200k companies potentially vulnerable to Atlassian zero-day vulnerability


Western governments and high-profile private sector organizations remain exposed to the Atlassian vulnerability weeks after this critical zero-day flaw was initially discovered.

Atlassian, an Australian software giant providing products for developers and managers, issued a patch for the Confluence Server and Data Center vulnerability on June 3. However, multiple security researchers have pointed out that this zero-day vulnerability is still being exploited in the wild, as many companies continue to operate a vulnerable version of Confluence.

According to Microsoft, multiple adversaries and nation-state actors are taking advantage of the Atlassian Confluence flaw. The malicious activity that the company observed includes the deployment of payloads like Cobalt Strike, web shells, botnets like Mirai and Kinsing, coin miners, and ransomware.

"In particular, we observed the CVE-2022-26134 [Confluence vulnerability] being exploited to download and deploy the Cerber2021 ransomware," Microsoft said last Friday.

According to cybersecurity rating company BitSight, close to 200,000 companies depend on at least one organization that is potentially vulnerable, meaning the flaw represents a significant supply chain risk to many entities.

"This vulnerability allows an unauthenticated attacker to remotely take control of a server hosting a vulnerable Confluence instance," Stephen Boyer, Chief Technology Officer at BitSight, told Cybernews. "The attacker can create new admin accounts and run arbitrary code, opening up the potential for ransomware deployment, data theft, and more. Threat actors may choose to directly attack a target organization using vulnerable instances of Confluence, or they may choose to attack an organization in the target's third-party ecosystem."

After scanning the internet to identify potentially exposed internet-facing applications, BitSight concluded that many high-profile private sector and government organizations are still potentially vulnerable, including:

- A major metropolitan city located on the East Coast of the United States.

- A Fortune 500 technology firm.

- A State university system located on the West Coast of the United States.

- A national government located in Western Europe.

- A major metropolitan city located in Western Europe.

- A national APAC government.

- A national Ministry of Education located in APAC.

The company observed that approximately 60% of at-risk organizations in the US and EMEA are no longer operating the vulnerable version of Confluence, meaning the remaining 40% still are. Outside these regions, approximately 55% of organizations are still at risk.

Confluence is a widespread documentation and collaboration software used by half of Fortune 500 companies.

"Once vulnerabilities of this kind are announced, there is typically a strong remediation response. However, after the first week, it is common for remediation to roughly stand around 50%," Boyer said.

Companies might not patch their systems due to poor or incomplete system inventory processes, incomplete patch management, insufficient IT vendor and staffing resources, and a lack of support for a specific software product.

"In most cases, a group of servers remains vulnerable for months if not years, leaving owner-organizations vulnerable to cybercrime," he added.

The critical vulnerability in Atlassian products was first announced by researchers at cybersecurity firm Volexity. Atlassian is an Australian software giant providing products for developers and managers.

The company has released an advisory on mitigating the vulnerability. At the same time, the Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its catalog, requiring US federal institutions to block internet traffic to Confluence servers on their networks.