy Ransomware and Crypto Miners

Atlassian Confluence Flaw Being Used to Deploy Ransomware and Crypto Miners

Jun 18, 2022
A recently patched  critical security flaw  in Atlassian Confluence Server and Data Center products is being actively weaponized in real-world attacks to drop cryptocurrency miners and ransomware payloads. In at least two of the Windows-related incidents observed by cybersecurity vendor Sophos, adversaries exploited the vulnerability to deliver Cerber ransomware and a  crypto miner  called z0miner on victim networks. The bug ( CVE-2022-26134 , CVSS score: 9.8), which was  patched  by Atlassian on June 3, 2022, enables an unauthenticated actor to inject malicious code that paves the way of remote code execution (RCE) on affected installations of the collaboration suite. All supported versions of Confluence Server and Data Center are affected. Other notable malware pushed as part of disparate instances of attack activity include Mirai and Kinsing bot variants, a rogue package called  pwnkit , and Cobalt Strike by way of a web shell deployed after gaining an initial foothold into the
Atlassian Releases Patch for Confluence Zero-Day Flaw Exploited in the Wild

Atlassian Releases Patch for Confluence Zero-Day Flaw Exploited in the Wild

Jun 04, 2022
Atlassian on Friday rolled out fixes to address a  critical security flaw  affecting its Confluence Server and Data Center products that have come under active exploitation by threat actors to achieve remote code execution. Tracked as  CVE-2022-26134 , the issue is similar to  CVE-2021-26084  — another security flaw the Australian software company patched in August 2021. Both relate to a case of Object-Graph Navigation Language ( OGNL ) injection that could be exploited to achieve arbitrary code execution on a Confluence Server or Data Center instance. The newly discovered shortcoming impacts all supported versions of Confluence Server and Data Center, with every version after 1.3.0 also affected. It's been resolved in the following versions - 7.4.17 7.13.7 7.14.3 7.15.2 7.16.4 7.17.4 7.18.1 According to stats from internet asset discovery platform  Censys , there are about 9,325 services across 8,347 distinct hosts running a vulnerable version of Atlassian Confluenc
Hackers Exploiting Unpatched Critical Atlassian Confluence Zero-Day Vulnerability

Hackers Exploiting Unpatched Critical Atlassian Confluence Zero-Day Vulnerability

Jun 03, 2022
Atlassian has warned of a critical unpatched remote code execution vulnerability impacting Confluence Server and Data Center products that it said is being actively exploited in the wild. The Australian software company credited cybersecurity firm Volexity for identifying the flaw, which is being tracked as  CVE-2022-26134 . "Atlassian has been made aware of current active exploitation of a critical severity unauthenticated remote code execution vulnerability in Confluence Data Center and Server," it  said  in an advisory. "There are currently no fixed versions of Confluence Server and Data Center available. Atlassian is working with the highest priority to issue a fix." Specifics of the security flaw have been withheld until a software patch is available. All supported versions of Confluence Server and Data Center are affected, although it's expected that all versions of the enterprise solution are potentially vulnerable. The earliest impacted version is
Atlassian Confluence RCE Flaw Abused in Multiple Cyberattack Campaigns

Atlassian Confluence RCE Flaw Abused in Multiple Cyberattack Campaigns

Sep 28, 2021
Opportunistic threat actors have been found actively exploiting a recently disclosed critical security flaw in Atlassian Confluence deployments across Windows and Linux to deploy web shells that result in the execution of crypto miners on compromised systems. Tracked as  CVE-2021-26084  (CVSS score: 9.8), the vulnerability concerns an OGNL (Object-Graph Navigation Language) injection flaw that could be exploited to achieve arbitrary code execution on a Confluence Server or Data Center instance. "A remote attacker can exploit this vulnerability by sending a crafted HTTP request containing a malicious parameter to a vulnerable server," researchers from Trend Micro  noted  in a technical write-up detailing the weakness. "Successful exploitation can result in arbitrary code execution in the security context of the affected server." The vulnerability, which resides in the Webwork module of Atlassian Confluence Server and Data Center, stems from an insufficient valid
Latest Atlassian Confluence Flaw Exploited to Breach Jenkins Project Server

Latest Atlassian Confluence Flaw Exploited to Breach Jenkins Project Server

Sep 07, 2021
The maintainers of Jenkins—a popular open-source automation server software—have disclosed a security breach after unidentified threat actors gained access to one of their servers by exploiting a recently disclosed vulnerability in Atlassian Confluence service to install a cryptocurrency miner. The "successful attack," which is believed to have occurred last week, was mounted against its Confluence service that had been deprecated since October 2019, leading the team to take the server offline, rotate privileged credentials, and reset passwords for developer accounts. "At this time we have no reason to believe that any Jenkins releases, plugins, or source code have been affected," the company  said  in a statement published over the weekend. The disclosure comes as the U.S. Cyber Command  warned  of ongoing mass exploitation attempts in the wild targeting a now-patched critical security vulnerability affecting Atlassian Confluence deployments. Tracked as CVE-2
U.S. Cyber Command Warns of Ongoing Attacks Exploiting Atlassian Confluence Flaw

U.S. Cyber Command Warns of Ongoing Attacks Exploiting Atlassian Confluence Flaw

Sep 04, 2021
The U.S. Cyber Command on Friday warned of ongoing mass exploitation attempts in the wild targeting a now-patched critical security vulnerability affecting Atlassian Confluence deployments that could be abused by unauthenticated attackers to take control of a vulnerable system. "Mass exploitation of Atlassian Confluence  CVE-2021-26084  is ongoing and expected to accelerate," the Cyber National Mission Force (CNMF)  said  in a tweet. The warning was also echoed by the U.S. Cybersecurity and Infrastructure Security Agency ( CISA ) and  Atlassian itself  in a series of independent advisories. Bad Packets  noted  on Twitter it "detected mass scanning and exploit activity from hosts in Brazil, China, Hong Kong, Nepal, Romania, Russia and the U.S. targeting Atlassian Confluence servers vulnerable to remote code execution." Atlassian Confluence is a widely popular web-based documentation service that allows teams to create, collaborate, and organize on different proj
More Resources

Sign up for free and start receiving your daily dose of cybersecurity news, insights and tips.