Atlassian Confluence data-wiping vulnerability exploited

Threat actors are trying to exploit CVE-2023-22518, a critical Atlassian Confluence flaw that allows unauthenticated attackers to reset the database of vulnerable instances, GreyNoise is observing.

The Shadowserver Foundation has also seen 30+ IP addresses testing for the flaw in internet-facing Confluence installations.

From security updates to active exploitation

Atlassian released security updates for CVE-2023-22518 on October 31 and urged customers to upgrade quickly, even though there was no indication that the vulnerability was being targeted.

“Instances accessible to the public internet, including those with user authentication, should be restricted from external network access until you can patch,” Atlassian advised.

On November 2, Atlassian CISO Bala Sathiamurthy confirmed that there was “publicly posted critical information about the vulnerability which increases risk of exploitation.” The day after (i.e., last Friday), the company confirmed that they received a customer report of an active exploit.

At least one PoC exploit for CVE-2023-22518 has since been published on GitHub.

Mitigation and remediation

While the vulnerability does not allow attackers to exfiltrate data, Atlassian says that if an instance has been compromised customers might experience significant data loss, and might not be able to connect to their instance’s URL or to properly authenticate to the instance anymore.

“If able to authenticate, the instance won’t have any content created and/or different content than it originally had,” the company warned.

Customers might also notice suspicious files and/or directories created under the /temp folder, and can search for indicators of compromise in their Confluence logs.

“Since the attack consists of resetting the instance’s content, recovering from a previous backup is the only way of recovering your data. If you believe your Confluence instance was compromised, contact Atlassian Support as Atlassian assistance is required to recover your instance,” the company added.

Customers lucky enough not to be hit should update their Confluence installation quickly, or back up their instance’s data and remove their instance from the public internet to minimize risk of exploitation.

UPDATE (November 8, 2023, 05:40 a.m. ET):

Atlassian has updated CVE-2023-22518’s CVSS score from 9.1 to 10 and added new indicators of compromise to the security advisory, since they now know that the vulnerability allows attackers to reset the database of vulnerable instances AND to create a Confluence instance administrator account.

“Using this account, an attacker can then perform all administrative actions that are available to Confluence instance administrator leading to a full loss of confidentiality, integrity and availability,” the company admitted.

Rapid7’s incident responders and Huntress researchers have also observed threat actors exploiting the flaw to deliver Cerber ransomware on exploited Confluence servers.

“The speed at which this campaign unfolded, with only a few days between the release of a patch and active, in-the-wild exploitation, emphasizes how quickly such adversaries work to identify and take advantage of distribution mechanisms for their wares,” Huntress researchers noted.
