US Cyber Command (USCYBERCOM) has issued an alert via Twitter today urging US organizations to immediately patch a critical Atlassian Confluence vulnerability that is under mass exploitation.
“Mass exploitation of Atlassian Confluence CVE-2021-26084 is ongoing and expected to accelerate,” said the Cyber National Mission Force (CNMF).
The USCYBERCOM unit also stressed the importance of patching vulnerable Confluence servers as soon as possible: “Please patch immediately if you haven’t already— this cannot wait until after the weekend.”
This warning comes after Deputy National Security Advisor Anne Neuberger encouraged organizations “to be on guard for malicious cyber activity in advance of the holiday weekend” during a Thursday White House press briefing.
— U.S. Cyber Command (@US_CYBERCOM) September 3, 2021
Atlassian Confluence is a highly popular web-based corporate team workspace designed to help employees collaborate on various projects.
On August 25, Atlassian issued security updates to address the actively exploited Confluence remote code execution (RCE) vulnerability tracked as CVE-2021-26084, which lets unauthenticated attackers execute commands on a vulnerable server remotely.
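Before patching, administrators need to know which of their instances are actually in the affected version ranges. The following script is an added example, not code from the article or from Atlassian: it reads the version Confluence exposes in the `ajs-version-number` meta tag of its pages and compares it against the affected ranges for CVE-2021-26084 as listed in Atlassian's advisory (those ranges are assumed here from the advisory, not stated in this article; confirm them against the advisory before relying on the output). The sample HTML is constructed for the example.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges for CVE-2021-26084, as given in Atlassian's advisory
# (assumption: copied from the advisory, not from the article; verify there).
# Each entry is [low, high): low is the first affected release on that line,
# high is the first fixed release. 7.13.0 and later were never affected.
AFFECTED_RANGES = [
    ((0, 0, 0),  (6, 13, 23)),   # every release before 6.13.23
    ((6, 14, 0), (7, 4, 11)),    # 6.14.0 through 7.4.10
    ((7, 5, 0),  (7, 11, 6)),    # 7.5.0 through 7.11.5
    ((7, 12, 0), (7, 12, 5)),    # 7.12.0 through 7.12.4
]

# MAJOR.MINOR[.PATCH]; a trailing qualifier such as "-beta" is ignored.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?")

# Confluence pages carry the running version in this meta tag
# (assumption: attribute order name-then-content, as in the constructed sample).
_META_RE = re.compile(r'<meta\s+name="ajs-version-number"\s+content="([^"]+)"', re.I)


def parse_version(text: str) -> Optional[Version]:
    """Turn '7.12.3' (or '7.12', or '7.12.3-beta') into a comparable tuple."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or "0"))


def is_vulnerable(version: Version) -> bool:
    """True if the version falls inside any affected [low, high) range."""
    return any(low <= version < high for low, high in AFFECTED_RANGES)


def nearest_fix(version: Version) -> Optional[Version]:
    """First fixed release on the same line, or None if not affected."""
    for low, high in AFFECTED_RANGES:
        if low <= version < high:
            return high
    return None


def extract_version(html: str) -> Optional[Version]:
    """Pull the version out of a saved Confluence page (login page works)."""
    m = _META_RE.search(html)
    return parse_version(m.group(1)) if m else None


def assess(html: str) -> dict:
    """Summarise one instance: version, whether it is affected, and the fix."""
    v = extract_version(html)
    if v is None:
        return {"version": None, "vulnerable": None, "upgrade_to": None}
    fix = nearest_fix(v)
    return {
        "version": ".".join(map(str, v)),
        "vulnerable": is_vulnerable(v),
        "upgrade_to": ".".join(map(str, fix)) if fix else None,
    }


# Constructed sample page, not captured from a real server.
SAMPLE_HTML = """<html><head>
<meta name="ajs-version-number" content="7.12.3">
<title>Log In - Confluence</title>
</head><body>Log in</body></html>"""

if __name__ == "__main__":
    print(assess(SAMPLE_HTML))
```

Run it against a saved copy of each instance's login page (or adapt `extract_version` to the version string from the admin console); any instance reported as vulnerable should be upgraded to at least the `upgrade_to` release, or to 7.13.0 or later.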
As BleepingComputer reported this week, multiple threat actors began scanning for and exploiting this recently disclosed Confluence RCE vulnerability to install crypto miners after a PoC exploit was publicly released six days after Atlassian’s patches were issued.
Several cybersecurity firms have reported that both threat actors and security researchers are actively scanning for and exploiting unpatched Confluence servers.
For instance, Coalition Director of Engineering Tiago Henriques detected penetration testers searching for vulnerable Confluence servers.
Cybersecurity intelligence firm Bad Packets also observed threat actors from multiple countries deploying and launching PowerShell or Linux shell scripts on compromised Confluence servers.
After analyzing exploit samples, BleepingComputer confirmed that the attackers are attempting to install crypto miners (e.g., XMRig Monero cryptocurrency miners) on Windows and Linux Confluence servers.
Even though these attackers are currently only deploying cryptocurrency miners, the attacks can quickly escalate if the threat actors start moving laterally through corporate networks from hacked on-prem Confluence servers to drop ransomware payloads and exfiltrate data.