News
CVSS score 10! Atlassian Confluence Linux instances targeted with Cerber ransomware
April 2024 by Sylvain Cortes, VP Strategy at Hackuity
A severe vulnerability in Atlassian Confluence Data Centre and Server, with a CVSS score that started at 9.1 and was swiftly escalated to the maximum of 10 following active exploitation, was used to deploy a Linux variant of Cerber ransomware.
Researchers found that attackers exploited the improper authorization vulnerability, CVE-2023-22518, to drop an Effluence web shell plugin that enabled the execution of Cerber, according to reports.
The flaw allows attackers to make malicious requests to the “setup-restore” endpoint of a vulnerable instance that allows the to reset this and create a new admin account. From here, they can install new modules, like the Effluence web shell, to achieve arbitrary code execution.
Sylvain Cortes, VP Strategy, Hackuity
“This is a serious and urgent issue that affects many Atlassian users. A critical vulnerability in Confluence allows attackers to reset the system and create an admin account, which they use to install a web shell and deploy a Linux variant of Cerber ransomware. This can lead to data encryption, extortion, and system compromise.
I strongly advise all Confluence users to patch their servers as soon as possible and check for any signs of compromise.
Most active exploits of vulnerabilities can be avoided. To enhance prevention, companies need to establish regular prioritisation of vulnerabilities to stay ahead of attackers. By bringing together all identifiable network vulnerabilities, a comprehensive view of cyber risk can be obtained. Now, more than ever, companies must adopt continuous, automated Vulnerability Management to reduce the risk to their business data, revenue, and reputation. If you suspect that your system has been infected via this flaw, you should disconnect it from the network, contact a security expert, and report the incident to the authorities.”
