On September 3, 2021, USCYBERCOM issued an alert related to mass exploitation of an Atlassian Confluence Server and Data Center vulnerability, CVE-2021-26084. The threat is ongoing and expected to accelerate.

Atlassian Confluence is a popular web-based corporate team workspace designed to help employees collaborate on various projects.
Successful exploitation of this vulnerability could allow an unauthenticated user to execute arbitrary code on a Confluence Server or Data Center instance. Depending on the privileges associated with the instance, an attacker could view, change, or delete data.
On August 25, 2021, Atlassian issued security updates to address the actively exploited Confluence remote code execution (RCE) vulnerability tracked as CVE-2021-26084, which enables unauthenticated attackers to execute commands on a vulnerable server remotely.
Multiple threat actors began scanning for and exploiting this recently disclosed Confluence vulnerability to install crypto miners after a PoC exploit was publicly released six days after Atlassian's patches were issued.
Cybersecurity intelligence firm Bad Packets also spotted threat actors from multiple countries deploying and launching PowerShell or Linux shell scripts on compromised Confluence servers.
Even though these attackers are currently only deploying cryptocurrency miners, attacks can quickly escalate if the threat actors start moving laterally through corporate networks from compromised on-prem Confluence servers to drop ransomware payloads and exfiltrate data.