US Cyber Command (USCYBERCOM) has issued a rare alert today urging US organizations to immediately patch a massively exploited critical Atlassian Confluence vulnerability.
“Mass exploitation of Atlassian Confluence CVE-2021-26084 is ongoing and expected to accelerate,” said the Cyber National Mission Force (CNMF).
The USCYBERCOM unit also stressed the importance of patching vulnerable Confluence servers as soon as possible: “Please patch immediately if you haven’t already— this cannot wait until after the weekend.”
This warning comes after Deputy National Security Advisor Anne Neuberger encouraged organizations “to be on guard for malicious cyber activity in advance of the holiday weekend” during a Thursday White House press briefing.
It is the second alert of this kind in the last 12 months, the previous one (from June) warning that CISA was aware that threat actors might attempt to exploit a remote code execution vulnerability affecting all vCenter Server installs.
CISA also urged users and admins today to immediately apply the Confluence security updates recently issued by Atlassian.
— U.S. Cyber Command (@US_CYBERCOM) September 3, 2021
Atlassian Confluence is a highly popular web-based corporate team workspace designed to help employees collaborate on various projects.
On August 25, Atlassian issued security updates to address the actively exploited Confluence remote code execution (RCE) vulnerability tracked as CVE-2021-26084, which enables unauthenticated attackers to execute commands on a vulnerable server remotely.
As BleepingComputer reported this week, multiple threat actors began scanning for and exploiting this recently disclosed Confluence RCE vulnerability to install crypto miners after a PoC exploit was publicly released six days after Atlassian’s patches were issued.
As several cybersecurity firms have reported, both threat actors and security researchers are actively scanning for and exploiting unpatched Confluence servers.
For instance, Coalition Director of Engineering Tiago Henriques detected penetration testers searching for vulnerable Confluence servers.
Cybersecurity intelligence firm Bad Packets also observed threat actors from multiple countries deploying and launching PowerShell or Linux shell scripts on compromised Confluence servers.
After analyzing exploit samples, BleepingComputer confirmed that the attackers are attempting to install crypto miners (e.g., XMRig Monero cryptocurrency miners) on Windows and Linux Confluence servers.
Although these attackers are currently only deploying cryptocurrency miners, attacks can quickly escalate if the threat actors begin moving laterally through corporate networks from hacked on-prem Confluence servers to drop ransomware payloads and exfiltrate data.
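The two post-exploitation behaviours the article describes (the Confluence process launching a PowerShell or Linux shell script, and an XMRig miner appearing on the host) are both visible in process-creation telemetry. The following detection logic is an added example written for this article, not code from Atlassian, BleepingComputer or any vendor named above; the event fields, the host names and the sample events are constructed, and the assumption that the Confluence parent process can be recognised by "confluence" in its command line is an illustrative simplification, not a documented Atlassian property.

```python
"""Toy detection over constructed process-creation events.

Flags two behaviours on Confluence hosts:
  * the Confluence (java) process spawning a shell or PowerShell, and
  * a known cryptominer binary (xmrig) starting.
Event fields mirror typical EDR/Sysmon process-creation data but are assumed
here; nothing below is tied to a specific product's schema.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Interpreters an attacker-deployed script would run under (assumption: this
# list is illustrative, tune it to the fleet's real baseline).
SHELLS = {"sh", "bash", "dash", "powershell", "powershell.exe", "pwsh", "cmd.exe"}
# Miner binary names mentioned in reporting on this campaign (XMRig).
MINERS = {"xmrig", "xmrig.exe"}


@dataclass
class ProcEvent:
    host: str
    parent_image: str
    parent_cmdline: str
    image: str
    cmdline: str


def basename(path: str) -> str:
    """Return the final path component for both POSIX and Windows paths."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_confluence_parent(ev: ProcEvent) -> bool:
    # Assumption: the Confluence JVM is identifiable from its command line.
    return basename(ev.parent_image) in {"java", "java.exe"} and \
        "confluence" in ev.parent_cmdline.lower()


def classify(ev: ProcEvent) -> List[str]:
    """Return the list of finding labels that apply to one event."""
    name = basename(ev.image)
    findings = []
    if name in MINERS:
        findings.append("cryptominer-binary")
    if name in SHELLS and is_confluence_parent(ev):
        findings.append("confluence-spawned-shell")
    return findings


def run(events: List[ProcEvent]) -> List[Tuple[str, str]]:
    """Return (host, finding) pairs in event order; benign events yield none."""
    return [(ev.host, f) for ev in events for f in classify(ev)]


# Constructed sample telemetry: two compromised hosts and two benign events.
SAMPLE_EVENTS = [
    ProcEvent("wiki01", "/usr/bin/java",
              "java -Dconfluence.home=/var/atlassian/confluence org.apache.catalina.startup.Bootstrap",
              "/bin/sh", "sh -c /tmp/update.sh"),
    ProcEvent("wiki01", "/bin/sh", "sh -c /tmp/update.sh",
              "/tmp/xmrig", "/tmp/xmrig --config=/tmp/c.json"),
    ProcEvent("wiki02", r"C:\Program Files\Atlassian\Confluence\jre\bin\java.exe",
              "java.exe -Dconfluence.home=C:\\Atlassian\\data org.apache.catalina.startup.Bootstrap",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -File C:\\Temp\\u.ps1"),
    ProcEvent("wiki01", "/usr/sbin/cron", "cron -f",
              "/bin/sh", "sh -c /etc/cron.daily/logrotate"),
    ProcEvent("wiki02", r"C:\Program Files\Atlassian\Confluence\jre\bin\java.exe",
              "java.exe -Dconfluence.home=C:\\Atlassian\\data org.apache.catalina.startup.Bootstrap",
              r"C:\Program Files\Git\bin\git.exe", "git.exe fetch"),
]

if __name__ == "__main__":
    for host, finding in run(SAMPLE_EVENTS):
        print(f"{host}: {finding}")
```

The miner rule matches by binary name only, so a renamed miner evades it; the parent/child rule is the more durable of the two, because a web application's JVM launching an interactive shell is rare on a healthy server regardless of what the child goes on to do.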