Threat actors sell access to tens of vulnerable networks compromised by exploiting Atlassian 0day

Pierluigi Paganini June 26, 2022

A threat actor is selling access to 50 vulnerable networks that have been compromised exploiting the recently disclosed Atlassian Confluence zero-day.

A threat actor is selling access to 50 vulnerable networks that have been compromised by exploiting the recently discovered Atlassian Confluence zero-day flaw (CVE-2022-26134).

The discovery was made by the Rapid7 Threat Intelligence team and was disclosed by The Record. Access to the vulnerable networks was offered on the Russian-language forum XSS.

According to Rapid7 experts, the seller has a good reputation on the hacking forum, they also urge administrators to patch their installs. Rapid7 is attempting to identify the 50 companies and notify them.

At the end of May, Atlassian warned of a critical unpatched remote code execution vulnerability affecting all Confluence Server and Data Center supported versions, tracked as CVE-2022-26134, that is being actively exploited in attacks in the wild.

“Atlassian has been made aware of current active exploitation of a critical severity unauthenticated remote code execution vulnerability in Confluence Data Center and Server. Further details about the vulnerability are being withheld until a fix is available.” reads the advisory published by the company.

The vulnerability was reported by security firm Volexity which discovered the issue as part of an investigation into an attack that took over the Memorial Day weekend.

Back to Rapid7’s discovery, the bad news is that the seller that is offering access to the 50 networks also plans to sell access to a list of 10,000 additional vulnerable machines.

Organizations running confluence servers should also look for indicators of compromise within their networks to determine if they have been breached.

Ransomware gangs are actively exploiting CVE-2022-26134 remote code execution (RCE) flaw in Atlassian Confluence Server and Data Center.

Researchers from security firm Prodaft first reported that AvosLocker ransomware operators have already started exploiting the Atlassian Confluence bug, BleepingComputer reported.

The researchers noticed the creation of a “confluence campaign” in the control panel of the AvosLocker operation.

BleepingComputer also reported that operators behind Cerber2021 ransomware (aka CerberImposter) are actively exploiting the Confluence flaw in recent attacks.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Atlassian)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment