Threat actors are actively exploiting vulnerabilities in Confluence Servers. Here's what you need to know.
Background
In September, Atlassian issued a security advisory for a vulnerability (CVE-2021-26084) affecting on-premise Confluence servers. The vulnerability allows an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. Although this vulnerability was disclosed in September, we are now hearing from threat intelligence sources that ransomware groups are actively exploiting the vulnerability to encrypt Confluence servers. Attacks have been observed impacting both Windows and Linux systems.
Quick facts: what you need to know now
- The affected servers are:
  - Versions before 6.13.23
  - Versions 6.14.0 through 7.4.11
  - Versions 7.5.0 through 7.11.6
  - Versions 7.12.0 through 7.12.5
- Attacks have been observed impacting both Windows and Linux systems.
- An unauthenticated user can execute arbitrary commands on vulnerable servers, which grants them full control over the unpatched system. This gives threat actors the ability to compromise the system and execute malicious files such as ransomware.
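To help confirm which instances in an inventory fall inside the affected ranges listed above, here is a small triage helper (an added example, not Atlassian's or Corvus's code). It assumes plain dotted version strings as reported by the Confluence admin console; the inventory values are constructed.

```python
"""Triage helper for CVE-2021-26084: flag Confluence Server / Data Center
versions that fall inside the affected ranges given in the advisory above.
Constructed example; not Atlassian's or Corvus's code."""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '7.4.11' into (7, 4, 11). A suffix such as '-rc1' is dropped and
    short versions are padded so '7.4' compares equal to '7.4.0'."""
    core = text.strip().split("-")[0]
    parts = tuple(int(p) for p in core.split("."))
    return parts + (0,) * (3 - len(parts))


# First version that is NOT in the oldest affected range ("before 6.13.23").
FIRST_SAFE_LEGACY = parse_version("6.13.23")

# Inclusive [low, high] ranges exactly as stated in the advisory.
AFFECTED_RANGES = [
    ("6.14.0", "7.4.11"),
    ("7.5.0", "7.11.6"),
    ("7.12.0", "7.12.5"),
]


def is_affected(version_text: str) -> bool:
    """True when the version is in any affected range from the advisory.
    Versions outside every listed range (e.g. 6.13.23 or 7.13.x) return False;
    the check covers only the ranges the advisory names."""
    v = parse_version(version_text)
    if v < FIRST_SAFE_LEGACY:
        return True
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return the hostnames (sorted) whose reported version is affected."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


if __name__ == "__main__":
    # Constructed inventory: hostname -> version reported by the admin console.
    sample = {"wiki-01": "7.4.11", "wiki-02": "7.13.0",
              "wiki-03": "6.13.22", "wiki-04": "7.12.6", "wiki-05": "7.5"}
    for host in triage(sample):
        print(f"{host}: {sample[host]} is in an affected range; patch required")
```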
Next Steps for All Confluence Server and Data Center Customers:
- Update to one of the released versions that contains the fix for the issue.
- Review web server and system logs for suspicious login activity. If suspicious activity is identified during review:
  - Reset all user admin credentials and ensure MFA is enabled.
  - Immediately notify Corvus of a potential claim via the email or hotline listed on your policy. We will then connect you to counsel and a forensics firm to ensure your organization properly investigates, mitigates, and responds to the threat.
Additional Resources
Confluence security advisory: https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html
If you have any questions, please reach out to the Risk + Response Team at services@corvusinsurance.com!