{"id":3154,"date":"2021-09-06T12:02:30","date_gmt":"2021-09-06T10:02:30","guid":{"rendered":"https:\/\/fortgale.com\/news\/?p=3154"},"modified":"2026-06-08T22:47:11","modified_gmt":"2026-06-08T22:47:11","slug":"atlassian-confluence-active-attacks","status":"publish","type":"post","link":"https:\/\/fortgale.com\/blog\/emerging-threats\/atlassian-confluence-active-attacks\/","title":{"rendered":"Atlassian Confluence: ongoing attacks"},"content":{"rendered":"\n<p style=\"text-align: justify\"><strong>Atlassian Confluence<\/strong> is a web-based software platform designed as a shared workspace for employee collaboration on business activities and internal projects.<\/p>\n<p style=\"text-align: justify\">On <strong>25 August<\/strong>, Atlassian released an update addressing a critical security vulnerability documented as <strong>CVE-2021-26084<\/strong>, recommending immediate application of the security patch available at the <a href=\"https:\/\/confluence.atlassian.com\/doc\/confluence-security-advisory-2021-08-25-1077906215.html\">link<\/a>. The CVE concerns a potential <strong>Remote Code Execution<\/strong> (RCE) vulnerability with a CVSS score of <strong>9.8<\/strong>. The <strong>US Cyber Command<\/strong> (USCYBERCOM) also issued an advisory urging organizations to install the latest update to remediate this critical Atlassian Confluence vulnerability.<br \/>The vulnerability consists of an <strong>injection<\/strong> attack targeting <strong>Object-Graph Navigation Language<\/strong> (OGNL). 
Atlassian instances hosted on Cloud infrastructure are not affected by this vulnerability.<\/p>\n<p style=\"text-align: justify\">Following disclosure, multiple <strong>proof-of-concept<\/strong> exploits have been developed demonstrating how to leverage this vulnerability to achieve arbitrary remote code execution.<\/p>\n<p style=\"text-align: justify\">We tracked a <strong>compromise attempt<\/strong> against this application in a <strong>Linux environment<\/strong>, detected and contained without security impact. The risk was immediately mitigated through implementation of access restrictions on the affected server.<\/p>\n\n\n\n<h3 class=\"has-text-align-center wp-block-heading\">Active Compromise Operations<\/h3>\n\n\n\n<p style=\"text-align: justify\">From 1 September onward, owing to the relative ease of exploitation, we observed <strong>large-scale scanning campaigns<\/strong> targeting identification and <strong>compromise of vulnerable systems<\/strong>.<\/p>\n<p style=\"text-align: justify\">The vulnerability has been exploited for deployment of <strong>cryptominers<\/strong> on both <strong>Windows<\/strong> and <strong>Linux<\/strong> systems.<\/p>\n<p style=\"text-align: justify\">Multiple commands and scripts have been identified for installation of <strong>XMRig<\/strong> (Monero mining):<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/www.bleepstatic.com\/images\/news\/security\/c\/confluence\/rce-miners\/powershell-command.jpg\" alt=\"\" loading=\"lazy\" \/><figcaption>Source: <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/atlassian-confluence-flaw-actively-exploited-to-install-cryptominers\/\">Atlassian Confluence flaw actively exploited to install cryptominers (bleepingcomputer.com)<\/a><\/figcaption><\/figure>\n\n\n\n<h2 class=\"has-text-align-center wp-block-heading\">Associated Risk Factors<\/h2>\n\n\n\n<p style=\"text-align: justify\">The severity of this vulnerability is particularly 
elevated due to the <strong>sensitivity of data processed<\/strong> within such systems and the risk of more sophisticated attack chains including <strong>lateral movement<\/strong> across network infrastructure, <strong>data exfiltration<\/strong> (TA0010), and <strong>ransomware deployment<\/strong>. Organizations should prioritize patching efforts and implement network segmentation to limit the blast radius of potential compromise; our <a href=\"https:\/\/fortgale.com\/en\/cybersecurity-advisory\/\">Cybersecurity Advisory<\/a> services can assist in rapid vulnerability assessment and remediation prioritization across enterprise environments.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Active exploitation of Atlassian Confluence vulnerabilities: CVEs targeted, post-exploitation behaviour, IOCs observed and remediation steps for affected deployments.<\/p>\n","protected":false},"author":1,"featured_media":3175,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[3210,3209,3149,3211],"class_list":["post-3154","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-emerging-threats","tag-active-exploitation","tag-atlassian-confluence","tag-patch-management","tag-web-application"],"_links":{"self":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/3154","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/comments?post=3154"}],"version-history":[{"count":1,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/3154\/revisions"}],"predecessor-version":[
{"id":9871,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/3154\/revisions\/9871"}],"wp:attachment":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media?parent=3154"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/categories?post=3154"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/tags?post=3154"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}