A recently fixed critical security flaw in Atlassian Confluence Server and Data Center products is being actively weaponized in real-world attacks to drop cryptocurrency miners and ransomware payloads.
In at least two of the Windows-related incidents observed by cybersecurity vendor Sophos, attackers exploited the vulnerability to deploy Cerber ransomware and a crypto miner called z0miner on victim networks.
The bug (CVE-2022-26134, CVSS score: 9.8), patched by Atlassian on June 3, 2022, allows an unauthenticated actor to inject malicious code that paves the way for remote code execution (RCE) on affected installations of the collaboration suite. All supported versions of Confluence Server and Data Center are affected.
Other notable malware being pushed as part of disparate cases of attack activity includes Mirai and Kinsing bot variants, a rogue package called pwnkit, and Cobalt Strike delivered via a web shell deployed after the attacker gains a foothold in the compromised system.
“The vulnerability, CVE-2022-26134, allows an attacker to spawn a remotely accessible shell in memory without writing anything to the server’s local storage,” said Andrew Brandt, lead researcher at Sophos.
The disclosure overlaps with similar warnings from Microsoft, which revealed last week that “multiple adversaries and nation-state actors, including DEV-0401 and DEV-0234, are taking advantage of the Atlassian Confluence RCE vulnerability CVE-2022-26134.”
DEV-0401, described by Microsoft as a “China-based lone wolf turned LockBit 2.0 partner”, has also previously been linked to ransomware deployments targeting Internet-facing systems running VMware Horizon (Log4Shell), Confluence (CVE-2021-26084), and on-premises Exchange servers (ProxyShell).
The development marks an ongoing trend where threat actors are increasingly taking advantage of newly revealed critical vulnerabilities rather than exploiting publicly known, dated software flaws for a broad spectrum of targets.