Exploitation of Critical Confluence Vulnerability Begins

The first in-the-wild exploitation attempts targeting a recent vulnerability in Atlassian Confluence Data Center and Confluence Server were observed over the weekend, threat intelligence firm GreyNoise warns.

Patched a week ago, the critical security defect tracked as CVE-2023-22518 (CVSS score of 9.1) is an improper authorization flaw that could lead to “significant data loss”, Atlassian warned. The issue impacts all Confluence versions.

Less than five days after releasing the patch, Atlassian issued a second warning, informing customers that “critical information about the vulnerability” had been made public, and that the risk of exploitation had increased significantly.

The enterprise software maker issued the fresh alert on the same day that ProjectDiscovery published technical information on the flaw, along with details on potential exploitation methods.

On Friday, Atlassian updated its initial advisory again, to warn that the vulnerability is under active exploitation.

“We received a customer report of an active exploit. Customers must take immediate action to protect their instances. If you already applied the patch, no further action is required,” the company’s updated advisory reads.

Over the weekend, GreyNoise’s scanners caught in-the-wild exploitation of CVE-2023-22518 targeting organizations in the US, Taiwan, Ukraine, Georgia, Latvia, and Moldova.

Attacks were originating from three different IP addresses, GreyNoise CEO and founder Andrew Morris pointed out on Sunday.


While the issue cannot be exploited to exfiltrate data from vulnerable Confluence servers, it can be used, without authentication, to replace the state of an instance with attacker-supplied data.

Rapid7 too has observed multiple attempts to exploit web-accessible Confluence servers and says that at least some of the attacks targeted CVE-2023-22518, while others targeted CVE-2023-22515, a critical Confluence zero-day that came to light on October 4. 

“The process execution chain, for the most part, is consistent across multiple environments, indicating possible mass exploitation of vulnerable internet-facing Atlassian Confluence servers,” Rapid7 notes in a November 6 post.

Multiple attack chains, the cybersecurity firm notes, involved the post-exploitation execution of commands to download a malicious payload, leading to a Cerberus ransomware infection. 

Confluence Data Center and Server versions 7.19.16, 8.3.4, 8.4.4, 8.5.3, and 8.6.1 were released last week to address CVE-2023-22518. All users are advised to update their instances as soon as possible or at least create backups and block internet access to vulnerable instances until patches are applied.

*Updated with information from Rapid7


https://www.securityweek.com/exploitation-of-critical-confluence-vulnerability-begins/




Ukrainian hacktivists have dismantled Trigona’s servers


The Ukrainian Cyber Alliance (UCA), a community of Ukrainian cyber hacktivists, has announced that it hacked the servers of Trigona, a ransomware group of presumed Russian affiliation that, since October 2022, has hit numerous organizations around the world, including in Italy.

The UCA, formed in 2014 from the merger of the hacktivist groups FalconsFlame and Trinity, has Ukrainian members all over the world. The alliance was created to defend Ukraine’s independence and guarantee its territorial integrity, aims the organization has reaffirmed several times.

As reported by BleepingComputer, which is in contact with the hacktivists, the Ukrainian alliance took all the data from the servers, including the ransomware’s source code and the database records.

Image: Trigona hacktivists. Credits: Ukrainian Cyber Alliance

The hacktivists reportedly managed to penetrate Trigona’s infrastructure by exploiting CVE-2023-22515, a critical vulnerability affecting Confluence Data Center and Server that allows privilege escalation and has already been exploited by the APT group Storm-0062.

The attack took place on October 12 and, according to the hacktivists, the ransomware group immediately changed the system password and took its public infrastructure offline; despite this, in the following days the UCA managed to obtain all the information on the server, access the group’s cryptocurrency hot wallets and take control of the internal tools the group used.

It is not clear whether the stolen data also includes the decryption keys: the UCA is still analyzing the content of the information. Should it find the keys, the hacktivist group has said it will make them public.

After the attack, the UCA deleted all of Trigona’s websites. The group also stated that it recovered three different backups of documents stolen from the victims.



https://www.securityinfo.it/2023/10/20/gli-hacktivisti-ucraini-hanno-smantellato-i-server-di-trigona/?utm_source=rss&utm_medium=rss&utm_campaign=gli-hacktivisti-ucraini-hanno-smantellato-i-server-di-trigona




A Chinese APT group exploited a critical Atlassian Confluence vulnerability


Researchers at Microsoft Threat Intelligence have detected the exploitation of a critical vulnerability in Atlassian Confluence Data Center and Confluence Server by Storm-0062. The security team announced it in a series of posts on X, explaining that the group began exploiting the bug in mid-September.

The vulnerability (CVE-2023-22515) is rated critical and allows an attacker to create administrative accounts in order to access Confluence instances and steal sensitive information. Atlassian confirmed that some of its customers were hit by the group but did not specify the actual extent of the attacks.

The bug affects instance versions 8.0.0, 8.1.0, 8.2.0, 8.3.0, 8.4.0, 8.5.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.1.1, 8.1.3, 8.2.1, 8.1.4, 8.2.2, 8.2.3, 8.3.1, 8.3.2, 8.4.1, 8.4.2 and 8.5.1. All versions prior to 8.0.0 are not vulnerable.

Storm-0062

Behind the attacks on Atlassian customers is Storm-0062, a Chinese APT group that acts in the interests of the government. The group is also known as DarkShadow and Oro0lxy. Rather than a “group”, it is actually more accurate to speak of a “duo”, since Storm-0062 consists of just two people, Li Xiaoyu and Dong Jiazhi.

The two have been active for many years, at least since 2009 according to DarkReading. The duo was investigated by the US Department of Justice in 2020 for probing for vulnerabilities in the networks of companies developing COVID-19 vaccines and studying new treatments for the virus.

Atlassian has already released the security patch for the vulnerability and urged users to install it as soon as possible. The non-vulnerable versions are 8.3.3 and later, 8.4.3 and later, and 8.5.2 and later. If it is not possible to update instances immediately, it is advisable to isolate them from public networks until the fix is applied.



https://www.securityinfo.it/2023/10/13/un-gruppo-apt-cinese-ha-sfruttato-una-vulnerabilita-critica-di-atlassian-confluence/?utm_source=rss&utm_medium=rss&utm_campaign=un-gruppo-apt-cinese-ha-sfruttato-una-vulnerabilita-critica-di-atlassian-confluence




Microsoft Blames Nation-State Threat Actor for Confluence Zero-Day Attacks

Researchers at Microsoft say a known nation-state threat actor is behind the zero-day exploits hitting Atlassian’s Confluence Data Center and Server products.

A note from Redmond linked the ongoing attacks to an APT group tracked as Storm-0062 and warned that malicious activity dates back to September 14, a full three weeks before Atlassian’s public disclosure of the issue.

“Microsoft has observed nation-state threat actor Storm-0062 exploiting CVE-2023-22515 in the wild since September 14, 2023. CVE-2023-22515 was disclosed on October 4, 2023. Storm-0062 is tracked by others as DarkShadow or Oro0lxy,” the company said.

According to SecurityWeek sources, the Storm-0062 hacking team has been observed conducting cyberespionage operations for China’s Ministry of State Security, a state intelligence agency.

Microsoft shared four IP addresses that were seen sending related exploit traffic targeting the critical CVE-2023-22515 privilege escalation vulnerability. 

“Any device with a network connection to a vulnerable application can exploit CVE-2023-22515 to create a Confluence administrator account within the application,” Microsoft said, confirming earlier warnings from Atlassian that patches should be applied with urgency.

“Organizations with vulnerable Confluence applications should upgrade as soon as possible to a fixed version: 8.3.3, 8.4.3, or 8.5.2 or later. Organizations should isolate vulnerable Confluence applications from the public internet until they are able to upgrade them,” the company added.


Atlassian updated its own advisory to confirm it has evidence that a known nation-state actor is actively exploiting the bug.

On October 4, Atlassian rushed out an urgent patch for the issue alongside a notice that “a handful of customers” were hit by remote exploits.

“Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances,” the Australian company said.

The vulnerability, tracked as CVE-2023-22515, is described as a remotely exploitable privilege escalation issue affecting on-prem instances of Confluence Server and Confluence Data Center.

“Instances on the public internet are particularly at risk, as this vulnerability is exploitable anonymously,” Atlassian warned. “If an instance has already been compromised, upgrading will not remove the compromise.”

Atlassian published an FAQ urging business users to immediately check all affected Confluence instances for the following indicators of compromise:

  • Unexpected members of the confluence-administrator group
  • Unexpected newly created user accounts
  • Requests to /setup/*.action in network access logs
  • Presence of /setup/setupadministrator.action in an exception message in atlassian-confluence-security.log in the Confluence home directory

“If it is determined that your instance has been compromised, our advice is to immediately shut down and disconnect the server from the network/Internet. Also, you may want to immediately shut down any other systems which potentially share a user base or have common username/password combinations with the compromised system,” Atlassian added.

Security problems in Atlassian’s software products have been targeted in the past by both cybercriminal and state-sponsored threat actors. In CISA’s KEV (Known Exploited Vulnerabilities) catalog, there are six distinct Confluence vulnerabilities marked for urgent attention.


https://www.securityweek.com/microsoft-blames-nation-state-threat-actor-for-confluence-zero-day-attacks/




Atlassian Ships Urgent Patch for Exploited Confluence Zero-Day

Business software maker Atlassian on Wednesday called immediate attention to a major security defect in its Confluence Data Center and Server products and warned that the issue has already been exploited as zero-day in the wild.

An urgent advisory from Atlassian confirms that “a handful of customers” were hit by exploits targeting a remotely exploitable flaw in Confluence Data Center and Server instances.

“Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances,” the Australian company said.

The vulnerability, tracked as CVE-2023-22515, is described as a remotely exploitable privilege escalation issue affecting on-prem instances of Confluence Server and Confluence Data Center.

“Instances on the public internet are particularly at risk, as this vulnerability is exploitable anonymously,” Atlassian warned. “If an instance has already been compromised, upgrading will not remove the compromise.”

The company said Atlassian Cloud sites are not vulnerable to this issue.

Security vendor Rapid7 is underscoring the urgency for businesses to apply available patches and mitigations.


“Atlassian’s advisory implies that the vulnerability is remotely exploitable, which is typically more consistent with an authentication bypass or remote code execution chain than a privilege escalation issue by itself,” Rapid7’s Caitlin Condon said. 

Atlassian has published an FAQ urging business users to immediately check all affected Confluence instances for the following indicators of compromise:

  • Unexpected members of the confluence-administrator group
  • Unexpected newly created user accounts
  • Requests to /setup/*.action in network access logs
  • Presence of /setup/setupadministrator.action in an exception message in atlassian-confluence-security.log in the Confluence home directory

“If it is determined that your instance has been compromised, our advice is to immediately shut down and disconnect the server from the network/Internet. Also, you may want to immediately shut down any other systems which potentially share a user base or have common username/password combinations with the compromised system,” Atlassian added.
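The four indicators Atlassian lists above (here and in the earlier article on the same zero-day) can be checked mechanically. The following Python is an added example, not Atlassian’s or the article’s code: it scans constructed access-log and atlassian-confluence-security.log lines and diffs the confluence-administrator group against an approved baseline; the log layouts, logger names and every sample value are assumptions.

```python
import re

# Constructed sample data, not taken from Atlassian or any real incident: a
# combined-format access log, a few atlassian-confluence-security.log lines
# (logger names and message text are assumed) and the current membership of
# the confluence-administrator group next to an approved baseline.
ACCESS_LOG = """\
198.51.100.20 - alice [14/Sep/2023:08:02:11 +0000] "GET /dashboard.action HTTP/1.1" 200 18233
203.0.113.5 - - [14/Sep/2023:08:05:41 +0000] "GET /setup/setupstart.action HTTP/1.1" 200 3110
203.0.113.5 - - [14/Sep/2023:08:05:44 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 302 0
198.51.100.20 - alice [14/Sep/2023:08:07:02 +0000] "GET /rest/api/content?limit=25 HTTP/1.1" 200 9021
"""
SECURITY_LOG = """\
2023-09-14 08:05:44,120 WARN [http-nio-8090-exec-3] [confluence.setup.SetupFilter] Exception while handling /setup/setupadministrator.action
2023-09-14 08:09:10,004 INFO [http-nio-8090-exec-5] [confluence.user.UserService] created user svc_backup
"""
BASELINE_ADMINS = {"admin", "alice"}
CURRENT_ADMINS = {"admin", "alice", "svc_backup"}

# Combined log layout: client IP ... [timestamp] "METHOD PATH PROTOCOL" STATUS
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# Atlassian's indicator: any request to /setup/*.action (query string stripped first).
SETUP_ACTION_RE = re.compile(r"^/setup/[^/?]+\.action$")
SETUP_ADMIN_ACTION = "/setup/setupadministrator.action"


def setup_requests(access_log):
    """Return (ip, timestamp, method, path, status) for each request to /setup/*.action."""
    hits = []
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue  # skip lines in another layout instead of silently mis-parsing them
        ip, ts, method, path, status = m.groups()
        if SETUP_ACTION_RE.match(path.split("?", 1)[0]):
            hits.append((ip, ts, method, path, int(status)))
    return hits


def setupadministrator_exceptions(security_log):
    """Security-log lines where an exception message names the setup-administrator action."""
    return [ln for ln in security_log.splitlines()
            if "exception" in ln.lower() and SETUP_ADMIN_ACTION in ln]


def unexpected_admins(current, baseline):
    """Members of confluence-administrator that are not in the approved baseline."""
    return sorted(set(current) - set(baseline))


def triage(access_log, security_log, current_admins, baseline_admins):
    """Collect the indicators; an exception hit or an unexpected admin means 'treat as compromised'."""
    reqs = setup_requests(access_log)
    exc = setupadministrator_exceptions(security_log)
    admins = unexpected_admins(current_admins, baseline_admins)
    return {
        "setup_requests": reqs,
        "suspect_ips": sorted({r[0] for r in reqs}),  # compare with vendor-published exploit sources
        "setup_exceptions": exc,
        "unexpected_admins": admins,
        "compromise_suspected": bool(exc or admins),
    }


if __name__ == "__main__":
    for key, value in triage(ACCESS_LOG, SECURITY_LOG, CURRENT_ADMINS, BASELINE_ADMINS).items():
        print(f"{key}: {value}")
```

Requests to /setup/*.action alone are only a lead (scanners probe them too); the exception entry and a group-membership change are what Atlassian treats as evidence of compromise.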

Security problems in Atlassian’s software products have been targeted in the past by both cybercriminal and state-sponsored threat actors. In CISA’s KEV (Known Exploited Vulnerabilities) catalog, there are six distinct Confluence vulnerabilities marked for urgent attention.


https://www.securityweek.com/atlassian-ships-urgent-patch-for-exploited-confluence-zero-day/




Atlassian Patches Remote Code Execution Vulnerabilities in Confluence, Bamboo

Atlassian has released patches for two remote code execution (RCE) vulnerabilities in Confluence Data Center and Server and another in Bamboo Data Center.

The most severe of these issues, tracked as CVE-2023-22508 (CVSS score of 8.5), was introduced in Confluence version 7.4.0. The second bug, tracked as CVE-2023-22505 (CVSS score of 8.0), was introduced in Confluence version 8.0.0.

Exploitation of both vulnerabilities could allow an attacker to execute arbitrary code with impact on confidentiality, integrity, and availability. No user interaction is required for exploitation, but the attacker needs to be authenticated as a valid user.

Both flaws were addressed with the release of Confluence versions 8.3.2 and 8.4.0. Customers unable to upgrade to one of these versions should at least update to version 8.2.0, which patches CVE-2023-22508.

According to Atlassian, both vulnerabilities were discovered by private users and reported via the company’s bug bounty program.

The company also announced patches for CVE-2023-22506 (CVSS score of 7.5), a high-severity RCE bug in Bamboo Data Center. Introduced in version 8.0.0 of Bamboo, the vulnerability was addressed in versions 9.2.3 and 9.3.1 of the enterprise solution.

“This injection and RCE vulnerability allows an authenticated attacker to modify the actions taken by a system call and execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and no user interaction,” Atlassian explains.


Atlassian notes in its advisory that the newly discovered flaws are the result of an expanded scope of its vulnerability disclosure policies, previously focused on first-party, critical-severity bugs.

“While this change results in an increase of visibility and disclosures, it does not mean there are more vulnerabilities. Rather, that we are taking a more proactive approach to vulnerability transparency and are committed to providing our customers with the information they need to make informed decisions about updating our products,” the company says.

Users and administrators are encouraged to apply the available patches as soon as possible. Successful exploitation of these bugs could lead to system takeover, the US Cybersecurity and Infrastructure Security Agency (CISA) notes.

Atlassian makes no mention of any of these issues being exploited in attacks.


https://www.securityweek.com/atlassian-patches-remote-code-execution-vulnerabilities-in-confluence-bamboo/




Hardcoded password in Confluence app has been leaked on Twitter


What’s worse than a widely used Internet-connected enterprise app with a hardcoded password? Try said enterprise app after the hardcoded password has been leaked to the world.

Atlassian on Wednesday revealed three critical product vulnerabilities, including CVE-2022-26138 stemming from a hardcoded password in Questions for Confluence, an app that allows users to quickly receive support for common questions involving Atlassian products. The company warned the passcode was “trivial to obtain.”

The company said that Questions for Confluence had 8,055 installations at the time of publication. When installed, the app creates a Confluence user account named disabledsystemuser, which is intended to help admins move data between the app and the Confluence Cloud service. The hardcoded password protecting this account allows for viewing and editing of all non-restricted pages within Confluence.

“A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access any pages the confluence-users group has access to,” the company said. “It is important to remediate this vulnerability on affected systems immediately.”

A day later, Atlassian was back to report that “an external party has discovered and publicly disclosed the hardcoded password on Twitter,” leading the company to ratchet up its warnings.

“This issue is likely to be exploited in the wild now that the hardcoded password is publicly known,” the updated advisory read. “This vulnerability should be remediated on affected systems immediately.”

The company warned that even when Confluence installations don’t actively have the app installed, they may still be vulnerable. Uninstalling the app doesn’t automatically remediate the vulnerability because the disabledsystemuser account can still reside on the system.

To figure out if a system is vulnerable, Atlassian advised Confluence users to search for accounts with the following information:

  • User: disabledsystemuser
  • Username: disabledsystemuser
  • Email: dontdeletethisuser@email.com

Atlassian provided more instructions for locating such accounts here. The vulnerability affects Questions for Confluence versions 2.7.x and 3.0.x. Atlassian provided two ways for customers to fix the issue: disable or remove the “disabledsystemuser” account. The company has also published this list of answers to frequently asked questions.

Confluence users looking for exploitation evidence can check the last authentication time for disabledsystemuser using the instructions here. If the result is null, the account exists on the system, but no one has yet signed in using it. The commands also show any recent login attempts that were successful or unsuccessful.
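As an added example (not Atlassian’s documented queries), the following Python models the check described above against a constructed in-memory SQLite stand-in: the table and column names and every record are assumptions made for this example, not Confluence’s real schema. It reports whether the disabledsystemuser account exists, whether it has ever signed in, and any recorded failed attempts.

```python
import sqlite3

# Constructed in-memory stand-in for a Confluence user directory and its login
# records. Table and column names are assumptions made for this example, not
# Confluence's real schema, and every record is made up; on a real instance
# run the queries Atlassian documents for CVE-2022-26138.
SCHEMA = """
CREATE TABLE app_user (user_name TEXT, email TEXT, active INTEGER);
CREATE TABLE login_info (user_name TEXT, last_success TEXT, last_failed TEXT, failed_count INTEGER);
"""
USERS = [
    ("alice", "alice@example.com", 1),
    ("disabledsystemuser", "dontdeletethisuser@email.com", 1),  # left behind by the app
]
LOGINS = [
    ("alice", "2022-07-21T09:14:00Z", None, 0),
    ("disabledsystemuser", None, "2022-07-22T02:31:00Z", 3),  # never succeeded, 3 failures
]

# The account details Atlassian tells admins to search for.
VULN_USERNAME = "disabledsystemuser"
VULN_EMAIL = "dontdeletethisuser@email.com"


def build_db(users, logins):
    """Load the constructed records into an in-memory SQLite database."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO app_user VALUES (?, ?, ?)", users)
    con.executemany("INSERT INTO login_info VALUES (?, ?, ?, ?)", logins)
    return con


def audit_disabledsystemuser(con):
    """Report whether the app's account exists, whether it was ever used, and recent attempts."""
    row = con.execute(
        "SELECT u.user_name, u.active, l.last_success, l.last_failed, l.failed_count "
        "FROM app_user u LEFT JOIN login_info l ON l.user_name = u.user_name "
        "WHERE u.user_name = ? OR u.email = ?",
        (VULN_USERNAME, VULN_EMAIL),
    ).fetchone()
    if row is None:
        return {"status": "not_present", "action": "none: account absent"}
    _, active, last_success, last_failed, failed_count = row
    finding = {
        "status": "present",
        "active": bool(active),
        "last_success": last_success,
        "last_failed": last_failed,
        "failed_attempts": failed_count or 0,  # no login row at all counts as zero
        # A null last successful login means the account exists but nobody has signed in with it.
        "used": last_success is not None,
    }
    finding["action"] = ("disable or remove the account" if active
                         else "already disabled (one of Atlassian's two fixes); keep it that way or remove it")
    return finding


if __name__ == "__main__":
    print(audit_disabledsystemuser(build_db(USERS, LOGINS)))
```

A present account with a non-null last successful login is the case to escalate, since it means someone has already used the leaked password against that instance.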

“Now that the patches are out, one can expect patch diff and reversing engineering efforts to produce a public POC in a fairly short time,” Casey Ellis, founder of vulnerability reporting service Bugcrowd, wrote in a direct message. “Atlassian shops should get on to patching public-facing products immediately, and those behind the firewall as quickly as possible. The comments in the advisory recommending against proxy filtering as mitigation suggest that there are multiple trigger pathways.”

The other two vulnerabilities Atlassian disclosed on Wednesday are also serious, affecting the following products:

  • Bamboo Server and Data Center
  • Bitbucket Server and Data Center
  • Confluence Server and Data Center
  • Crowd Server and Data Center
  • Crucible
  • Fisheye
  • Jira Server and Data Center
  • Jira Service Management Server and Data Center

Tracked as CVE-2022-26136 and CVE-2022-26137, these vulnerabilities make it possible for remote, unauthenticated hackers to bypass Servlet Filters used by first- and third-party apps.

“The impact depends on which filters are used by each app, and how the filters are used,” the company said. “Atlassian has released updates that fix the root cause of this vulnerability but has not exhaustively enumerated all potential consequences of this vulnerability.”

Vulnerable Confluence servers have long been a favorite opening for hackers looking to install ransomware, cryptominers, and other forms of malware. The vulnerabilities Atlassian disclosed this week are serious enough that admins should prioritize a thorough review of their systems, ideally before the weekend starts.

https://arstechnica.com/?p=1868878