Ransomware gangs are now targeting unpatched Confluence servers. The activity follows the recent disclosure of a vulnerability that, if successfully exploited, allows an attacker to execute code remotely. After several proof-of-concept exploits for the vulnerability were leaked to the public, threat actors jumped at the chance to target unpatched servers.
On June 2, 2022, Atlassian, the company behind Confluence, released a security advisory warning customers that a zero-day vulnerability had been discovered affecting its Server and Data Center products.
The zero-day received the designation CVE-2022-26134 and was described by Atlassian as follows:
“Atlassian has been made aware of current active exploitation of a critical severity unauthenticated remote code execution vulnerability in Confluence Data Center and Server. The OGNL injection vulnerability allows an unauthenticated user to execute arbitrary code on a Confluence Server or Data Center instance. All versions of Confluence Server and Data Center prior to the fixed versions listed above are affected by this vulnerability.”
Further, Atlassian rated the zero-day as critical, the highest severity rating the company issues for vulnerabilities found in its products. At the time of the vulnerability's disclosure, no patch was available to the public.
This was a short-lived problem, as the next day the company announced that it had developed and released a patch. Atlassian strongly urged customers to patch their products and provided the following guidance on how best to do so:
“Atlassian recommends that you upgrade to the latest Long Term Support release. For a full description of the latest version, see the Confluence Server and Data Center Release Notes. You can download the latest version from the download centre.”
On June 5, reports began to emerge that proof-of-concept code exploiting the now-patched vulnerability had been released to the wider public. Andrew Morris, CEO of security firm GreyNoise, tweeted, “Widespread Atlassian Confluence CVE-2022-26134 exploitation, specifically that is *confirmed functional*, has just started. 23 unique IPs so far.” The 23 unique IP addresses seen attempting to exploit the vulnerability grew to 211 within an incredibly short timeframe.
Exploit code seen by researchers showed how to create new admin accounts, force DNS requests, gather information, and spawn reverse shells, alongside the code that triggers the vulnerability itself.
Initial attacks would aim to compromise the unpatched server, but given the severity of the vulnerability, data theft is more than possible. Further, malware could be dropped onto compromised servers, including ransomware.
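Since the flaw is an OGNL injection delivered over HTTP, one defensive check is to scan Confluence access logs for request paths carrying an OGNL expression and count the distinct source addresses, the same figure GreyNoise reported. The following is an added example, not code from the original article or from Atlassian; the log format is the common log format produced by Tomcat's access valve, the `${...}` heuristic is an assumption drawn from public reporting on this CVE, and the log lines are constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (common log format as written by the Tomcat
# access valve in front of Confluence). None of this is real traffic; the IPs are
# documentation ranges and the "${probe}" paths carry no real OGNL logic.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Jun/2022:10:01:02 +0000] "GET /login.action HTTP/1.1" 200 5120
203.0.113.11 - - [05/Jun/2022:10:01:03 +0000] "GET /%24%7Bprobe%7D/ HTTP/1.1" 302 0
198.51.100.7 - - [05/Jun/2022:10:01:04 +0000] "GET /${probe}/ HTTP/1.1" 302 0
203.0.113.11 - - [05/Jun/2022:10:01:05 +0000] "GET /%24%7Bprobe2%7D/ HTTP/1.1" 302 0
192.0.2.5 - - [05/Jun/2022:10:01:06 +0000] "GET /pages/viewpage.action?pageId=42 HTTP/1.1" 200 8801
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# OGNL expressions are delimited by "${" and "}". Scanners commonly URL-encode part
# or all of the path, so the path is decoded twice (to catch double encoding)
# before the pattern is applied. This is a heuristic, not a complete signature.
OGNL_RE = re.compile(r'\$\{.*?\}')


def is_ognl_attempt(path: str) -> bool:
    """Return True if the (possibly URL-encoded) request path contains ${...}."""
    decoded = unquote(unquote(path))
    return bool(OGNL_RE.search(decoded))


def scan_log(text: str):
    """Parse access-log text; return (flagged_requests, sorted_unique_source_ips)."""
    flagged = []
    sources = set()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing
        if is_ognl_attempt(m["path"]):
            flagged.append((m["ip"], m["method"], unquote(m["path"]), m["status"]))
            sources.add(m["ip"])
    return flagged, sorted(sources)


if __name__ == "__main__":
    hits, ips = scan_log(SAMPLE_LOG)
    for ip, method, path, status in hits:
        print(f"{ip} {method} {path} -> {status}")
    print(f"{len(hits)} suspicious requests from {len(ips)} unique source IPs")
```

Point `scan_log` at a real access log and the unique-IP count gives the same kind of figure quoted in the tweet above; a hit is a reason to confirm the server's patch level, not proof of compromise.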
Ransomware Targeting Unpatched Servers
Fears that ransomware gangs would look to take advantage of the vulnerability proved well-founded. Along with various botnets and malicious cryptomining operations, security researchers discovered that the Cerber and AvosLocker ransomware gangs had been attempting to exploit the above-mentioned vulnerability.
AvosLocker was discovered in mid-2021 by security firm Cyble, which noted that the ransomware infects Windows machines, encrypts the victim's document files and demands a ransom as part of its extortion scheme: typical ransomware behavior.
AvosLocker appends the extension .avos to encrypted files and forces victims to pay a ransom for the decryption tool needed to recover their data. Researchers found that the AvosLocker gang uses spam email campaigns and dubious advertisements as its primary delivery mechanisms.
As for the malware’s encryption routine, it uses a customized Advanced Encryption Standard (AES) with a block size of 256 to encrypt the data.
Researchers also found that the ransomware is actively being upgraded to be offered as a Ransomware-as-a-Service package, and that it is being converted into a package with a console for easier use by potential affiliates.
Cerber’s history is a little more shrouded in shadow. In 2016, when ransomware was beginning to gain a lot of traction within the cybercriminal community, Cerber quickly emerged as a prominent player. By 2019, Cerber activity had all but ceased. Then, in December 2021, Cerber made a dramatic comeback.
The new and improved Cerber featured encryption modules that could target both Windows and Linux machines. What is more, the new Cerber was actively targeting Confluence servers through CVE-2021-26084, along with a vulnerability discovered in the popular code repository GitHub.
During this campaign, the ransomware’s operators demanded between 1,000 and 3,000 USD. Researchers also noted that Cerber would not target countries that made up the old Soviet bloc.
This is a common tactic for Russian-speaking malware developers so as not to draw the ire of Russian law enforcement.
This is yet another reminder to network admins and the public at large to keep software and hardware regularly updated.
While the above-mentioned vulnerability was disclosed without a patch available, one was released within a short period, protecting customers from having their servers compromised.