IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Exploitation of Atlassian Confluence zero-day surges fifteen-fold in 24 hours

The zero-day code execution vulnerability was discovered last week and cyber attackers are already capitalising on the proof-of-concept code

The exploitation of a critical-severity remote code execution (RCE) zero-day flaw in Atlassian Confluence Server and Data Center has increased by nearly fifteen times in the two days since active attacks were first registered.

Experts at internet security firm GreyNoise said the number of unique IP addresses launching attacks using the RCE flaw, tracked as CVE-2022-26134, has risen from 28 to 400 since Friday when exploitation began.

Cyber security company Volexity first reported that it discovered the RCE vulnerability over the US’ Memorial Day weekend (28-30 May) after noticing suspicious activity on two internet-facing web servers.

It was assigned a CVE tracking code on 31 May and Volexity published its findings last week, with a clear rise in active exploits on current versions following a day after, on 3 June.

Atlassian released a patch for the unauthenticated RCE flaw on Friday, urging all customers to upgrade to the latest version to avoid being targeted by attackers with access to proof-of-concept (PoC) exploit code.

According to Atlassian, the company has released the following new Confluence versions that all contain a fix for the security issue:

  • 7.4.17
  • 7.13.7
  • 7.14.3
  • 7.15.2
  • 7.16.4
  • 7.17.4
  • 7.18.1

Admins who are unable to upgrade to the latest versions of Confluence are advised to mitigate the flaw with a workaround which involves updating several specific .JAR files. More information and full instructions can be found via Atlassian’s security advisory.

An analysis of the situation by Unit 42 revealed nearly 20,00 Confluence servers found to be potentially affected by the exploit as of last week, with most of the victims residing either in the US, German, Russia, and China.

It also said there was evidence of early exploitation as far back as 26 May with targets across various industries.

Volexity said in its initial analysis that early exploits seemed to be conducted by multiple threat actors likely to be operating out of China.

Deconstructing the zero-day

Volexity’s initial analysis of the zero-day’s exploitation revealed that attackers were using the vulnerability to drop several malicious implants in the form of web shells on victims’ environments.

Attackers were using the open-source Behinder web server implant previously linked to Chinese threat actors by Avast.

“Behinder provides very powerful capabilities to attackers, including memory-only web shells and built-in support for interaction with Meterpreter and Cobalt Strike,” said Volexity. “This method of deployment has significant advantages by not writing files to disk. At the same time, it does not allow persistence, which means a reboot or service restart will wipe it out.

Related Resource

Unified endpoint management solutions 2021-22

Analysing the UEM landscape

Whitepaper cover with title on shaded pink/purple backgroundFree Download

“Once Behinder was deployed, the attacker used the in-memory web shell to deploy two additional web shells to disk: China Chopper and a custom file upload shell.”

The researchers noted that China Chopper was installed but was rarely accessed, according to web logs, leading them to the conclusion that it was installed simply as a means of secondary access.

Delving further into the web logs, Volexity also discovered the commonly executed commands made by the attackers once they had access.

Among these were reconnaissance commands - checking the operating system version and examining the contents of password files. 

Attackers then looked for user tables from the Confluence database and dumped them before attempting to deploy anti-analysis tactics by altering web logs to remove evidence of exploitation.

They also wrote additional web shells to the victims’ disks, but not all of these could be recovered, Volexity said.

Specific details regarding how the exploit takes place have not been made public, but Tenable said that past attacks on Atlassian Confluence have involved sending specially crafted requests to vulnerable Confluence Server or Data Center instances to execute code and fully take over the system.

One of the most recent examples of attacks on Confluence came less than a year ago when the US Cyber Command warned of a highly exploitable flaw that led to code execution. 

That security incident came three months after a separate one-click flaw was found to affect Atlassian Jira, the company’s bug-tracking and project management tool, that allowed hackers to steal sensitive information.

Featured Resources

The state of Salesforce: Future of business

Three articles that look forward into the changing state of Salesforce and the future of business

Free Download

The mighty struggle to migrate SAP to the cloud may be over

A simplified and unified approach to delivering Enterprise Transformation in the cloud

Free Download

The business value of the transformative mainframe

Modernising on the mainframe

Free Download

The Total Economic Impact™ Of IBM FlashSystem

Cost savings and business benefits enabled by FlashSystem

Free Download


Kaspersky exposes MysterySnail zero-day exploit in Windows
zero-day exploit

Kaspersky exposes MysterySnail zero-day exploit in Windows

13 Oct 2021

Most Popular

Cyber attack on software supplier causes "major outage" across the NHS
cyber attacks

Cyber attack on software supplier causes "major outage" across the NHS

8 Aug 2022
Why convenience is the biggest threat to your security

Why convenience is the biggest threat to your security

8 Aug 2022
How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

29 Jul 2022