This attack is ongoing. See the
Updates section at the end of this post for new information as it comes to light.
On August 25, 2021, Atlassian published details on CVE-2021-26084, a critical remote code execution vulnerability in Confluence Server and Confluence Data Center. The vulnerability arises from an OGNL injection flaw and allows unauthenticated attackers to execute arbitrary code on Confluence Server or Data Center instances. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.
Proof-of-concept exploit code has been publicly available since August 31, 2021, and both Rapid7 and community researchers have observed active exploitation as of September 2. Organizations that have not patched this Confluence Server and Confluence Data Center vulnerability should do so on an emergency basis.
For a complete list of fixed versions, see Atlassian’s advisory here.
For full vulnerability analysis, including triggers and check information, see Rapid7’s analysis in AttackerKB.
Rapid7's Managed Detection and Response (MDR) team has observed active exploitation against vulnerable Confluence targets. InsightIDR customers should ensure that the Insight Agent is installed on all Confluence servers to maximize post-compromise detection visibility.
InsightVM and Nexpose customers can assess their exposure to CVE-2021-26084 with remote vulnerability checks as of the August 26, 2021 content release.
September 2, 2021:
The Rapid7 Threat Detection & Response team added or updated the following detections to InsightIDR to help you identify successful exploitation of this vulnerability:
- Suspicious Process - Curl Downloading Shell Script detects when the Curl utility is being used to download a shell script. The Curl utility is often used by malicious actors to download additional payloads on compromised Linux systems.
- Suspicious Process - Confluence Java App Launching Processes identifies processes being launched by the Atlassian Confluence server app. Malicious actors have been observed exploiting CVE-2021-26084, a vulnerability for Confluence disclosed in August 2021 which can allow execution of arbitrary processes.
- Suspicious Process - Common Compromised Linux Webserver Commands identifies commands that Rapid7 has observed being run on compromised Linux webservers.
September 3, 2021:
Attacks are continuing to increase, therefore Rapid7 has updated the patching priority to "patch on an emergency basis."
The US Cyber Command has tweeted guidance asking for organizations to "patch immediately" as "this cannot wait until after the weekend."
CISA has also released a ransomware awareness guide for holidays and weekends.
Current attacks have been focused on deploying coin miners, but the pivot to deploying ransomware may not take long.
September 7, 2021:
Atlassian has updated their advisory on CVE-2021-26084 to note that the vulnerability is exploitable by unauthenticated attackers regardless of configuration. Widespread exploitation is ongoing.
October 4, 2021
Sophos is sharing details about a ransomware attack utilizing this vulnerability to provide the attacker's initial access.