https://www.zdnet.com/article/us-cybercom-says-mass-exploitation-of-atlassian-confluence-vulnerability-ongoing-and-expected-to-accelerate/

US Cybercom says mass exploitation of Atlassian Confluence vulnerability 'ongoing and expected to accelerate'

IT leaders have taken to Twitter to confirm that the exploitation is ongoing globally.

By Jonathan Greig | September 3, 2021 -- 21:26 GMT (14:26 PDT) | Topic: Security

UPDATE: Jenkins project attacked through Atlassian Confluence vulnerability

US Cybercom has sent out a public notice warning IT teams that CVE-2021-26084 -- related to Atlassian Confluence -- is actively being exploited.
"Mass exploitation of Atlassian Confluence CVE-2021-26084 is ongoing and expected to accelerate. Please patch immediately if you haven't already -- this cannot wait until after the weekend," US Cybercom said in a tweet on Friday ahead of the Labor Day weekend holiday. A number of IT leaders took to social media to confirm that it was indeed being exploited.

Atlassian released an advisory about the vulnerability on August 25, explaining that the "critical severity security vulnerability" was found in Confluence Server and Data Center versions before 6.13.23, from 6.14.0 before 7.4.11, from 7.5.0 before 7.11.6, and from 7.12.0 before 7.12.5.

"An OGNL injection vulnerability exists that would allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance. All versions of Confluence Server and Data Center prior to the fixed versions listed above are affected by this vulnerability," the company said in its advisory.

Atlassian urged IT teams to upgrade to the latest Long Term Support release and said there is a temporary workaround if that is not possible. "You can mitigate the issue by running the script below for the Operating System that Confluence is hosted on," the notice said. The vulnerability only affects self-managed Confluence Server and Data Center deployments, not Atlassian-hosted Confluence Cloud sites.

Multiple researchers have illustrated how the vulnerability can be exploited and released proofs-of-concept showing how it works. Bad Packets said they "detected mass scanning and exploit activity from hosts in Brazil, China, Hong Kong, Nepal, Romania, Russia and the US targeting Atlassian Confluence servers vulnerable to remote code execution." Censys explained in a blog post that over the last few days, their team has "seen a small shift in the number of vulnerable servers still running on the public internet."
"On August 31st, Censys identified 13,596 vulnerable Confluence instances, while on September 02, that number has decreased to 11,689 vulnerable instances," Censys said. The company explained that Confluence is a "widely deployed Wiki service used primarily in collaborative corporate environments" and that it "has become the de facto standard for enterprise documentation over the last decade."

"While the majority of users run the managed service, many companies opt to deploy the software on-prem. On August 25th, a vulnerability in Atlassian's Confluence software was made public. A security researcher named SnowyOwl (Benny Jacob) found that an unauthenticated user could run arbitrary code by targeting HTML fields interpreted and rendered by the Object-Graph Navigation Language (OGNL)," the blog said.

"Yes, that is the same class of vulnerability used in the Equifax breach back in 2017. Just days before this vulnerability was made public, our historical data showed that the internet had over 14,637 exposed and vulnerable Confluence servers. Compare that to the current day, September 1st, where Censys identified 14,701 services that self-identified as a Confluence server, and of those, 13,596 ports and 12,876 individual IPv4 hosts are running an exploitable version of the software."

Figure: A Censys chart showing how many servers are still vulnerable. (Source: Censys)

"There is no way to put this lightly: this is bad. Initially, Atlassian stated this was only exploitable if a user had a valid account on the system; this was found to be incorrect, and the advisory was updated today to reflect the new information. It's only a matter of time before we start seeing active exploitation in the wild as there have already been working exploits found scattered about," Censys added.
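The counts Censys reports above come down to one check: is the version a host reports inside one of the four affected ranges Atlassian published? The Python below is an added example, not code from the article, Atlassian or Censys. It encodes exactly the ranges quoted from the advisory (before 6.13.23, 6.14.0 before 7.4.11, 7.5.0 before 7.11.6, 7.12.0 before 7.12.5), treats the upper bound of each range as the first fixed release in that branch, and runs the check over a constructed inventory so Internet-exposed hosts, the ones mass scanning actually reaches, come out first. The host names and versions in the inventory are made up for illustration.

```python
"""Triage helper for CVE-2021-26084 (Confluence Server / Data Center OGNL injection).

Added example. The affected ranges are taken from Atlassian's August 25, 2021
advisory as quoted in the article; the inventory is constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# (lower bound inclusive, or None for "every earlier version"; upper bound exclusive).
# The exclusive upper bound of each range is the first fixed release in that branch.
AFFECTED_RANGES = (
    (None, "6.13.23"),
    ("6.14.0", "7.4.11"),
    ("7.5.0", "7.11.6"),
    ("7.12.0", "7.12.5"),
)


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '7.4.11' into (7, 4, 11) so versions compare numerically, not lexically.

    Anything that is not dotted integers is rejected: a malformed inventory entry
    should fail loudly rather than silently compare as "not vulnerable".
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Confluence version string: {text!r}")
    return tuple(int(p) for p in parts)


def fixed_version_for(version: str) -> Optional[str]:
    """Return the first fixed release for the branch `version` falls in, or None if unaffected."""
    v = parse_version(version)
    for low, high in AFFECTED_RANGES:
        at_or_above_low = low is None or v >= parse_version(low)
        if at_or_above_low and v < parse_version(high):
            return high
    # Versions outside every range (e.g. 6.13.24 or 7.13.0) are past the fix in their branch.
    return None


def is_vulnerable(version: str) -> bool:
    return fixed_version_for(version) is not None


@dataclass(frozen=True)
class Host:
    name: str              # constructed label, not a real hostname
    version: str           # version string as reported by the instance
    internet_exposed: bool


# Constructed sample inventory (not real systems).
SAMPLE_INVENTORY = [
    Host("wiki-a", "7.4.9", internet_exposed=True),
    Host("wiki-b", "7.13.0", internet_exposed=True),
    Host("wiki-c", "6.13.22", internet_exposed=False),
    Host("wiki-d", "7.12.5", internet_exposed=False),
]


def triage(hosts) -> list[tuple[str, str, str]]:
    """Return (host, current version, first fixed version) for every vulnerable host,
    with Internet-exposed hosts listed first."""
    findings = []
    for h in hosts:
        fixed = fixed_version_for(h.version)
        if fixed is not None:
            findings.append((h.name, h.version, fixed, h.internet_exposed))
    findings.sort(key=lambda f: (not f[3], f[0]))
    return [(name, current, fixed) for name, current, fixed, _ in findings]


if __name__ == "__main__":
    for name, current, fixed in triage(SAMPLE_INVENTORY):
        print(f"{name}: {current} is affected by CVE-2021-26084; "
              f"upgrade to {fixed} or to the LTS release Atlassian recommends")
```

One caveat when using a version check like this against live hosts: Atlassian's temporary workaround script modifies the running instance without changing the version it reports, so a host that has been mitigated but not upgraded will still be flagged. That is the right default for triage (the workaround is temporary and the advisory's fix is the upgrade), but it means these numbers, like the Censys counts, are an upper bound on hosts that are actually exploitable.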
Yaniv Bar-Dayan, CEO of Vulcan Cyber, told ZDNet that security teams need to fight fire with fire as they work to prioritize and remediate this Confluence flaw. Attackers shouldn't be the first to automate scans for this vulnerability, and hopefully IT security teams are ahead of their adversaries in proactively identifying its presence and taking steps to mitigate it, Bar-Dayan said.

"Given the nature of Atlassian Confluence, there is a very real chance components of the platform are Internet exposed," Bar-Dayan added. "This means that attackers won't need internal network access to exploit the RCE vulnerability. A patch is available, and administrators should deploy it with extra haste while also considering other mitigating actions such as ensuring no public access is available to the Confluence Server and services."

BleepingComputer confirmed on Thursday that some threat actors are installing cryptominers on both Windows and Linux Confluence servers using the vulnerability.