Unpatched Confluence Servers Targeted by Ransomware Gangs

Ransomware gangs are now targeting unpatched Confluence servers. This active targeting is due to a recently disclosed vulnerability that allows the attacker to execute code remotely if properly exploited. Following several proof-of-concept exploits of the vulnerability that were leaked to the public threat actors have jumped at the chance to target unpatched servers.

On June 2, 2022, Atlassian the company behind Confluence servers released a security advisory warning customers that a zero-day vulnerability had been discovered impacting their server and data center products. confluence servers vulnerable to rasnsomware

The zero-day received the designation CVE-2022-26134 and has been described by Atlassian as,

“Atlassian has been made aware of current active exploitation of a critical severity unauthenticated remote code execution vulnerability in Confluence Data Center and Server. The OGNL injection vulnerability allows an unauthenticated user to execute arbitrary code on a Confluence Server or Data Center instance. All versions of Confluence Server and Data Center prior to the fixed versions listed above are affected by this vulnerability.”

Further, Atlassian stressed the severity of the zero-day as critical, the highest severity rating that the company issues for vulnerabilities found in its products. At the time of the vulnerabilities disclosure, no patch was available to the public.

This was a short-lived problem as the next day the company announced that it had developed and released a patch. Atlassian strongly urges customers to patch their products and provided the following instructions on how best to do so,

“Atlassian recommends that you upgrade to the latest Long Term Support release. For a full description of the latest version, see the Confluence Server and Data Center Release Notes. You can download the latest version from the download centre.”

On June 5, reports began to emerge stating that proof-of-concept code that exploits the now patched vulnerability had been released to the wider public. Andrew Morris, CEO of security firm Grey Noise, tweeted, “Widespread Atlassian Confluence CVE-2022-26134 exploitation, specifically that is *confirmed functional*, has just started.

23 unique IPs so far.” From 23 unique IP addresses seen trying to exploit the vulnerability, it jumped to 211 within an incredibly short timeframe.

Exploit code seen by researchers explained how to create new admin accounts, force DNS requests, gather information, and generate reverse shells along with code that could be used to take advantage of the vulnerability.

Initial attacks would look to compromise the unpatched server but given the severity of the vulnerability, data theft is more than possible. Further, malware could be dropped onto compromised servers, including ransomware.

Ransomware Targeting Unpatched Servers

Fears of ransomware gangs looking to take advantage of the vulnerability would prove to be well-founded. Along with various botnets and malicious cryptomining operations, security researchers have discovered Cerber and AvosLocker ransomware gangs have been attempting to take advantage of the above-mentioned vulnerability.

AvosLocker was discovered in the middle of 2021 by security firm Cyble, who noted that the ransomware infects Windows machines to encrypt document files of the victim and asks for ransom as part of its extortion program, typical ransomware behavior.

AvosLocker appends the encrypted files with the extension .avos and forces victims to pay ransom for the decryption tool for recovering their data. Researchers discovered that the AvosLocker ransomware gang uses spam email campaigns or distrustful advertisements as the primary delivery mechanisms.

As for the malware’s encryption routine, it uses a customized Advanced Encryption Standard (AES) with a block size of 256 to encrypt the data.

Researchers also discovered that the ransomware is actively being upgraded to be offered as a Ransomware-as-a-Service package along with the ransomware being converted to a package with a console for easier use by potential affiliates.

Cerber’s history is a little more cloaked in Shadow. In 2016 when ransomware was beginning to gain a lot of traction within the cyber criminal community Cerber quickly emerged to be a prominent player. By 2019, Cerber activity had all but ceased. Then in December 2021, Cerber would make a dramatic comeback.

The new and improved Cerber featured encryption modules that could target both Windows and Linux machines. What more is that the new Cerber was actively targeting Confluence servers, vulnerability CVE-2021-26084 along with a vulnerability discovered in the popular code repository GitHub.

During this attack, the ransomware’s operators were demanding between 1000 and 3000 USD. Researchers also noted how Cerber would not target countries that made up the old Soviet block.

This is a common tactic for Russian-speaking malware developers so as not to draw the ire of Russian law enforcement.

This is yet another reminder to network admins and the public at large to regularly keep software and hardware up to date.

While the above-mentioned vulnerability was disclosed without a patch available, a patch was made available in a short period protecting consumers from having their servers compromised.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal