Confluence servers hacked to deploy AvosLocker, Cerber2021 ransomware

By Sergiu Gatlan
June 11, 2022 10:31 AM

Ransomware gangs are now targeting a recently patched and actively exploited remote code execution (RCE) vulnerability affecting Atlassian Confluence Server and Data Center instances for initial access to corporate networks.

If successfully exploited, this OGNL injection vulnerability (CVE-2022-26134) enables unauthenticated attackers to take over unpatched servers remotely by creating new admin accounts and executing arbitrary code.


Soon after active exploitation was reported in the wild and Atlassian patched the bug, proof-of-concept exploits were also leaked online, lowering the skill level required for exploitation even further.

The severity of this security flaw and the already available exploits didn't go unnoticed, with multiple botnets and threat actors actively exploiting it in the wild to deploy cryptomining malware.

Ransomware starts circling unpatched Confluence servers
As researchers at Swiss cyber threat intelligence firm Prodaft discovered, AvosLocker ransomware affiliates have already jumped on the bandwagon.

They are now targeting and hacking into Internet-exposed Confluence servers still left unpatched "to infect multiple victims on a mass scale systematically."

This targeting is illustrated by a screenshot of AvosLocker's command and control server where a 'confluence' campaign has been created by the threat actors, as shown below.

AvosLocker Confluence campaign (Prodaft)

"By performing mass scans on various networks, AvosLocker threat actors search for vulnerable machines used to run Atlassian Confluence systems," Prodaft told BleepingComputer.

"AvosLocker has already managed to infect multiple organizations from different parts of the globe; including but not limited to the United States, Europe, and Australia."

BleepingComputer has also been told by numerous victims that Cerber2021 ransomware (also known as CerberImposter) is actively targeting and encrypting Confluence instances unpatched against CVE-2022-26134.

ID-Ransomware creator Michael Gillespie told BleepingComputer that submissions identified as CerberImposter include encrypted Confluence configuration files—showing that Confluence instances are getting encrypted in the wild.


The release of CVE-2022-26134 POC exploits coincides with an increase in the number of successful Cerber ransomware attacks.

Cerber ransomware activity (ID-Ransomware)

Microsoft also confirmed Friday night that they have seen Confluence servers exploited to install Cerber2021.

Cerber previously targeted Confluence servers worldwide in December 2021 using CVE-2021-26084 exploits that allow unauthenticated attackers to gain remote code execution on vulnerable systems.

Widely exploited in the wild
Since cybersecurity firm Volexity disclosed CVE-2022-26134 as an actively exploited zero-day bug last week, CISA has also ordered federal agencies to mitigate the flaw by blocking all internet traffic to Confluence servers on their networks.

Volexity also revealed that several China-linked threat actors are likely using exploits to target vulnerable servers to deploy web shells.

One day after information on this actively exploited bug was published, Atlassian released security updates and urged its customers to patch their installations to block ongoing attacks.

"We strongly recommend upgrading to a fixed version of Confluence as there are several other security fixes included in the fixed versions of Confluence," Atlassian said.

If you can't immediately upgrade your Confluence Server and Data Center instances, you can apply a temporary workaround that requires updating some JAR files on the Confluence server, as described in Atlassian's security advisory.