Atlassian Confluence: ongoing attacks
Atlassian Confluence is a web-based software platform designed as a shared workspace for employee collaboration on business activities and internal projects.
On 25 August, Atlassian released an update addressing a critical security vulnerability documented as CVE-2021-26084, recommending immediate application of the security patch available at the link. The CVE concerns a potential Remote Code Execution (RCE) vulnerability with a CVSS score of 9.8. The US Cyber Command (USCYBERCOM) also issued an advisory urging organizations to install the latest update to remediate this critical Atlassian Confluence vulnerability.
The vulnerability is an injection flaw in the handling of Object-Graph Navigation Language (OGNL) expressions in on-premises Confluence Server and Data Center; Confluence sites hosted on Atlassian's Cloud infrastructure are not affected.
Following disclosure, multiple proof-of-concept exploits have been developed demonstrating how to leverage this vulnerability to achieve arbitrary remote code execution.
We tracked a compromise attempt against this application in a Linux environment, detected and contained without security impact. The risk was immediately mitigated through implementation of access restrictions on the affected server.
Active Compromise Operations
From 1 September onward, owing to the relative ease of exploitation, we observed large-scale scanning campaigns targeting identification and compromise of vulnerable systems.
The vulnerability has been exploited for deployment of cryptominers on both Windows and Linux systems.
Multiple commands and scripts have been identified that install XMRig (a Monero miner) on compromised hosts.
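The scanning campaigns described above leave a recognisable trace in the Confluence web server access log: request parameters carrying OGNL expression syntax, often percent-encoded once or twice to slip past naive filters. The following detector is an added example for this advisory, not code from Atlassian or from the original post; the log lines are constructed samples in combined log format, the marker patterns are assumed indicators, and the IP addresses are documentation ranges.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Sep/2021:10:02:11 +0000] "GET /pages/viewpage.action?pageId=42 HTTP/1.1" 200 8123
203.0.113.9 - - [01/Sep/2021:10:03:02 +0000] "GET /login.action?os_username=%23%7B1%2A1%7D HTTP/1.1" 200 5120
203.0.113.9 - - [01/Sep/2021:10:03:05 +0000] "GET /login.action?os_username=%2523%257B1%252A1%257D HTTP/1.1" 200 5120
198.51.100.7 - - [01/Sep/2021:10:04:40 +0000] "POST /pages/doenterpagevariables.action?q=%40java.lang.Math%40abs%281%29 HTTP/1.1" 200 77
"""

# Client IP, method and request target from a combined-format access-log line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"')

# OGNL syntax that has no legitimate reason to appear in a Confluence form field
# (assumed indicator set; extend it from your own WAF or IDS signatures).
OGNL_MARKERS = [
    re.compile(r'[#$%]\{'),       # expression delimiters: #{ ${ %{
    re.compile(r'@[\w.]+@\w+'),   # static member reference: @pkg.Class@member
]

def decode_target(target: str) -> str:
    """Percent-decode the request target twice, because scanners often double-encode."""
    return unquote_plus(unquote_plus(target))

def is_ognl_probe(target: str) -> bool:
    """True if the decoded path or query string carries OGNL expression syntax."""
    decoded = decode_target(target)
    return any(marker.search(decoded) for marker in OGNL_MARKERS)

def scan_log(lines):
    """Return (flagged_events, hits_per_source_ip) for a sequence of access-log lines."""
    flagged, per_ip = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than abort on noisy input
        if is_ognl_probe(m["target"]):
            flagged.append((m["ip"], m["method"], decode_target(m["target"])))
            per_ip[m["ip"]] += 1
    return flagged, per_ip

if __name__ == "__main__":
    events, sources = scan_log(SAMPLE_LOG.splitlines())
    for ip, method, target in events:
        print(f"OGNL probe from {ip}: {method} {target}")
    print("hits per source:", dict(sources))
```

Sources that repeatedly trip the markers during the scanning window are candidates for the access restrictions mentioned above; a single hit against a patched instance is noise, a hit against an unpatched one is an incident.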
Associated Risk Factors
The severity of this vulnerability is particularly elevated due to the sensitivity of data processed within such systems and the risk of more sophisticated attack chains including lateral movement across network infrastructure, data exfiltration (TA0010), and ransomware deployment. Organizations should prioritize patching efforts and implement network segmentation to limit the blast radius of potential compromise; our Cybersecurity Advisory services can assist in rapid vulnerability assessment and remediation prioritization across enterprise environments.