The United States Cybersecurity and Infrastructure Security Agency (CISA) has instructed federal agencies, and urged private sector companies, to address a recently disclosed Confluence vulnerability that has been exploited in attacks.
The critical vulnerability, tracked as CVE-2022-26138, is related to the existence of an account named ‘disabledsystemuser’ in the Questions for Confluence app, which is designed to help admins migrate data from the app to Confluence Cloud. The problem is that this account is created with a hardcoded password and is added to the ‘confluence-users’ group, which by default allows viewing and editing non-restricted pages in Confluence.
A remote, unauthenticated attacker can use the account to log into Confluence and access any page the user group has access to.
Atlassian published its initial advisory on July 20 and the next day informed customers that someone had made the hardcoded password public on Twitter, adding that it expected to see in-the-wild exploitation as a result.
Exploitation attempts have been observed by Rapid7, the Shadowserver Foundation and threat intelligence company GreyNoise. GreyNoise data shows exploitation attempts starting on July 22 and spiking on July 25. The company continues to see attacks coming from up to a dozen unique IP addresses every day. Proof-of-concept (PoC) exploits are also being publicly released.
No information has been made available on who is attempting to exploit the vulnerability and what they are trying to achieve. It’s not uncommon for threat actors to target Confluence flaws in their attacks, including to deliver ransomware and other malware.
CISA has instructed government agencies to take steps to patch or mitigate CVE-2022-26138 by August 19.
Atlassian has also updated its advisory to inform customers about active exploitation of the vulnerability. The company has advised users to update the Questions for Confluence app, as the latest version no longer creates the problematic account, and to manually disable or remove the ‘disabledsystemuser’ account. The vendor noted that uninstalling the app does not automatically remove the account.
In a July 30 update to its initial advisory, Atlassian pointed out that the ‘disabledsystemuser’ account is configured to send email notifications to ‘dontdeletethisuser@email.com’, an address that the vendor does not control.
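Because uninstalling the app leaves the account in place, a defender will want to know whether ‘disabledsystemuser’ still exists and whether it has been used. The following added example (not code from the article or from Atlassian) scans access-log lines for requests authenticated as that account and groups them by source IP; the log layout (client IP, authenticated username, timestamp, request, status) is an assumption, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines; the column layout is an assumed access-log format
# (client IP, authenticated username, timestamp, request line, status, bytes, ms).
# Check your own server's access-log pattern before relying on the regex below.
SAMPLE_LOG = """\
203.0.113.10 - [25/Jul/2022:10:01:02 +0000] "GET /login.action HTTP/1.1" 200 4321 12
203.0.113.10 disabledsystemuser [25/Jul/2022:10:01:05 +0000] "POST /dologin.action HTTP/1.1" 302 0 240
203.0.113.10 disabledsystemuser [25/Jul/2022:10:01:06 +0000] "GET /rest/api/content?limit=100 HTTP/1.1" 200 53210 88
198.51.100.7 alice [25/Jul/2022:10:02:00 +0000] "GET /display/ENG/Runbook HTTP/1.1" 200 8812 30
198.51.100.44 disabledsystemuser [25/Jul/2022:10:09:13 +0000] "GET /display/HR/Policies HTTP/1.1" 200 9931 27
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# The hardcoded account name comes from the Atlassian advisory quoted in the article.
HARDCODED_ACCOUNT = "disabledsystemuser"


def find_hardcoded_account_activity(log_text, account=HARDCODED_ACCOUNT):
    """Return {source_ip: [(timestamp, method, path, status), ...]} for every
    request the access log attributes to the hardcoded account.

    Any hit means the account was still enabled on this instance at that time,
    so the Atlassian mitigation (disable or remove the account) has not yet
    taken effect, and the pages listed are the ones that were reachable."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("user") != account:
            continue  # unparseable line, or a different user
        hits[m.group("ip")].append(
            (m.group("ts"), m.group("method"), m.group("path"), int(m.group("status")))
        )
    return dict(hits)


if __name__ == "__main__":
    for ip, reqs in find_hardcoded_account_activity(SAMPLE_LOG).items():
        print(f"{ip}: {len(reqs)} request(s) as {HARDCODED_ACCOUNT}")
        for ts, method, path, status in reqs:
            print(f"  {ts} {method} {path} -> {status}")
```

A clean result on a fully rotated log set, combined with confirming in user management that the account is disabled or gone, is the check that the mitigation actually landed.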
“If this vulnerability has not been remediated […], an affected instance configured to send notifications will email that address. One example of an email notification is Recommended Updates Notifications, which includes a list of the top pages from Confluence spaces the user has permissions to view. Atlassian is actively working with the service provider for the third party email address to investigate and close the account,” the company said.
Related: USCYBERCOM Warns of Mass Exploitation of Atlassian Vulnerability Ahead of Holiday Weekend
Related: Cybercriminals, State-Sponsored Threat Actors Exploiting Confluence Server Vulnerability
Related: Atlassian Confluence Servers Hacked via Zero-Day Vulnerability