Cloud-Based Adversary Capitalizes on Confluence Servers

January 6, 2023

If you run a Confluence server, you are probably aware that several security researchers have identified a cloud-based adversary that capitalizes on Confluence servers and tries to gain access to them. These attacks are possible because of a Remote Code Execution (RCE) vulnerability in Confluence.

Exploiting a Confluence RCE vulnerability

Confluence is a web-based team collaboration platform that is popular among large organizations. It is used to build internal wikis and knowledge bases. Recently, attackers have been able to exploit a Confluence RCE vulnerability that leads to the remote execution of arbitrary commands. This makes it an attractive target for an attacker's initial entry into a corporate network.

The CVE-2022-26134 zero-day vulnerability is used by attackers to run arbitrary code on a vulnerable Confluence Server. It is triggered through specially crafted HTTP requests; the attacker then reads the response header to retrieve the result of the executed commands.

Atlassian issued a security advisory to address the issue. It details the vulnerability and offers suggestions for mitigating the impact. It recommends updating to a fixed version or otherwise disabling affected servers.

Malware

Earlier this week, a vulnerability in Atlassian Confluence Server and Confluence Data Center was exploited. This zero-day flaw allows unauthenticated remote attackers to execute privileged commands and potentially steal valuable information from affected systems. Specifically, it is an RCE vulnerability that lets attackers install a web shell on the system and even take over domains.

A security advisory describing the vulnerability was issued by the company. The company said that the flaw is critical and should be patched. The issue was assigned a CVE identifier, which means that it is publicly tracked.

The flaw is actively exploited in the wild. Researchers have identified dozens of IP addresses that have attempted to exploit it. The attacks appear to be targeted, as evidenced by the fact that the attackers were not attempting to pivot from one machine to another.
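The two observations above (exploitation arrives as a specially crafted HTTP request, and responders end up with a list of source IP addresses that attempted it) translate directly into a log-review task. The script below is an added example, not code from the original post or from Atlassian: it scans Tomcat-style access-log lines, percent-decodes each request path (twice, so double-encoded requests are not missed), flags paths carrying an OGNL-style `${...}` expression, and tallies attempts per source address. The log lines are constructed for the example, the regex assumes the common log format Confluence's Tomcat writes, and the indicator tokens are an illustrative set, not a complete signature.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in Tomcat access-log (common log) format. They are
# invented for this example and are not captures from any real server.
SAMPLE_LOG = """\
203.0.113.10 - - [03/Jun/2022:10:15:01 +0000] "GET /%24%7B%28%23probe%3D1%29%7D/ HTTP/1.1" 302 0
198.51.100.7 - - [03/Jun/2022:10:15:03 +0000] "GET /pages/viewpage.action?pageId=123 HTTP/1.1" 200 5120
203.0.113.10 - - [03/Jun/2022:10:15:05 +0000] "GET /%2524%257B%2540java.lang.System%2540getProperty%2528%2522os.name%2522%2529%257D/ HTTP/1.1" 302 0
192.0.2.44 - - [03/Jun/2022:10:16:00 +0000] "POST /rest/api/content HTTP/1.1" 200 88
"""

# Assumed common log format: ip ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Tokens that distinguish an OGNL expression from a stray "${" in a path.
# Illustrative set chosen for this example, not an exhaustive signature.
OGNL_INDICATORS = ("@java.", "@org.", "#", "getRuntime", ".exec(", "getProperty")


def decode_path(path, max_rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded requests are seen."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def analyze_line(line):
    """Return a finding dict for a suspicious request, or None for a benign one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode_path(m.group("path"))
    if "${" not in decoded:
        return None
    return {
        "ip": m.group("ip"),
        "timestamp": m.group("ts"),
        "status": int(m.group("status")),
        "path": m.group("path"),
        "decoded": decoded,
        "indicators": [t for t in OGNL_INDICATORS if t in decoded],
    }


def scan_log(text):
    """Scan a whole access log; returns the findings in file order."""
    return [f for f in (analyze_line(ln) for ln in text.splitlines()) if f]


def suspicious_sources(findings):
    """Attempts per source IP: the list a responder blocks or investigates."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f["timestamp"], f["ip"], f["status"], f["decoded"], f["indicators"])
    print("attempts per source:", dict(suspicious_sources(found)))
```

A `302` on a path that decodes to `${...}` is worth a second look on its own: a normal Confluence page request does not carry an expression in the path, so the status code does not need to be an error for the line to matter. Run the scanner over the full access-log history, not just the day the advisory appeared, since the page notes the flaw was exploited before it was public.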

Ransomware

A zero-day flaw in Atlassian Confluence Server has allowed hackers to take control of servers and deploy ransomware. The flaw has been used in attacks against both Linux and Windows systems, and it is now also being abused to mine cryptocurrency.

The vulnerability, tracked as CVE-2022-26134, was discovered by Volexity researchers. Volexity detected a suspicious intrusion at a customer site and reported the flaw to Atlassian. They then published a technical write-up on the issue and released a proof-of-concept exploit.

The Atlassian Confluence Server vulnerability allows an unauthenticated user to drop an in-memory-only web shell on the server. Once the shell is deployed, it gives the attacker a persistent backdoor. This matters because it lets the attacker launch arbitrary commands on the system. The shell can also be used to drop other malware on the system.

Smart Links

Using Smart Links on Confluence Servers allows users to share information with colleagues. Embedded content is easy to use and brings the link’s content and experience into the Atlassian product. This provides users with the ideal overview without leaving the page.

For example, if you create a Jira Roadmap within your business project, you can embed it in Confluence. You can resize the embedded Roadmap to fit your page, and you can also manage dependencies from it. This helps you maintain the flow of work and avoid data silos.

Confluence offers a wealth of templates, which you can use to boost your personal productivity and improve teamwork. These include annual review templates, weekly financial statements, and project kick-off templates. These templates allow you to ensure that your team’s content remains consistent, whether you’re working together in the same office or on different projects.

Monitoring and logging capabilities

Monitoring and logging capabilities of Confluence Servers are vital for knowing when connection and email delivery problems occur. In addition to monitoring, it is also important to understand the latencies involved in searching.

The Atlassian audit log is an excellent source for identifying issues and determining which settings are configured correctly. However, it is not a foolproof method for determining whether a particular configuration is appropriate.

The best way to monitor Confluence is to use the JMX feature. This allows you to monitor your Confluence instance in real time. It does this in a similar fashion to existing application metrics, and it is even possible to configure the system to send specific entries to different log files.

The Java Management Extensions (JMX) feature can be used to detect and diagnose performance problems, or to identify potential security risks. Using JMX, you can access a large array of metrics.

Ammar Fakhruddin

ABOUT AUTHOR

Ammar brings in 18 years of experience in strategic solutions and product development in Public Sector, Oil & Gas and Healthcare organizations. He loves solving complex real world business and data problems by bringing in leading-edge solutions that are cost effective, improve customer and employee experience. At Propelex he focuses on helping businesses achieve digital excellence using Smart Data & Cybersecurity solutions.

