CISA, FBI Warns of Critical Atlassian Zero-Day Flaw Under Active Attack


A serious security flaw in some versions of Atlassian Confluence Data Center and Server has been exploited by hackers. 

They have used this flaw to create fake admin accounts and access Confluence servers. This flaw is called CVE-2023-22515, affecting Confluence versions from 8.0.0 to 8.19.1.

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have warned network administrators to update their Confluence servers as soon as possible. 

They have also provided ways to detect and respond to attacks that exploit this flaw. Atlassian released a patch for it on October 4, 2023. 

However, hackers exploited it before the patch was available, making it a zero-day attack. Atlassian Cloud sites are not affected by this flaw.



The hackers have used a simple method to exploit this flaw. They have sent a request to the /server-info.action endpoint, which is open to anyone, and then to the /setup/setupadministrator.action endpoint to create a new admin user. 

This flaw is classified as a Broken Access Control vulnerability, meaning hackers can bypass the normal security checks. The hackers have accessed the Confluence servers and stolen data from them. 

They have used tools like cURL and Rclone to download or upload data to other services. There may be other ways that hackers have used to steal data, but these are the ones observed so far.

What You Need To Do

This flaw is very dangerous and easy to exploit. CISA added it to its list of Known Exploited Vulnerabilities on October 5, 2023. If you are using an affected version of Confluence, you need to take action immediately.

The best way to protect your Confluence server is to update it to a fixed version or take it offline until you can do so. Atlassian has provided instructions on updating your server and which versions are fixed. 

They have also suggested some temporary measures to block some of the attack vectors, but they are not enough to stop all attacks. If you find any evidence of an attack, you need to respond quickly and follow the incident response guidelines.

Organizations need to exercise caution and verify the IP addresses associated with this activity before taking any action, such as blocking them. Microsoft has also provided additional IP addresses associated with exploit traffic.

Detection and Incident Response

Network defenders are strongly encouraged to review and deploy Proofpoint’s Emerging Threats signatures and set up alerts for signs of exploitation. 

Additionally, application and server-level logging from Confluence servers should be aggregated into a separate log search and alerting system to identify signs of exploitation. 
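As an added illustration of the log review suggested above (this is not code from the advisory or from Atlassian), the script below scans web-server access logs for the two-step sequence described earlier: a probe of /server-info.action followed by a request to /setup/setupadministrator.action from the same client. The sample lines are constructed and use the common log format; the real access-log layout of a given Confluence deployment is an assumption that may require adjusting the regular expression.

```python
import re

# Constructed sample access-log lines (common log format); not taken from the advisory.
SAMPLE_LOG = """\
203.0.113.10 - - [03/Oct/2023:14:01:02 +0000] "GET /server-info.action HTTP/1.1" 302 0
203.0.113.10 - - [03/Oct/2023:14:01:05 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 200 512
198.51.100.7 - - [03/Oct/2023:14:02:11 +0000] "GET /spaces/ENG/overview HTTP/1.1" 200 8123
192.0.2.44 - - [03/Oct/2023:14:03:40 +0000] "GET /server-info.action HTTP/1.1" 200 1033
"""

# Assumed log layout: client IP, identd, user, [timestamp], "METHOD path protocol", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

SERVER_INFO = "/server-info.action"
SETUP_ADMIN = "/setup/setupadministrator.action"


def parse_lines(text):
    """Yield one dict per parseable log line, with the query string stripped from the path."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            req = m.groupdict()
            req["path"] = req["path"].split("?", 1)[0]
            yield req


def find_suspicious(text):
    """Return (ip, reason) findings.

    On an instance that has already completed setup, any request to the
    setup-administrator endpoint is unexpected; when the same client probed
    /server-info.action first, the sequence matches the one in the advisory.
    """
    findings = []
    probed = set()
    for req in parse_lines(text):
        ip = req["ip"]
        if req["path"] == SERVER_INFO:
            probed.add(ip)
        elif req["path"] == SETUP_ADMIN:
            reason = ("setup-admin endpoint after server-info probe"
                      if ip in probed else "setup-admin endpoint requested")
            findings.append((ip, reason))
    return findings


if __name__ == "__main__":
    for ip, reason in find_suspicious(SAMPLE_LOG):
        print(f"ALERT {ip}: {reason}")
```

Run it against aggregated access logs from the separate log system the advisory recommends; a lone /server-info.action request is not flagged because that endpoint is reachable by anyone.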

Organizations are advised to take immediate action if they suspect or detect a compromise, including quarantining affected hosts, provisioning new account credentials, reimaging compromised hosts, and reporting the compromise to the relevant authorities.

Mitigations and Best Practices

To mitigate the risks associated with this vulnerability, CISA, FBI, and MS-ISAC recommend upgrading to fixed versions, mandating phishing-resistant multifactor authentication (MFA), and adhering to best cybersecurity practices in both production and enterprise environments. 

These measures aim to strengthen the security posture of organizations while reducing the likelihood and impact of cyber risks.

