US Cyber Command (USCYBERCOM) has issued a rare alert today urging US organizations to patch a massively exploited Atlassian Confluence critical vulnerability immediately.
“Mass exploitation of Atlassian Confluence CVE-2021-26084 is ongoing and expected to accelerate,” said Cyber National Mission Force (CNMF).
The USCYBERCOM unit also stressed the importance of patching vulnerable Confluence servers as soon as possible: “Please patch immediately if you haven’t already— this cannot wait until after the weekend.”
This warning comes after Deputy National Security Advisor Anne Neuberger encouraged organizations “to be on guard for malicious cyberactivity in advance of the holiday weekend” during a Thursday White House press briefing.
It’s the second alert of this kind in the last 12 months, the previous one (from June) notifying that CISA was aware that threat actors might attempt to exploit a remote code execution vulnerability affecting all vCenter Server installs.
CISA also urged users and admins today to immediately apply the Confluence security updates recently issued by Atlassian.
— U.S. Cyber Command (@US_CYBERCOM) September 3, 2021
Atlassian Confluence is a highly popular web-based corporate team workspace designed to help employees collaborate on various projects.
On August 25, Atlassian issued security updates to address the actively exploited Confluence remote code execution (RCE) vulnerability tracked as CVE-2021-26084 and enabling unauthenticated attackers to execute commands on a vulnerable server remotely.
As BleepingComputer reported this week, multiple threat actors began scanning for and exploiting this recently disclosed Confluence RCE vulnerability to install crypto miners after a PoC exploit was publicly released six days after Atlassian’s patches were issued.
Several cybersecurity companies have reported, both threat actors and security researchers are actively scanning for and exploiting unpatched Confluence servers.
For instance, Coalition Director of Engineering Tiago Henriques detected penetration testers attempting to find vulnerable Confluence servers.
Cybersecurity intelligence firm Bad Packets also spotted threat actors from multiple countries deploying and launching PowerShell or Linux shell scripts on compromised Confluence servers.
After analyzing exploit samples, BleepingComputer confirmed that the attackers are attempting to install crypto miners (e.g., XMRig Monero cryptocurrency miners) on Windows and Linux Confluence servers.
Even though these attackers are currently only deploying cryptocurrency miners, attacks can quickly escalate if the threat actors start moving laterally through corporate networks from hacked on-prem Confluence servers to drop ransomware payload and exfiltrate data.